System Center Essentials Policy Stops Access To Admin Shares
Enabling System Center Essentials Policies made SCE working but we discover that admin shares \\computer\c$ cannot be reached any more.
Disabling these policies everything came back to normal. The SCE SP1 has been installed on Windows Server 2008.
Please advise.
Réponses
- Under System Center Essentials All Computers Policy/Computer Configuration/Network/Network Connections/Windows Firewall/Domain Profile see the following 2 entries:
Windows Firewall: Allow file and printer sharing exception
Windows Firewall: Allow remote administration exception
Both will be locked down to the Essentials Server IP address. This then only allows the Essentials server to access the Admin shares on any machine in the domain, irrelevant if it has an Essentials agent installed or not, even if you're a Domain Admin, irrelevant.
We changed ours from just the Essentials server IP address to the entire network, x.x.x.0 and all worked as it did before Essentials was installed on the domain.
Hope this helps.
PS. Of course Yog Li can access his Essentials server Admin shares. It's the only one in the policy allowed list!
Try connecting to your DC or some other workstation, it won't work until you do the above, and the policy updates.- Proposé comme réponseHittin mardi 30 juin 2009 02:42
- Marqué comme réponseYog Li - MSFTMSFT, Modérateurlundi 6 juillet 2009 09:35
Toutes les réponses
Hello,
After SCE has been installed and configured, two GPOs are created and linked to the domain container:
1. System Center Essentials All Computers Policy. It is for those members of the domain but have not been managed by SCE server.
It enables the following policies under computer configuration:
a. Windows Firewall: All file and printer sharing exception
b. Windows Firewall: Allow remoter administration exception
2. SCE Managed Computers Group Policy(Managment_MG).
It enables the following policies under computer configuration for the update management component:
a. SYSTEM/Error Reporting
Policy: Configure Error Reporting
b. System/Error Reporting/Advanced Error Reporting settings
Policy: Default application reporting settings
Report operating system errors
c. System/Internet Communication Management/ Internet Communication settings.
Policy: Turn off Windows Error Reporting
d. System/Remote Assistance.
Policy: Offer Remote Assistance
e. Windows Components/Windows update
Policy: Allow signed content from intranet Microsoft update service location
Configure Automatic Updates
No policy seems disabled the admin shares. Besides, I can visit my SCE Server by using "\\computer name\C$". What is the policy that you have disabled to resolve this issue? Please tell us more details so we can move on.Thanks,
Yog Li - MSFT- Under System Center Essentials All Computers Policy/Computer Configuration/Network/Network Connections/Windows Firewall/Domain Profile see the following 2 entries:
Windows Firewall: Allow file and printer sharing exception
Windows Firewall: Allow remote administration exception
Both will be locked down to the Essentials Server IP address. This then only allows the Essentials server to access the Admin shares on any machine in the domain, irrelevant if it has an Essentials agent installed or not, even if you're a Domain Admin, irrelevant.
We changed ours from just the Essentials server IP address to the entire network, x.x.x.0 and all worked as it did before Essentials was installed on the domain.
Hope this helps.
PS. Of course Yog Li can access his Essentials server Admin shares. It's the only one in the policy allowed list!
Try connecting to your DC or some other workstation, it won't work until you do the above, and the policy updates.- Proposé comme réponseHittin mardi 30 juin 2009 02:42
- Marqué comme réponseYog Li - MSFTMSFT, Modérateurlundi 6 juillet 2009 09:35
- Hello,
Thanks Hittin for sharing the experience. The solution works in my test environment.
Thanks,
Yog Li - MSFT Hi beat102,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.
In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
Thanks,
Yog Li - MSFT- Beat102, did this resolve your issue? Thanks for the feedback.
- Hey beat did you beat it or did it beat you?
Feedbeat I mean back is always good
