MMC | Restricting Exchange Server 2007 Snap-in from loading
Introduction
I have seen few cases where customers have felt the need to restrict the access to snap-ins that they feel their front-line Admin or Helpdesk professional should not have. It’s a security concern to them.
We all know that the access to snap-ins can be restricted via group policy settings. By default the snap-ins that are available for administration via GPO are – Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, ADSI edit, ActiveX Control, Certificates, Certification Authority, Certificate Templates, Wireless Monitor, Component Services, Computer Management, Device Manager, Disk Management, Disk Defragmenter, Distributed File System, Event Viewer, Fax Service, FrontPage Server Extensions, Indexing Service, .Net Framework Configuration, Internet Authentication Service (IAS), Internet Information Services, IP Security Policy Management, IP Security Monitor, Link to Web Address, Local Users and Groups, Performance Logs and Alerts, QoS Admission Control, Remote Desktops, Removable Storage Management, Routing and Remote Access, Security Configuration and Analysis, Security Templates, Services, Shared Folders, System Information, Telephony, Terminal Services Configuration, WMI Control. In addition to these, we have few Extension Snap-ins such as AppleTalk Routing,Authorization Manager, Certification Authority Policy Settings, Connection Sharing (NAT), DCOM Configuration Extension, Device Manager, DHCP Relay Management, Event Viewer, Extended View (Web View), IAS Logging, IGMP Routing, IP Routing, IPX RIP Routing, IPX Routing, IPX SAP Routing, Logical and Mapped Drives, OSPF Routing, Public Key Policies, RAS Dialin - User Node, Remote Access, Removable Storage, RIP Routing, Routing, Shared Folders Ext, Send Console Message, Service Dependencies, SMTP Protocol, SNMP, System Properties.
But, if you notice, we don’t have for all applications that are used. Say, for example, Exchange Server 2007 MMC or Public Folder Management Console MMC etc. And, there are no ADM templates either of all the applications. Then, how do we go about managing access to those snap-ins?
There is a way that most of the experienced Admins might be aware of, but it’s not documented properly. And, that led me to blog this information.
First Step
To restrict access to a snap-in or file or a process or a service we need to know the associated registry key. Once that is done the task becomes moderately easy!
As I want to restrict access to the Exchange Management Console snap-in, I need to identify the corresponding registry key for Exchange Management Console.
The registry keys for all snap-ins that are installed/available on the box is at the location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns
On my Windows 2008 box (that has just Exchange Server 2007 and Windows Support tools), there are close to 100 entries. To identify the one that’s for Exchange Management Console, I have to look under each one manually (that’s pain, I have not been able to find out a quicker way yet) and keep my eye focused on the REG_SZ entry with the name NameString. This entry is the tag of the snap-in that’s associated with that particular registry key.
For Exchange Management Console the registry key is FX:{76dd58f7-54ba-42e3-a2e0-dbf4b674539f}
Similarly, for the Public Folder Management Console, the registry key is FX:{7a7e61b7-e5c8-4d65-904e-f26589b6c1e3}. You can scan for other snap-ins that you want.
Second Step
Create a custom ADM template. The process is quite simple. Refer the KB https://support.microsoft.com/kb/323639 under the section How to Create an Administrative Template.
For creating adm template for Exchange Management Console, I type in the following lines in a text file and save it as a .adm file.
CLASS USER
CATEGORY Software\Policies\Microsoft\MMC
POLICY FX:{76dd58f7-54ba-42e3-a2e0-dbf4b674539f}
KEYNAME Software\Policies\Microsoft\MMC\FX:{76dd58f7-54ba-42e3-a2e0-dbf4b674539f}
PART Restrict_Run NUMERIC
VALUENAME "Restrict_Run"
END PART
END POLICY
END CATEGORY
The file is saved as ExchangeManagementConsole.adm
Third Step
Now, we need to import the custom adm template created in the previous step, in the Group Policy Management Editor and do the changes accordingly. The steps are:
1. Launch Group Policy Management console on the Server.
2. Locate the Default Domain Policy Group Policy Object and do a right-click on it and choose Edit from the context menu. It will open the Group Policy Management Editor.
3. Expand User Configuration,, Policies and locate Administrative Templates: Policy definitions (ADMX files) retrieve from the local machine. and right-click on it and choose Add/Remove Templates from the context menu. Click on the Add button and add the custom adm template
ExchangeManagementConsole.adm (I hope you recall, where you saved it after creating it.)
4. Once you are done with adding the template, it will appear under Classic Administrative Templates (ADM) under Administrative Templates: Policy definitions (ADMX files) retrieve from the local machine.
5. It will appear as Software\Policies\Microsoft\MMC, and in the right pane you’ll see it with the name FX:{76dd58f7-54ba-42e3-a2e0-dbf4b674539f}
6. Double-click on FX:{76dd58f7-54ba-42e3-a2e0-dbf4b674539f}, and select the radio button for Enabled and for the Restrict_Run attribute set the value to 1.
Fourth Step
Go ahead and run the command gpupdate /force to make the change effective immediately.
Now, if you try to launch the Exchange Server 2007 MMC, [Start | Programs | Microsoft Exchange Server 2007 | Exchange Management Console] you’ll get the following error:
And, if you try to add it through MMC [File | Add or Remove Snap-ins], the snap-in (as expected) should not appear there.
Note:
1. This applies to Exchange Server 2007 MMC only.
2. The policy is being applied at Domain level. It can be done at OU level as well.
The same procedure can be followed to restrict access to any snap-in. I hope you find it useful.