Поделиться через


Configuring Configuration Manager Client Local Policy

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Because agent policy settings apply on a site-wide basis, in Microsoft System Center Configuration Manager 2007, it is sometimes useful to configure a custom Configuration Manager 2007 policy on a local, per-client basis. Local policy settings can be added by compiling a Managed Object Format (MOF) file or programmatically through Windows Management Instrumentation (WMI). A custom local Configuration Manager 2007 policy can override a full instance or individual properties within an instance.

You need to be a local administrator to configure a local client policy.

Configuration by Using a MOF File

You can use a MOF file to define a new policy instance. The existing instances of the same class are not overwritten when you compile the new MOF file. During the evaluation of the policy, the settings have to be combined. For this process, it is important whether the policy instance is a complete policy or only a partial policy. A complete policy will not be merged with other policies from other sources, and a partial policy will be merged. A partial policy has the qualifier [CCM_Policy_PartialPolicy(true)] set for the instance. For each property that is set by a partial policy, you can specify whether it overwrites existing values for the same property. A property that can overwrite existing values has the qualifier [ccm_policy_override(TRUE)] set. Each policy instance has a source. For the policies coming from a management point, this is "SMS:<sitecode>". The source "local" designates a local policy, compiled on the client directly. By default, local policies override management point policies.

Note

New policy is not applied until the client has completed a policy evaluation cycle. This is invoked automatically within two minutes after the client has retrieved new policy from the management point. Similarly, if local policy is applied to the client, it does not take effect until a policy evaluation cycle has taken place. If this is required sooner than the client's scheduled policy retrieval interval, the policy evaluation can be invoked by using the client Control Panel applet or programmatically by using the CPApplet client action for "Machine Policy Retrieval & Evaluation Cycle". For more information, see How to Run a Configuration Manager Client Action.

Management Point Instance

The following example is an instance of the RemoteToolsConfig class as found on a management point (XXX as indicated by PolicySource). Note that the PermissionRequired property has been set to 1. Each client that uses this management point will, as a site-wide policy setting, have this policy property value applied for PermissionRequired.

Syntax

instance of CCM_RemoteToolsConfig
{
    PolicyID = "{GUID value}";
    PolicyVersion = "x";
    PolicySource = "SMS:XXX";
    PolicyRuleID = "{GUID Value}";
    PolicyInstanceID = "{GUID value}";
    Enabled = TRUE;
    ComponentName = "SmsRemoteTools";
    Type = 1;
    RemoteToolsEnabled = TRUE;
    AllowChat = TRUE;
    AllowClientChange = FALSE;
    AllowFileTransfer = TRUE;
    AllowReboot = TRUE;
    AllowRemoteExecute = TRUE;
    AllowTakeover = TRUE;
    AllowViewConfiguration = TRUE;
    AlwaysVisible = FALSE;
    AudibleSignal = TRUE;
    CompressionType = 2;
    ControlLevel = 2;
    DefaultProtocol = "TCP/IP";
    IndicatorType = 0;
    PermissionRequired = 1;
    UseIDIS = TRUE;
    VisibleSignal = TRUE;
    DisableToolsOnXP = TRUE;
    ManageRA = TRUE;
    EnableRA = TRUE;
    AllowRAUnsolicitedView = TRUE;
    AllowRAUnsolicitedControl = TRUE;
    ManageTS = FALSE;
    EnableTS = FALSE;
    EnforceRAandTSSettings = TRUE;
    PermittedViewers = NULL;
};

Overriding the PermissionRequired Property on a Local Client

To set a local value for the PermissionRequired (uint32) property only and to keep all other properties as set by the management point policy, create a MOF file (rc_settings.mof) with the following entries.

Syntax

#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\requestedconfig")
[CCM_Policy_PartialPolicy(true)] 

instance of CCM_RemoteToolsConfig

{
// Header properties
    PolicyID = "1"; 
    PolicySource = "local";
    PolicyVersion = "1";
    PolicyRuleID = "1";
    PolicyInstanceID = "1";

    Type = 1;

// Data properties
[CCM_Policy_Override(TRUE)]

    PermissionRequired = 0; 
};

Remarks

  • PolicySource is set as "local", which indicates that the MOF file entries apply only to the local client computer. This is the only supported value.

  • The key properties for the class are required in the local MOF file. The key property values are assigned by you to identify the class on the client.

  • The required property, PermissionRequired, is coded and assigned to the desired local value (0).

  • To remove a local policy, either change the MOF file definition to set ccm_policy_override to false for partial instances, or delete the entire instance by using the key properties. Deletion of the instance will have to be done through wbemtest or a similar application, or programmatically by using WMI.

The qualifier [CCM_Policy_PartialPolicy(true)] defines this policy as a partial policy, which means all other properties are unchanged. This results in only PermissionRequired being changed locally, and all others are left according to the management point policy settings.

The qualifier [ccm_policy_override(TRUE)] for the property means that the current value is actually overwritten. If set to false or left out, the value coming from the management point is left unchanged.

Compiling the MOF File

Compile the previously created MOF file (rc_settings.mof) on each client that is to locally override the PermissionRequired property. To do this, use the Mofcomp utility with the following command line.

Syntax

mofcomp.exe rc_settings.mof

Overriding the Complete Remote Tools Setting on a Local Configuration Manager Client

To set all values and disable the management point policy, create a MOF file (rc_settings.mof) with the following entries.

#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\requestedconfig")

instance of CCM_RemoteToolsConfig
{
// Header properties
    PolicyID = "1"; 
    PolicySource = "local";
    PolicyVersion = "1";
    PolicyRuleID = "1";
    PolicyInstanceID = "1";
    Type = 1;
    PermissionRequired = 0;
};

Note

The qualifier [CCM_Policy_PartialPolicy(true)] is now missing. This results in only PermissionRequired being set; all others are left at the default values. The management point settings are ignored.

Note

The key properties for the class are required in the local MOF file. The key property values are assigned by you to identify the class on the client.

See Also

Concepts

About Configuration Manager Local Policy
Controlling Local Policy