Re-deploying a policy to three servers that already have a policy

  • Question

  • Hello Everyone,

    I have a question that hopefully you can help me out with. We have three servers with a policy deployed to them and we would like a different policy applied to just them. The issue is the policy they have applied is also applied to all of our other servers, so I cannot just undeploy that policy and have it go off all the other servers. So my question is this. What is the best way to just change the policy on these three servers? Only thing I would be changing is the full scan time and the exclusions, being they are Exchange servers.

    I thought about creating a policy based on a .reg file, but I don't know if I can just "overwrite" the settings already on these 3 servers using that. I also thought about just manually changing those settings on these three servers, but even under an Administrator account I cannot change any of the settings. Any info or advice would be great, the scans on these are taking upwards of 8 to 10 hours and causing issues for our DAG so I need to get the policy changed on these. Appreciate the help!

    -Scott

    Friday, May 4, 2012 8:29 PM

Answers

  • Hi,

    What I can tell you is that you can

    1# Create an AD security group that contains these 3 servers, another one that contains the rest of servers and 2 FCS policies then apply each one to the appropriate security group.

    Or

    2# Reinstall the FCS client as an unmanaged on these 3 servers then configure them manually.


    Bechir Gharbi | My blog: @myITforum.com | Twitter: @Bechir_Gharbi | Linkedin: Bechir Gharbi | Time zone: GMT + 1

    Saturday, May 5, 2012 8:45 AM

All replies

  • Thank you for the reply. Let me ask you this. After creating the new policy I applied it to a registry file saved in the same shared location as the rest of our policies that are saved to a .reg. Just as a test on my machine I went to the shared location, simply opened the .reg file and said yes to importing the registry values. After doing that I checked the Forefront client settings on my machine and they matched the policy I had made and deployed to the .reg. Is there some reason that I could not use this as a way of doing it, just for these 3 servers?

    Thanks,

    -Scott

    Monday, May 7, 2012 5:41 PM
  • I never used the reg file method but I can inform you that you must perform the following steps on all machines to which you want to deploy the policy using the .reg file:

    1. Distribute the .reg file to the computer or make the .reg file accessible in a shared folder.
    2. Use fcslocalpolicytool.exe to apply the policy to the computer: fcslocalpolicytool.exe /i policyname.reg

    For automated deployments, you can use the /f option to suppress the confirmation message.

    Otherwise what's wrong with the security group method?


    Bechir Gharbi | My blog: @myITforum.com | Twitter: @Bechir_Gharbi | Linkedin: Bechir Gharbi | Time zone: GMT + 1

    Monday, May 7, 2012 5:50 PM
  • Nothing wrong with that at all. I was just curious about the .reg file method since I had already deployed the policy to one. I appreciate the info!
    Monday, May 7, 2012 5:54 PM