This error may occur when using a Group Policy that restricts access to the MMC (Microsoft Management Console) and allows access to only explicitly defined snap-ins. In this case, only “Active Directory Users and Computers” is allowed for a particular user group.
This is essential if you are looking to delegate control of users within an OU to a different group of select logins, allowing others to perform basic tasks like changing passwords without needing the domain administrator account.
The Snap-In required is “Active Directory Users and Computers”. This would be set to “Enabled”, along with the main policy that restricts all other snap-ins, giving the specified users access to the Active Directory structure and the groups/users they are controlling.
Logging in as a user delegated to perform password resets and launching the required snap-in as that restricted user may result in the following error:
The snap-in below, referenced in this document has been restricted by policy. Contact your administrator for details. Folder.
Clicking past this error message will result in the Snap-In loading and functioning correctly, but it's disconcerting to the user and annoying.
It appears to reference a Snap-In “Folder” which has been restricted by the Group Policy set as mentioned above (remember that all Snap-Ins except for Active Directory Users and Computers are restricted). However, there is no reference to any such Snap-In in the GPO Editor.
Creating a Custom Admin Template
We need to add an entry to the Group Policy that enables this Snap-In. This is done by adding a Custom Admin Template that references the Snap-In’s GUID. Assuming you have created and saved an .msc file containing only the Active Directory Users and Computers Snap-In (done via MMC), this file can be opened in a text editor to find the GUID. To streamline things further for a pure password reset application, you could create a Custom Taskpad .msc, but I won’t go into that here.
There will likely be several GUID references in this file but the important one is
You now need to create a Custom Admin Template to allow this Snap-In. Open a blank text document and copy the following:
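CLASS USER
CATEGORY "Windows Components"
  CATEGORY "Microsoft Management Console"
    CATEGORY "Custom Settings"
      POLICY "Microsoft Folder Snap-In"
        KEYNAME "Software\Policies\Microsoft\MMC\{GUID-FROM-YOUR-MSC-FILE}"
        EXPLAIN "Permits or prohibits use of this snap-in."
        VALUENAME "Restrict_Run"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
      END POLICY
    END CATEGORY
  END CATEGORY
END CATEGORY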
Save this file with the extension .adm in C:\Windows\inf
In the GPO Editor for the policy in question, navigate through the tree to
Right click on
And add the .adm file you just created.
Now navigate to
——->Microsoft Management Console
There should now be an entry named “Microsoft Folder Snap-In”. Set this to “Enabled”.
Re-apply your policy across the network. Logging in as a delegated user and launching Active Directory Users and Computers should no longer give an error message.
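As an added example (not part of the original article), the following PowerShell script lists every GUID found in the saved .msc file and reports how the logged-on user's MMC policy treats each one, which helps both when locating the GUID for the template and when confirming the result after the policy has been re-applied. The default file path is a placeholder, and the snap-in name lookup under HKLM is an assumption that simply returns nothing for GUIDs that are not registered snap-ins.

```powershell
# Added example: map the GUIDs in a saved .msc console to the current user's
# MMC snap-in policy state (Restrict_Run under HKCU\Software\Policies\Microsoft\MMC).
param(
    # Hypothetical default path; point this at the .msc file you saved from MMC.
    [string]$MscPath = "$env:USERPROFILE\Desktop\ADUC.msc"
)

$policyRoot = 'HKCU:\Software\Policies\Microsoft\MMC'
$snapInRoot = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'   # assumed source of display names
$guidRegex  = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

# Is "restrict users to the explicitly permitted list of snap-ins" in force?
$rootPolicy  = Get-ItemProperty -LiteralPath $policyRoot -ErrorAction SilentlyContinue
$restrictAll = $rootPolicy.RestrictToPermittedSnapins -eq 1

# Collect every distinct GUID in the console file (not all of them are snap-ins).
$content = Get-Content -LiteralPath $MscPath -Raw -ErrorAction Stop
$guids   = [regex]::Matches($content, $guidRegex) |
    ForEach-Object { $_.Value.ToUpper() } |
    Sort-Object -Unique

foreach ($guid in $guids) {
    $name = (Get-ItemProperty -LiteralPath "$snapInRoot\$guid" -ErrorAction SilentlyContinue).NameString
    $run  = (Get-ItemProperty -LiteralPath "$policyRoot\$guid" -ErrorAction SilentlyContinue).Restrict_Run

    if ($run -eq 0) {
        $state = 'Permitted (Restrict_Run = 0)'
    } elseif ($run -eq 1) {
        $state = 'Prohibited (Restrict_Run = 1)'
    } elseif ($restrictAll) {
        # No explicit entry while the permitted-list policy is on: MMC blocks it.
        $state = 'Blocked: not on the permitted list'
    } else {
        $state = 'Not configured'
    }

    [pscustomobject]@{ Guid = $guid; SnapInName = $name; PolicyState = $state }
}
```

Run it in a session belonging to the delegated user, because the policy values live in that user's HKCU hive. Any GUID reported as blocked is a candidate for the KEYNAME line of the custom template.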