Administrator May Be Unable to Edit Group Policy in Windows 2000 Domain (263166)

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

If you are an administrator, you may be unable to modify Group Policy in a Windows 2000 domain. In addition, if you attempt to start any tool located in Administrative Tools (including Group Policy Editor or saved custom consoles for Microsoft Management Console), the following error message may be displayed:

The snapin below, referenced in this document has been restricted by policy. Contact your administrator for details.
toolname

You may be able to run Mmc.exe, but you cannot add some snap-ins (they are not listed).

CAUSE

This behavior occurs because your user account is restricted with Group Policy. Depending on how the policy is configured, users with Administrator permissions may not be able to start Group Policy Editor (which is a Microsoft Management Console (MMC) snap-in) to modify Group Policy to allow access.

This behavior can occur if the following Group Policy is enabled at the domain level (for example, in the Default Domain Group Policy) without permitting the use of the Group Policy snap-in:

Restrict Users to the explicitly permitted list of snap-ins
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console)

You may also be unable to modify Group Policy if the Group Policy snap-in is disabled explicitly with one or both of the following Group Policies:

Group Policy snap-in
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy)

Administrative Templates (User)
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy)

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To temporarily allow the use of the Group Policy snap-in, use the following steps:

Start Registry Editor (Regedt32.exe).
Locate the following registry key:
HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
Locate the RestrictToPermittedSnapins value and change it to 0.
Quit Registry Editor.
Try to start Group Policy Editor.

If you perform these steps and you still receive an error message when you attempt to use Group Policy Editor, use the following steps:

Start Registry Editor (Regedt32.exe).
Locate the following registry key:
HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
Change the Restrict_Run value to 0 in the following keys if they exist:
{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}

{0F6B957E-509E-11D1-A7CC-0000F87571E3}
Quit Registry Editor.
Try to start Group Policy Editor.

MORE INFORMATION

The registry modifications described in this article are only temporary until Group Policy is reapplied (on a domain controller this is every 5 minutes by default).

To edit the policy that restricts access to Group Policy Editor, an administrator needs to be able to gain access to the Group Policy snap-in and the Administrative Templates under User Configuration. These items have the following Class IDs:

Administrative Templates(Users)
{0F6B957E-509E-11D1-A7CC-0000F87571E3}

Group Policy snap-in
{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}