The SCECertPolicyConfigUtil utility (SCECertPolicyConfigUtil.exe) changes Group Policy settings and Agentless Exception Monitoring (AEM) settings from the command line.
To install the SCECertPolicyConfig utility
-
In the HelperObjects\i386 folder of the Essentials 2007 installation media, start SCECertPolicyConfig.msi.
-
To verify the installation, on the computer, open the folder Program Files\System Center Operations Manager 2007 and confirm the presence of the file SCECertPolicyConfigUtil.exe.
Example
The following table describes the command-line switches you can use with SCECertPolicyConfigUtil.exe to change policy settings.
| Switch | Required | Description |
|---|---|---|
|
/PolicyType <local/domain> |
Required, unless using /Uninstall |
<local/domain> controls whether client computers are configured with local or domain Group Policy settings. |
|
/Management Group <Essentials management server netbios name>_MG |
Required |
The name of the Essentials 2007 management group. This will always be <Essentials management server name>_MG. |
|
/SCEServer <Essentials management server FQDN> |
Required, unless using /Uninstall |
The FQDN of the Essentials server. This FQDN is used when configuring Windows Update settings. |
|
/AEMFileShare <file share name> |
Required if ConfigureAEM=True |
The UNC path for the share that is used for error reporting. |
|
/AEMport <port> |
Required if ConfigureAEM=True |
The port that is used for error reporting. |
|
/ConfigureRemoteControl <true/false> |
Optional |
True enables Remote Assistance in the domain or local Group Policy. The default if this switch is omitted is False. |
|
/ConfigureFirewallPolicy <true/false> |
Optional |
True enables Windows Firewall exceptions in the domain or local Group Policy. The default if this switch is omitted is False. |
|
/ConfigureAEM <true/false> |
Optional |
If True, Error Reporting settings are configured in the domain or local Group Policy. The default if this switch is omitted is False. |
|
/Uninstall |
Optional |
Removes the domain policy objects from Active Directory or removes the configuration from the local policy objects on managed computers – either operation result in computers not configured appropriately to be managed by Essentials 2007. |
The Windows Firewall exceptions for client computers are configured in the computer’s policy settings under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. When the SCECertPolicyConfigUtil.exe program or the Feature Configuration Wizard is used to configure the policy, they enable the following settings:
| Name | Configuration | Description |
|---|---|---|
|
Windows Firewall: Allow file and printer sharing exception |
Allow unsolicited incoming messages from: <Essentials management server IP address> |
Opens UDP ports 137 and 138, and TCP ports 139 and 445. This allows for client push installation from the Essentials 2007 management server. |
|
Windows Firewall: Allow remote administration exception |
Allow unsolicited incoming messages from: <Essentials management server IP address> |
Opens TCP ports 135 and 445. This allows for Remote Assistance requests from the Essentials 2007 management server. |
 Copy Code |
|
|---|---|
SCECertPolicyConfigUtil.exe /PolicyType <local domain> /ManagementGroup <management group name> /SCEServer <server FQDN> /AEMFileShare <file share name> /AEMPort <port> /ConfigureRemoteControl <true/false> /ConfigureAEM <true/false> /ConfigureFirewallPolicy <true/false> /Uninstall |
|
The following command will remove local or domain Group Policy settings. For example, you can this command to switch from using one to the other. After running the command, in the Essentials 2007 console, run the Feature Configuration Wizard again.
| Copy Code |
|
|---|---|
SCECertPolicyConfigUtil.exe /Uninstall /ManagementGroup <Essentials management server netbios name>_MG |
|