Local Policy vs. Group Policy

For System Center Essentials to correctly interoperate with other components running on Microsoft Windows operating systems, some changes must be made to the Essentials 2007 management server, all managed computers, and any remote computer running an Essentials 2007 component such as a remote console or remote database. How these changes are made is determined by whether you can log on to these computers using either Domain Administrator or Group Policy Administrator credentials.

Group Policy

If you can log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials 2007, any computers running Essentials 2007 components or agents are configured automatically.

Selecting the Group Policy option directs Essentials 2007 to make the following changes to the domain:

  • An Active Directory group is created.

  • The Essentials 2007 Management Server is added to the Active Directory group.

  • Two Group Policy objects (GPOs) are created.

    • One GPO is targeted at the ‘All Computers’ Active Directory group and contains both the Secure Sockets Layer (SSL) and Windows Server Update Services (WSUS) certificates and Windows Firewall settings.

    • The other GPO is specifically targeted at Essentials 2007 managed computers. This GPO is applied to the Active Directory group created by Essentials 2007, and contains settings related to WSUS, Agentless Exception Monitoring (AEM), and Remote Assistance.

  • A domain-level object, System Center Essentials Managed Computers (Active Directory computer group), is created.

  • A domain-level object, SCE Managed Computers Group Policy, is created and added to the Access Control List (ACL) of the System Center Essentials Managed Computers group.

  • A domain-level object, System Center Essentials All Computers Policy, is created. This object's Group Policy applies to computers in the domain.

In addition, selecting the Group Policy option directs Essentials 2007 to make the changes described in the following table.

On the Management Server:

  • Essentials 2007 checks whether the SSL certificate has been configured on the WSUS Web site. Essentials 2007 creates and configures a new certificate if it is not present.

  • Essentials 2007 checks whether the WSUS certificate is already configured on the Management Server. Essentials 2007 creates and configures a new certificate if it is not present.

  • For Agentless Exception Monitoring, a file share is created and an ACL is created to give write access to the Domain and to Domain Users.

  • For Agentless Exception Monitoring, the HttpListener port for AEM (port 51906) is configured with the same SSL certificate that is used for the WSUS Web site. Further, SSL and WindowsAuth are enabled for the port.

  • Proxy information is set on both the WSUS server and on the Essentials 2007 Management Server.

On managed computers:

  • None (managed computers receive all the required settings through Group Policy)

Note

When a computer is added to the Active Directory group, a task is performed automatically that refreshes the computer's group membership.

Local Policy

If you cannot log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials 2007, use local policy. If Windows Firewall or another vendor's firewall product is used on computers in your environment, you must create firewall exceptions on the Essentials 2007 Management Server and on managed computers. Also, you must import two certificates on any computer on which you installed a remote Essentials 2007 console. For more information, see How to Install a Remote Essentials 2007 Console.

Selecting the Local Policy option directs Essentials 2007 to make the changes described in the following table.

On the Management Server:

  • Essentials 2007 checks whether the SSL certificate has been configured on the WSUS Web site. Essentials 2007 creates and configures a new certificate if it is not present.

  • Essentials 2007 checks whether the WSUS certificate is already configured on the Management Server. Essentials 2007 creates and configures a new certificate if it is not present.

  • For Agentless Exception Monitoring, a file share is created and an ACL is created to give write access to the Domain and to Domain Users.

  • For Agentless Exception Monitoring, the HttpListener port for AEM (port 51906) is configured with the same SSL certificate that is used for the WSUS Web site. Further, SSL and WindowsAuth are enabled for the port.

  • Proxy information is set on both the WSUS server and on the Essentials 2007 Management Server.

  • The following certificates are exported to the <EssentialsFolder>\Certificates folder:

    • WSUSCodeSigning.cer

    • WSUSSSL.cer

  • The SCE_ConfigureAgentCertPolicy rule in the SCE Management Pack is enabled.

  • The Essentials 2007 Management Server name and AEM file share property values are set for the ‘LocalPolicyConfig’ rule.

On managed computers:

  • When the agent is installed, the SCE_ConfigureAgentCertPolicy rule in the SCE Management Pack runs and configures the machine.
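
The Management Server changes above say the AEM listener on port 51906 uses the same SSL certificate as the WSUS Web site. The following PowerShell is an added example, not part of the original documentation or of Essentials 2007, that checks this by comparing the certificate hash bound to the port against an expected thumbprint. It assumes the text format of `netsh http show sslcert` on an English-language system (Windows Server 2008 or later) and that the exported WSUSSSL.cer is the WSUS Web site certificate; the function names are hypothetical.

```powershell
# Added example, not Microsoft's code. Assumes English-language netsh output.
function Get-HttpSslBinding {
    param([string[]]$NetshOutput)
    $bindings = @()
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+):(\d+)\s*$') {
            # An "IP:port" line starts a new binding record.
            $current = [pscustomobject]@{ Address = $Matches[1]; Port = [int]$Matches[2]; Hash = $null }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            $current.Hash = $Matches[1].ToUpperInvariant()
        }
    }
    $bindings
}

function Test-AemListenerCert {
    param([string[]]$NetshOutput, [string]$ExpectedThumbprint, [int]$Port = 51906)
    # Normalize: thumbprints are often pasted with spaces or in lower case.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $hits = @(Get-HttpSslBinding $NetshOutput | Where-Object { $_.Port -eq $Port })
    if ($hits.Count -eq 0) { return 'NoBinding' }
    # Every binding on the port (IPv4 and IPv6) must carry the expected hash.
    if (@($hits | Where-Object { $_.Hash -ne $want }).Count -gt 0) { return 'Mismatch' }
    'Match'
}

# Constructed sample output; the thumbprints, GUIDs and port 443 are made up.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 00112233445566778899aabbccddeeff00112233
    Application ID               : {00000000-0000-0000-0000-000000000000}

    IP:port                      : 0.0.0.0:51906
    Certificate Hash             : a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
    Application ID               : {00000000-0000-0000-0000-000000000000}
'@ -split '\r?\n'

Test-AemListenerCert $sample 'A1 B2 C3 D4 E5 F6 07 18 29 3A 4B 5C 6D 7E 8F 90 12 34 56 78'
Test-AemListenerCert $sample '00112233445566778899aabbccddeeff00112233'
Test-AemListenerCert $sample 'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678' -Port 51907

# On the Management Server, feed it live data instead:
#   $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 '<EssentialsFolder>\Certificates\WSUSSSL.cer'
#   Test-AemListenerCert (netsh http show sslcert) $cer.Thumbprint
```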

See Also

Tasks

How to Change Windows Firewall Exceptions
How to Install a Remote Essentials 2007 Console

Concepts

Administration Account
Selecting Database Locations
Storing Updates
Supported Deployment Topologies
System Requirements and Supported Platforms