This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 28.999999999999996%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Hi,
Current: Domain user can launch MMC console on their computer, select remote server A, select and use MMC snap-ins to work on the remote server A.
Goal: I want to block MMC on the remote server A so that if a domain user launch MMC console on their computer, select remote server A and then select MMC snap-ins, domain users will be notified that restriction is in place or access is denied.
Domain administrator should be able to launch MMC console from remote server B, select remote server A, select and use MMC snap-ins to work on the remote server A.
Domain user should be able to use MMC snap-ins on their own computer. 
Please i will appreciate any help and guide.
Thank you
What snap-in (or WMI query) are you really trying to block? Since the Domain User does not have administrator rights, they will not be able to make any changes that the Domain Admin would be able to make. The user is already limited as to what they can do.
Will the Domain User access network shares or web sites on Server A?
Are all 3 machines on the same or different subnets? (Can you block access by IP address?)
This is what i want to achieve:
Scenario
1.On server A, Domain admin disable Services snap-ins under Restricted/Permitted snap-ins
2. On server A, Domain admin launch mmc console and could not access Services snap-ins because it is disabled
3. Domain user login to a workstation on the same network and same domain as server A
4. Domain user launch mmc console on the workstation, select server A as the computer to manage and select Services as the snap-ins to manage on server A
5, Domain user was able to launch Services snap-ins on server A remotely and was able modify Services snap-in on server A (despite that it is restricted and disabled on server A)
If I restrict a snap-in on server A and anyone that login to server A locally is restricted from using that snap-in on server. I also want the restriction to affect anyone that is using mmc console to remotely connect to server A not to be able to use a restricted snap-ins on the server A.
Thank you
Domain user was able to launch Services snap-ins on server A remotely and was able modify Services snap-in on server A (despite that it is restricted and disabled on server A)
From my understanding, Server A is does not see a remote snap-in. It sees an RPC/DCOM/WMI call to query services.
I would suggest that you NOT focus on snap-in's. Instead focus on the functionality that you wish to prevent. Even if you could block the snap-in, the user could probably use a Powershell command or WMIC call to query the resource.
What functionality are you trying to block? Enumerating the names of services on Server A?
All the systems are on same subnet. I want to block snap-ins like services, disk management, device management and bunch of them
Since the user does not have Administrator authority on the server, most of the snapin's are not going to function anyway.
I ran compmgmt.msc with a standard user and connected to a test VM that I have. Win10 to Win10.
Nothing worked. About the only thing that I could see was the names of the event logs. I could not read any events.
But your server might be configured differently. Have you tested access from a client? You may be trying to fix a problem that you don't have.
One way to stop MMC is to define a firewall rule that blocks all outbound connections on non-admin desktops.
As I noted in prior post, this will not stop the user from executing a Powershell command to query remote resources that they have access to.
And if the user has admin access on their own desktop, they can just temporarily turn off the firewall to bypass that rule. So you would need to lock down the desktop further with Active Directory group policy.
This approach will work
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 57.99999999999999%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECF%3C/text%3E%3C/svg%3E)
Hi,
Please refer to the information in the link below:
Restrict remote mmc
https://stackoverflow.com/questions/22485479/restrict-windows-server-2008-r2-remote-mmc
You may could disable the setting Restrict users to the explicitly permitted list of snap-ins in GPO.
If you disable this setting, all snap-ins are permitted. Then you could disable the snap-in which you want to disable under the path User Configuration/Administrative Templates/Windows Components/Microsoft Management Console.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
