When applying a Group Policy Object (GPO) that restricts Microsoft Management Console (MMC) snap-in creation, Remote Desktop users often encounter the error "MMC could not create the snap-in" during login. This occurs because Server Manager attempts to auto-start but fails due to the MMC restriction. The typical solution—unchecking "Do not start Server Manager automatically at logon" in Server Manager's GUI—is impossible since affected users cannot access MMC.
The auto-start behavior is controlled by a registry key. We can deploy this setting via GPO Preferences:
```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\ServerManager]
"DoNotOpenServerManagerAtLogon"=dword:00000001
```
Create a new GPO or modify an existing one with these steps:
- Open Group Policy Management Console (gpmc.msc)
- Navigate to: User Configuration > Preferences > Windows Settings > Registry
- Right-click and select New > Registry Item
- Configure with these values:
  - Action: Update
  - Hive: HKEY_CURRENT_USER
  - Key Path: Software\Microsoft\ServerManager
  - Value name: DoNotOpenServerManagerAtLogon
  - Value type: REG_DWORD
  - Value data: 1
For environments using PowerShell for configuration management:
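```powershell
# Applies to current user (create the key first if it does not exist yet)
$UserKey = "HKCU:\Software\Microsoft\ServerManager"
if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
Set-ItemProperty -Path $UserKey -Name "DoNotOpenServerManagerAtLogon" -Value 1 -Type DWord

# For all users: needs administrative rights, and only reaches hives currently loaded under HKEY_USERS
$AllUsers = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }
foreach ($user in $AllUsers) {
    $Hive = "Registry::HKEY_USERS\$($user.SID)"
    if (-not (Test-Path $Hive)) { continue }   # profile not logged on, hive not loaded
    $RegPath = "$Hive\Software\Microsoft\ServerManager"
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name "DoNotOpenServerManagerAtLogon" -Value 1 -Type DWord
}
```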
After implementation:
- Have users log out and back in
- Check the registry value exists with correct data
- If issues persist, generate a Group Policy results report to confirm the GPO applied to the user:
  gpresult /h gpreport.html
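To check that the value exists with the correct data for every profile on a Remote Desktop host, the following PowerShell audit reports the state per user. It is an added example, not part of the original page. The function name `Get-ServerManagerAutoStartState` and the state labels are assumptions for illustration; only the key path and value name come from the page.

```powershell
# Added example: audit DoNotOpenServerManagerAtLogon for every user profile on this host.
# Run elevated. Read-only: profiles that are not logged on are reported, never modified.
function Get-ServerManagerAutoStartState {
    [CmdletBinding()]
    param(
        [string]$SubKey    = 'Software\Microsoft\ServerManager',
        [string]$ValueName = 'DoNotOpenServerManagerAtLogon'
    )

    $profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }
    foreach ($p in $profiles) {
        # Resolve the SID to an account name where possible (orphaned SIDs stay as the SID)
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($p.SID)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = $p.SID }

        $hive  = "Registry::HKEY_USERS\$($p.SID)"
        $state = 'Compliant'; $kind = $null; $data = $null

        if (-not (Test-Path -Path $hive)) {
            $state = 'HiveNotLoaded'      # user not logged on, hive cannot be inspected
        } else {
            $key = Get-Item -Path "$hive\$SubKey" -ErrorAction SilentlyContinue
            if ($null -eq $key) {
                $state = 'KeyMissing'     # Server Manager key never created for this user
            } elseif ($key.GetValueNames() -notcontains $ValueName) {
                $state = 'ValueMissing'   # key exists but the preference did not apply
            } else {
                $kind = $key.GetValueKind($ValueName)
                $data = $key.GetValue($ValueName)
                if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { $state = 'WrongType' }
                elseif ($data -ne 1) { $state = 'WrongData' }
            }
        }

        [pscustomobject]@{
            Account = $account; SID = $p.SID; State = $state; Type = $kind; Data = $data
        }
    }
}

Get-ServerManagerAutoStartState | Sort-Object State, Account | Format-Table -AutoSize
```

Any row other than `Compliant` or `HiveNotLoaded` points to a user the GPO preference did not reach, which is where the `gpresult` report is worth reading.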
Remember that:
- This setting is user-specific, not machine-wide
- The GPO must apply to the correct Organizational Unit
- For terminal servers, consider using loopback processing mode
When implementing Group Policy Objects (GPO) that restrict Microsoft Management Console (MMC) snap-ins, administrators often encounter an undesirable side effect: Remote Desktop users receive "MMC could not create the snap-in" errors during login when Server Manager attempts to auto-start.
The conventional approach of unchecking "Do not start Server Manager automatically at logon" in Server Manager's GUI becomes impossible because:
- The MMC restriction prevents accessing this setting through the standard interface
- Manually configuring this setting per user isn't scalable
Server Manager's auto-start behavior is controlled by a registry value. We can implement this through Group Policy Preferences:
Windows Registry
Path: HKEY_CURRENT_USER\Software\Microsoft\ServerManager
Value Name: DoNotOpenServerManagerAtLogon
Value Type: REG_DWORD
Value Data: 1
Create or modify a GPO that applies to your target users:
- Open Group Policy Management Console
- Navigate to: User Configuration → Preferences → Windows Settings → Registry
- Right-click and select New → Registry Item
- Configure with the values shown above
For environments where registry preferences aren't available, deploy via logon script:
```powershell
# Disable Server Manager auto-start
$regPath = "HKCU:\Software\Microsoft\ServerManager"
If (-Not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name "DoNotOpenServerManagerAtLogon" -Value 1 -Type DWord
```
After implementation, verify the setting by:
- Connecting as a target user via RDP
- Checking registry value existence and correctness
- Confirming Server Manager doesn't auto-start
Additional considerations:
- This setting applies per-user, not system-wide
- Combine with other Server Manager restrictions if needed
- Test thoroughly in non-production environments first