Known Issue: The Change IP Wizard Does Not Update System Center Essentials Group Policy Objects in Windows Essential Business Server

  • Article

Applies To: Windows Essential Business Server

This article applies to the following operating system:

  • Windows® Essential Business Server (Windows EBS)°2008

Symptoms

The Change IP Address Settings Wizard in Windows EBS 2008 Management Server does not update the following System Center Essentials Group Policy objects:

  • SCE Managed Computers Group Policy

  • System Center Essentials All Computers Policy

As a result, the following actions are affected and they could potentially fail:

  • Deploying the System Center Essentials agent on new computers

  • Obtaining the proper access for connecting System Center Essentials to managed computers

Background

When Windows EBS 2008 Management Server is configured, the Managed Computers Group Policy and the All Computers Group Policy should be configured when you deploy System Center Essentials.

  • SCE Managed Computers Group Policy. This policy defines firewall exceptions that apply to members of the System Center Essentials Managed Computers group. This policy defines which computers can access Remote Desktop. By default, only the IP address of Management Server is included.

  • System Center Essentials All Computers Policy. This policy, which applies to all computers in the domain, defines firewall exceptions based on the IP address of Management Server. Firewall settings that are defined by this policy affect which computers can access shared resources, and they enable administrators to remotely manage the computer where the policy is applied (by default, Management Server).

Resolution

After you complete the Change IP Address Settings Wizard, follow these procedures to manually update the Group Policy objects with the correct IP address for Management Server.

To update Managed Computers Group Policy

  1. On Management Server, click Start, click Run, type gpmc.msc, and then click OK.

  2. Expand the Active Directory® forest, expand Domains, and then expand your domain.

  3. Right-click SCE Managed Computers Group Policy (MGMT_MG), where MGMT is the name of Management Server, and then click Edit.

  4. Expand Computer Configuration, expand Policies, expand Administrative templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.

  5. Right-click Windows Firewall: Allow inbound Remote Desktop exceptions, and then click Edit.

  6. Type the IP address of Management Server, and then click OK.

    Note

    If you are allowing Remote Desktop Protocol (RDP) or Remote Web Workplace (RWW) connections from the Internet, consider changing this policy to allow a greater range of exceptions. Otherwise, this policy may cause conflicts.

To update All Computers Group Policy

  1. On Management Server, click Start, click Run, type gpmc.msc, and then click OK.

  2. Expand the Active Directory forest, expand Domains, and then expand your domain.

  3. Right-click System Center Essentials All Computers Policy, and then click Edit.

  4. Expand Computer Configuration, expand Policies, expand Administrative templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.

  5. Edit the following values with the new IP address of Management Server:

    • Windows Firewall: Allow inbound file and printer sharing exception

    • Windows Firewall: Allow inbound remote administration exception

    Note

    Be aware that these policies may be too restrictive for your environment. For example, in this case, only Management Server would be able to access shared resources on other computers.