Hi I have setup win server 2003 Enterprise & have also installed AD and DNS on the server, so the server is up and running and the 2 win xp client machines are successfully conected to the server. I have created several OUs and several users in each OU. Logged on as the Administrator on the Domain Controller, I decided to apply some group policies on each of the OU, but when ever I click on new to create a new GPO it reads "Access is denied - You do not have sufficient Permissions to perform this action" I am confused why it is not letting me to do that. Still I went ahead & created a new user and assigned that user all the administrative rights (including Group Policy Object Creator Owner). I then Tried applying some policies by logging on with that user and still no luck. I then Installed the Adminpak on Win xp computer & logged on as the domain controller & tried to apply some policies there but still the same error. I am goofed up now, please help me. Thanks in advance. Naman Naman Jandial

You can use Group Policy to restrict users to a set of snap-ins and administrative tools. Brought to you by AutoProf and Windows & .NET Magazine eBooks Chapter 7 Group Policy FAQs 59 If you can’t run GPE or other administrative tools and you receive the message The snap-in below, referenced in this document, has been restricted by policy. Contact your administrator for details, you need to change your domain’s configuration settings. 1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. 2. Right-click the domain and select Properties. 3. Select the Group Policies tab. 4. Select the default domain policy and click Edit. 5. Navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console. 6. Double-click Restrict Users to the explicitly permitted list of snap-ins. 7. Select Not configured. You can drill down farther to Restricted/Permitted snap-ins\Group Policy and set Group Policy snap-in to enabled and Administrative Templates (User) to enabled or not configured. On a local computer, you can edit the registry to make these changes. 1. Start regedit.exe. 2. Go to the HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC registry entry. 3. Double-click RestrictToPermittedSnapins. 4. Set to 0 and click OK. 5. Close the registry editor. If you still can’t start the Group Policy snap-in, perform the following additional actions. 1. Start regedit.exe. 2. Go to the HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC registry entry. 3. Change the Restrict_Run value to 0 in the following keys if they exist: {8FC0B734-A0E1-11D1-A7D3-0000F87571E3} (this is the restriction for Group Policy snap-in) {0F6B957E-509E-11D1-A7CC-0000F87571E3} (this is the restriction for the Administrative Templates) 4. Close the registry editor. Deepak Vashistha

Hey Gud News Its working now I removed the OS, reinstalled & immediately added SP1 to it & then installed the AD on it, I then tried configuring policies, it worked like a charm. Naman Naman Jandial

HI, i have same problem, and aslo i have try to do the same work around but in my server there is no MMC registry entry. in the HKEY_CURRENT_USER\Software\Policies\Microsoft so please help me and also there is no Windows Components\Microsoft Management Console in User Configuration\Administrative Templates so please help me... thanks rndxpert