
Active Directory: Microsoft Folder Snap-In Error

This error may occur when a Group Policy restricts access to the MMC (Microsoft Management Console) and allows access to only explicitly defined snap-ins. In this case, the only snap-in allowed is “Active Directory Users and Computers”, for a particular user group.

This is essential if you are looking to delegate control of users within an OU to a different group of select logins, allowing others to perform basic tasks like changing passwords without needing the domain administrator account.

The Snap-In required is “Active Directory Users and Computers”. This would be set to “Enabled”, along with the main policy to restrict all other snap-ins, allowing the specified users access to the Active Directory structure and the group/users they are controlling.

Logging in as a user delegated to perform password resets and attempting to launch the required snap-in as a restricted user may result in the following error:

The snap-in below, referenced in this document has been restricted by policy. Contact your administrator for details. Folder.

Clicking past this error message will result in the Snap-In loading and functioning correctly, but it's disconcerting to the user and annoying.

It appears to reference a Snap-In “Folder” which has been restricted by the Group Policy set as mentioned above (remember all Snap-Ins except for Active Directory Users and Computers are restricted). However, there is no reference to any such Snap-In in the GPO Editor.

Creating a Custom Admin Template

We need to add an entry to the Group Policy that enables this Snap-In. This is done by adding a Custom Admin Template that references the Snap-In’s GUID. Assuming you have created and saved an .msc file containing only the Active Directory Users and Computers Snap-In (done via MMC), this file can be viewed in a text editor to find the GUID. To streamline things further for a pure password reset application, you could create a Custom Taskpad .msc, but I won’t go into that here.

There will likely be several GUID references in this file, but the important one is:

{C96401CC-0E17-11D3-885B-00C04F72C717}

You now need to create a Custom Admin Template to allow this Snap-In. Open a blank text document and copy the following:

; Custom template: adds a per-user policy for the "Folder" snap-in GUID.
; Use plain straight quotes; curly quotes will not parse.
CLASS USER
CATEGORY "Windows Components"
  CATEGORY "Microsoft Management Console"
    CATEGORY "Custom Settings"
      POLICY "Microsoft Folder Snap-In"
        KEYNAME "Software\Policies\Microsoft\MMC\{C96401CC-0E17-11D3-885B-00C04F72C717}"
        EXPLAIN "Permits or prohibits use of this snap-in."
        VALUENAME "Restrict_Run"
        ; Enabled writes 0 (snap-in permitted), Disabled writes 1 (prohibited)
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
      END POLICY
    END CATEGORY
  END CATEGORY
END CATEGORY

Save this file with the extension .adm in C:\Windows\inf.

In the GPO Editor for the policy in question, navigate through the tree to

User Configuration

Right click on

Administrative Templates

And add the .adm file you just created.

Now navigate to

User Configuration
--> Windows Components
    --> Microsoft Management Console
        --> Custom Settings

There should now be an entry named “Microsoft Folder Snap-In”. Set this to “Enabled”.

Re-apply your policy across the network. Logging in as a delegated user and launching Active Directory Users and Computers should no longer give an error message.
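
To confirm the result from the delegated user's session, the following PowerShell function (an added example, not part of the original post) lists every GUID found in the saved .msc file together with the Restrict_Run value the policy wrote for it. The function name Get-MscSnapInPolicy and the sample path are assumptions; RestrictToPermittedSnapins is the registry value behind the policy that restricts users to explicitly permitted snap-ins.

```powershell
# Added example: audit the GUIDs referenced by a saved console file against
# the current user's MMC restriction policy. Run as the delegated user.
function Get-MscSnapInPolicy {
    param(
        [Parameter(Mandatory)]
        [string]$MscPath   # path to your saved .msc file (assumed name below)
    )

    $mmcKey = 'HKCU:\Software\Policies\Microsoft\MMC'

    # RestrictToPermittedSnapins = 1: every snap-in is denied unless a
    # per-GUID key carries Restrict_Run = 0.
    $restricted = $false
    $mmc = Get-ItemProperty -LiteralPath $mmcKey -ErrorAction SilentlyContinue
    if ($mmc -and $mmc.PSObject.Properties['RestrictToPermittedSnapins']) {
        $restricted = ($mmc.RestrictToPermittedSnapins -eq 1)
    }

    # Collect each distinct {GUID} in the file. Not all of them are snap-in
    # CLSIDs, so treat the output as candidates to review.
    $pattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $guids = Select-String -LiteralPath $MscPath -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Value.ToUpper() } |
        Sort-Object -Unique

    foreach ($guid in $guids) {
        $value = $null
        $item = Get-ItemProperty -LiteralPath "$mmcKey\$guid" -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties['Restrict_Run']) {
            $value = $item.Restrict_Run
        }

        # Explicit 0 permits, explicit 1 prohibits; with no value the
        # outcome falls back to the global restriction mode.
        if ($null -ne $value) { $allowed = ($value -eq 0) }
        else                  { $allowed = -not $restricted }

        [pscustomobject]@{
            Guid         = $guid
            Restrict_Run = $value
            Allowed      = $allowed
        }
    }
}

# Example call (the path is an assumption; use your own console file):
# Get-MscSnapInPolicy -MscPath 'C:\Consoles\PasswordReset.msc' | Format-Table -AutoSize
```

Once the policy has applied, {C96401CC-0E17-11D3-885B-00C04F72C717} should show Restrict_Run 0 and Allowed True; any other GUID reported as not allowed is a candidate for the same kind of prompt.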

Leonard: British Canadian, electronic engineer and tech enthusiast who is obsessively involved in the world of technology, cars and music. Some say he needs help. He says F1 is a key for cowards.