Active Directory: Microsoft Folder Snap-In Error


This error may occur when using a Group Policy that restricts access to the MMC (Microsoft Management Console) and allows access to only explicitly defined snap-ins. In this case, it occurs when only “Active Directory Users and Computers” is allowed for a particular user group.

This setup is essential if you want to delegate control of users within an OU to a select group of logins, so that others can perform basic tasks like changing passwords without needing the domain administrator account.

The Snap-In required is “Active Directory Users and Computers”. Set it to “Enabled”, along with the main policy that restricts all other snap-ins, to give the specified users access to the Active Directory structure and the group/users they are controlling.

Logging in as a user delegated to perform password resets and launching the required snap-in as that restricted user may result in the following error:

The snap-in below, referenced in this document has been restricted by policy. Contact your administrator for details. Folder.

Clicking past this error message will result in the Snap-In loading and functioning correctly, but it’s disconcerting to the user and annoying.

It appears to reference a Snap-In “Folder” which has been restricted by the Group Policy set as mentioned above (remember all Snap-Ins except for Active Directory Users and Computers are restricted). However, there is no reference to any such Snap-In in the GPO Editor.

Creating a Custom Admin Template

We need to add an entry to the Group Policy that enables this Snap-In. This is done by adding a Custom Admin Template that references the Snap-In’s GUID. Assuming you have created and saved an .msc file containing only the Active Directory Users and Computers Snap-In (done via MMC), you can open that file in a text editor to find the GUID. To streamline things further for a pure password-reset application, you could create a Custom Taskpad .msc, but I won’t go into that here.

There will likely be several GUID references in this file but the important one is

{C96401CC-0E17-11D3-885B-00C04F72C717}

You now need to create a Custom Admin Template to allow this Snap-In. Open a blank text document and copy the following:

CLASS USER
CATEGORY "Windows Components"
CATEGORY "Microsoft Management Console"
CATEGORY "Custom Settings"
POLICY "Microsoft Folder Snap-In"
KEYNAME "Software\Policies\Microsoft\MMC\{C96401CC-0E17-11D3-885B-00C04F72C717}"
EXPLAIN "Permits or prohibits use of this snap-in."
VALUENAME "Restrict_Run"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
END CATEGORY
END CATEGORY

Save this file with the extension .adm in C:\Windows\inf

In the GPO Editor for the policy in question, navigate through the tree to

User Configuration

Right click on

Administrative Templates

And add the .adm file you just created.

Now navigate to

User Configuration
--> Windows Components
----> Microsoft Management Console
------> Custom Settings

There should now be an entry named “Microsoft Folder Snap-In”. Set this to “Enabled”.

Re-apply your policy across the network. Logging in as a delegated user and launching Active Directory Users and Computers should no longer give an error message.
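To check the result from the delegated user's session, this added example (not part of the original article) lists every GUID referenced by the saved .msc file and reports the Restrict_Run policy value for each under the MMC policy key used in the template above. The default console path is a hypothetical placeholder; run the script as the delegated user after the policy has refreshed, because the values are read from that user's HKCU hive.

```powershell
# Added example, not from the original article. The default path is hypothetical:
# point -ConsolePath at the .msc file you saved from MMC.
param(
    [string]$ConsolePath = "$env:USERPROFILE\Desktop\ADUC-Delegated.msc"
)

# Policy key and value name as used in the custom template on this page.
$policyRoot  = 'HKCU:\Software\Policies\Microsoft\MMC'
$valueName   = 'Restrict_Run'
$guidPattern = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

if (-not (Test-Path -LiteralPath $ConsolePath)) {
    throw "Console file not found: $ConsolePath"
}

# A saved console is a text file, so a regex scan finds every GUID it references.
# Not every GUID in the file is a snap-in, so read the report with that in mind:
# a snap-in GUID with no entry is blocked when only explicitly permitted
# snap-ins are allowed.
$content = Get-Content -LiteralPath $ConsolePath -Raw
$guids = [regex]::Matches($content, $guidPattern) |
    ForEach-Object { $_.Value.ToUpperInvariant() } |
    Sort-Object -Unique

$report = foreach ($guid in $guids) {
    $keyPath = "$policyRoot\$guid"
    $value = $null
    if (Test-Path -LiteralPath $keyPath) {
        $item = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$valueName }
    }

    if ($null -eq $value) { $state = 'No policy entry' }
    elseif ($value -eq 0) { $state = 'Permitted' }     # VALUEON  NUMERIC 0
    else                  { $state = 'Prohibited' }    # VALUEOFF NUMERIC 1

    [pscustomobject]@{ Guid = $guid; Restrict_Run = $value; State = $state }
}

$report | Format-Table -AutoSize
```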


4 comments

  1. Thanks for the useful article.

    Just a quick note for anyone else having the same problem that I did – when copying the admin template from the webpage into notepad I ended up with the wrong type of quotation marks in notepad, which meant I kept getting errors when loading it into gpedit until I fixed them.

    1. Thanks for the heads up – I have now fixed this: copying the admin template now gives the correct quotation marks in a text editor :)

  2. Thanks a mill – works perfectly!!!

    I’m locking down the desktops on terminal servers, and only need the users to be able to open the Services mmc console. I was getting the same error, but the snap-in worked.

    This got rid of the error message.
