You may also not be able to start any Administrative Tools with the message:
The snapin below, referenced in this document has been restricted by policy. Contact your administrator for details.
<toolname>
When you run Mmc.exe, you can't add some snap-ins.
Your account has been restricted with Group Policy at the domain level, possibly in the Default Domain Group Policy, not permitting you to use the Group Policy snap-in:
Restrict Users to the explicitly permitted list of snap-ins
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console)
This can also happen if either of the following is explicitly disabled:
Group Policy snap-in
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy)
Administrative Templates (User)
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy)
You can temporarily use the Group Policy snap-in by using Regedt32 to navigate to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
Double-click the RestrictToPermittedSnapins value name and change the data value to 0. Exit Regedt32 and try to start Group Policy Editor.
If you still receive the error, set the Restrict_Run data value to 0, if it exists, at:
HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3\}
and/or
HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\\{0F6B957E-509E-11D1-A7CC-0000F87571E3\}
Exit Regedt32 and try to start Group Policy Editor.
NOTE: The above registry modifications will be changed when Group Policy is reapplied, which is every 5 minutes on a domain controller.
To edit the policy that restricts access to Group Policy Editor, you need access to:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\\{0F6B957E-509E-11D1-A7CC-0000F87571E3\}
and
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3\}
