Secure Configuration Manager allows you to manage Windows computers without installing an agent on each computer. A single Windows agent can manage several computers by proxy, as long as the computers are members of the domain in which the agent service is installed. This proxy capability greatly simplifies deployment. Most organizations with large Windows environments use management by proxy to reduce the number of Windows agents to a manageable number.
NOTE: If a Windows endpoint is managed by a proxy agent, the agent returns data with qualifiers (for example, HOUWIN2KSRV\Administrator). If a Windows endpoint is not managed by proxy, the agent returns data without qualifiers (for example, Administrator).
If you plan to manage Windows computers by proxy, you should be aware of certain limitations. The Windows agent cannot perform the following functions by proxy:
Windows actions and reports
  List Instant Messenger Applications report
  Users with Weak Passwords report
  Users with Password = User Name report
  Users without a Password report
  Users with Password Too Short report
  Set Disk Quota for User action
  Show User Quota for a Specified Volume report
Windows security checks
  Accounts with Password Equal to Any User Name
  Accounts with Password Equal to User Name
  Accounts with Password Equal to Reverse User Name
  Accounts with Short Passwords
  Accounts with Blank Passwords
  Instant Messenger Setting
Queries of the Port object
Any default port scan reports, such as the Port Scan (TCP/UDP Endpoints) report
Queries of the HKLM/Current User registry hive or any reports that rely on that hive
To manage a computer by proxy, the service account by which the Windows agent operates must be a member of the Domain Admins group in the domain of the managed computer, and it must be a member of the Local Admins group on the managed computer.
Consider the following additional requirements when using the Windows agent to manage a computer by proxy:
The agent computer must be running the following services:
  Workstation
  DHCP Client
The Remote Registry Service must be running on all computers being managed by proxy.
The Microsoft Remote Procedure Call service must be running on both the agent computer and all computers being managed by proxy.
(Conditional) For Secure Configuration Manager to receive and display IPv6 addresses from managed endpoints, the Windows agent must be set up as a dual-stack host that supports both IPv4 and IPv6 addresses, because the agent uses IPv4 addresses when communicating with Core Services. For more information about agent operating systems, see Windows Agent Computer Requirements.
(Conditional) To monitor endpoint computers running IIS version 7.0 or 7.5, you must install the IIS Management Scripts and Tools component on the endpoint. You must also enable NetIQ VBscripts to run on the computer containing the Windows agent that monitors the endpoint. For more information about enabling scripts to run, see Enabling NetIQ VBscripts.
(Conditional) To collect Group Policy Object data from endpoint computers running the Windows Server 2008 Core or 2008 Core R2 operating system, you must manage those endpoints by proxy. The Core operating systems do not support Group Policy Management Console (GPMC) installation, which the agent requires.
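The service requirements listed above can be verified before you assign endpoints to a proxy agent. The following PowerShell script is an added example, not part of the Secure Configuration Manager documentation or product; it is meant to be run on the agent computer. The endpoint names are hypothetical placeholders, and the mapping from the service display names on this page to Windows service names is stated in the comments.

```powershell
# Added example (not from the product documentation).
# Service display names on this page mapped to Windows service names:
#   Workstation = LanmanWorkstation, DHCP Client = Dhcp,
#   Remote Registry = RemoteRegistry, Remote Procedure Call = RpcSs
param(
    # Hypothetical endpoint names; pass the computers you plan to manage by proxy.
    [string[]]$ManagedComputers = @('ENDPOINT01', 'ENDPOINT02')
)

$agentServices   = 'LanmanWorkstation', 'Dhcp', 'RpcSs'
$managedServices = 'RemoteRegistry', 'RpcSs'

function Get-ServiceReadiness {
    param([string]$ComputerName, [string[]]$ServiceName, [string]$Role)
    $session = $null
    try {
        if ($ComputerName -eq $env:COMPUTERNAME) {
            $session = New-CimSession -ErrorAction Stop
        } else {
            # DCOM rides on RPC, so this also exercises the RPC requirement.
            $dcom    = New-CimSessionOption -Protocol Dcom
            $session = New-CimSession -ComputerName $ComputerName -SessionOption $dcom -ErrorAction Stop
        }
        # Collect first so a failure mid-loop does not leave partial rows.
        $rows = foreach ($name in $ServiceName) {
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                       -Filter "Name='$name'" -ErrorAction Stop
            [pscustomobject]@{
                Computer = $ComputerName; Role = $Role; Service = $name
                State    = if ($svc) { $svc.State } else { 'NotInstalled' }
                Ready    = [bool]($svc -and $svc.State -eq 'Running')
            }
        }
        $rows
    } catch {
        # Session or query failed: report every required service as unverified.
        $reason = $_.Exception.Message
        foreach ($name in $ServiceName) {
            [pscustomobject]@{
                Computer = $ComputerName; Role = $Role; Service = $name
                State    = "Unreachable: $reason"; Ready = $false
            }
        }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

$results  = @(Get-ServiceReadiness $env:COMPUTERNAME $agentServices 'Agent')
$results += @($ManagedComputers | ForEach-Object { Get-ServiceReadiness $_ $managedServices 'Managed' })
$results | Format-Table -AutoSize
if ($results.Ready -contains $false) { exit 1 }
```

A non-zero exit code means at least one required service is stopped, missing, or could not be checked, so the script can gate a deployment step.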