
Disable MMC/Group Policies


Name: Mickey Mouse
Date: June 26, 2001 at 09:09:08 Pacific
Comment:

Is there any way to disable MMC on the user level, yet still allow administrators access to MMC?

Our servers are Windows NT 4.0 and we use Windows 2000 Professional for the workstations. We are currently using Windows 2000 Group Policies and local system policies via NT 4.0 sysedit.exe.




Response Number 1
Name: Mike
Date: June 26, 2001 at 11:40:15 Pacific
Reply:

I'm curious as to how you have implemented W2K Group Policy using NT servers? I thought Group Policies to be a function of a W2K Domain.


0

Response Number 2
Name: Lucid
Date: June 27, 2001 at 06:47:16 Pacific
Reply:

Mike, each Windows 2000 machine can use a set of local Group Policies that only affect the users on that specific machine.

As for disabling them... I'd check the User Rights and Permissions in the Group Policy. You might be able to set it so the users can't make any changes unless they're Administrators. I haven't had to worry about turning them off on individual machines, so not much help there....


0

Response Number 3
Name: Mike
Date: June 27, 2001 at 14:52:21 Pacific
Reply:

Lucid, I understand that there are "Local Policies" that can be applied to an individual 2000 Professional Machine. These can be found under "Local Security Policy" accessed from Administrative Tools | Local Security Policy.

These settings are not, to my knowledge, "Group Policy" settings nor what is meant by "Group Policy" in a W2K environment. If I'm wrong, I stand corrected and would sincerely appreciate the appropriate clarification.

Please know I'm not trying to play a game of semantics. What the original post was asking can fairly easily be done through Group Policy in a W2K Domain environment. I'm not sure it can be done through "Local Security Policy". If it can, I'm not sure how and would again appreciate clarification.

If the person was looking to configure one while thinking it was the other, I thought it might be helpful to find that out. I could have been more clear in my original post...I thought they might respond with more detail.

With Peace...


0

Response Number 4
Name: Lucid
Date: June 28, 2001 at 09:49:22 Pacific
Reply:

Mike,
No biggie, just pointing out that that's probably what they were using. And as far as I know they are BOTH called Group Policy. One is just on the workstation so it's a local and the other would be the OU. Same names though, least as far as I know...


0

Response Number 5
Name: Mickey Mouse
Date: June 28, 2001 at 13:10:13 Pacific
Reply:

We aren't using W2K Server, we are using NT 4.0.


0




Response Number 6
Name: Mike
Date: June 28, 2001 at 15:00:16 Pacific
Reply:

See if this helps:
Group Policy - Local Machine Only - Administrator Exempt

MAKE SURE YOU HAVE CONFIGURED THE NTUSER.POL PERMISSIONS PROPERLY (SEE BELOW **) BEFORE YOU LOG OFF OR REBOOT THE MACHINE YOU ARE CONFIGURING OR YOU MAY FIND YOU'VE LOCKED YOURSELF OUT OF AN AREA YOU NEED TO GO....THE ADMINISTRATOR ACCOUNT IS NOT EXEMPT FROM THESE SETTINGS UNTIL THEN.

From each local machine you wish to configure do the following:

Load "Group Policy" snap-in from MMC - or from the Run Command type gpedit.msc. Find the following:

User Configuration | Administrative Templates | Windows Components | click Microsoft Management and enable "Restrict users to the explicitly permitted list of snap-ins". Add any you want them to use, or restrict all by adding none.

Under User Configuration | Administrative Templates | click System and enable "Don't run specified Windows Applications" and add mmc.exe to the list (if there are other applications you wish to disallow, you can add them here also). The Run command won't load mmc.exe and neither will the address bar; however, any user could still start mmc.exe from the Command Prompt, so from this same screen you may want to enable "Disable the command prompt" to prevent that action.

Once you have the policies configured as you like, you need to do the following to prevent their applying to the Administrator Account.

**With file options set in Windows Explorer to allow the showing of hidden and system files, find the "ntuser.pol" file in Documents and Settings\Administrator. From the Security tab of the Properties of ntuser.pol, make sure the Everyone Group has ALLOW FULL CONTROL and add the ADMINISTRATORS LOCAL GROUP (not the "Administrators account" but the "Administrators Built in local Group" account...this is important.) - THEN give the Administrators Local Group the DENY READ permission. These two groups are all you need.

This will prevent the ntuser.pol from being read and therefore the policies won't apply. This configuration will also result in an error message in Event Viewer in the Application Log stating that the file can't be read. By default this will occur every five minutes as policy is refreshed, so you may want to ENABLE the "Group Policy Refresh Interval for users" policy and set the refresh interval accordingly. This is done through the group policy itself and is found at User Configuration | Administrative Templates | System | Group Policy.

I hope this is the answer you were looking for.

PS...I believe you could configure and test one machine and, once convinced it's as you want it, from that machine copy the %Systemroot%\System32\GroupPolicy folder to the %Systemroot%\System32\GroupPolicy folder of the other machines rather than configuring each Local Machine's Group Policies separately, saving you some time...I've not tried this myself but would think it could work. You will still have to configure the permissions on the ntuser.pol file on each individual machine.

Feel free to e-mail me.

With peace, Mike



0
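Added example, not part of Mike's post or any Microsoft tool: a Python check that a copied local policy file (assumed to be `GroupPolicy\User\Registry.pol`) really carries the three restrictions from Response 6 before it is relied on elsewhere. The PReg file layout and the registry value names (`RestrictToPermittedSnapins`, `DisallowRun`, `DisableCMD`) are the documented Windows ones and are assumptions here, since the thread does not name them; the sample data is constructed.

```python
import re
import struct

# Documented registry locations of the post's three policies (assumed, lower-cased).
EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
MMC = r"software\policies\microsoft\mmc"
SYSTEM = r"software\policies\microsoft\windows\system"
HEADER = b"PReg" + struct.pack("<I", 1)  # signature, then format version 1
# One entry up to its data, all UTF-16LE: [key NUL ; value NUL ; type ; size ;
ENTRY = re.compile(rb"\[\0((?:..)*?)\0\0;\0((?:..)*?)\0\0;\0(.{4});\0(.{4});\0", re.S)

def parse_pol(blob):
    """Map (key, value) to an int (REG_DWORD) or lower-cased str (other types)."""
    if blob[:8] != HEADER:
        raise ValueError("not a version 1 PReg file")
    pos, pol = 8, {}
    while pos < len(blob):
        m = ENTRY.match(blob, pos)
        if not m:
            raise ValueError("malformed entry at offset %d" % pos)
        key, value = (g.decode("utf-16-le").lower() for g in m.group(1, 2))
        rtype, size = (struct.unpack("<I", g)[0] for g in m.group(3, 4))
        data, pos = blob[m.end():m.end() + size], m.end() + size + 2
        if len(data) != size or blob[pos - 2:pos] != b"]\0":
            raise ValueError("truncated entry for %s" % value)
        pol[key, value] = (struct.unpack("<I", data)[0] if rtype == 4 and size == 4
                           else data.decode("utf-16-le", "replace").rstrip("\0").lower())
    return pol

def missing_restrictions(pol):
    """Names of the post's restrictions that this policy file does not enforce."""
    blocked = [v for (k, _), v in pol.items() if k == EXPLORER + r"\disallowrun"]
    checks = {
        "snap-in restriction": pol.get((MMC, "restricttopermittedsnapins")) == 1,
        "mmc.exe blocked": pol.get((EXPLORER, "disallowrun")) == 1 and "mmc.exe" in blocked,
        "command prompt disabled": pol.get((SYSTEM, "disablecmd")) in (1, 2),
    }
    return [name for name, ok in checks.items() if not ok]

def entry(key, value, rtype, data):  # encoder used only to construct the sample
    head = (key + "\0;" + value + "\0;").encode("utf-16-le")
    return b"[\0" + head + struct.pack("<I2sI2s", rtype, b";\0", len(data), b";\0") + data + b"]\0"

# Constructed sample: all three settings present, but the program name is mistyped.
SAMPLE = HEADER + b"".join(entry(*e) for e in [
    (MMC, "RestrictToPermittedSnapins", 4, struct.pack("<I", 1)),
    (EXPLORER, "DisallowRun", 4, struct.pack("<I", 1)),
    (EXPLORER + r"\DisallowRun", "1", 1, "mcc.exe\0".encode("utf-16-le")),
    (SYSTEM, "DisableCMD", 4, struct.pack("<I", 1))])
```

`missing_restrictions(parse_pol(SAMPLE))` reports the mmc.exe block as missing because the constructed list names `mcc.exe`, a one-letter slip that leaves the console runnable while the policy looks configured.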

Response Number 7
Name: Mike
Date: June 28, 2001 at 15:32:54 Pacific
Reply:

I should have mentioned in the previous post that your drive needs to be NTFS for the above to work. It's NTFS permissions that get applied to the ntuser.pol.

Just trying to dot all the I's.

Mike


0
