Any way to restrict access to Hyper-V Administrator snap-in via GPO?
Solution 1:
You can edit administrative template file "C:\Windows\PolicyDefinitions\MMCSnapins.admx"
and see what is changed if you enable any of the settings in that GPO section. It'll show you that it's using the ID of the snap-in and the value Restrict_Run
with a value of 1
.
- Google for "mmc snap-in registry location"
- Open regedit and go to HKEY_LOCAL_MACHINE\Software\Microsoft\MMC\Snapins
- Install Hyper-V Management Tool and check the new snap-in's ID in this location
- If snap-in is already installed, just browse the keys and find related snap-in and its ID
Now you know your snap-in's ID, you need to use it in GPO. There are couple of ways to do that.
You can edit the administrative template file ("C:\Windows\PolicyDefinitions\MMCSnapins.admx"
) you used before and add a new policy section with Hyper-V snap-in's ID, or, you can use admx file to see what is modified in registry when you change that Group Policy setting and deploy correct settings with GP preferences.
Instead, I just changed one of the settings using gpedit.msc , opened "C:\Windows\System32\GroupPolicy\User\Registry.pol"
in notepad to see what it changed, opened regedit and added the new key with snap-in's ID and value.
After testing to see if it worked, you can export it and deploy it using GP preferences.
SOFTWARE\Policies\Microsoft\MMC\FX:{922180d7-b74e-45f6-8c74-4b560cc100a5}
"Restrict_Run"=dword:00000001