• Status: Solved

XP SP2 Security Center - How to define security settings locally when connected to a domain

I have just installed XP SP2 on the computers within our small domain.  When all of the computers are logged in, the users log on via the "this computer" option versus the domain when presented with the Windows Logon screen.  After installing XP on each of the computers via the Windows Update option, all except one allow me to go to the new control panel "Security Center" and view and set my security options including my firewall settings.  On the one computer I receive the message:

"Security Essentials

The security settings on this computer are managed by a network administrator because it is part of a domain (a group of computers on a network).  To help protect your computer, the administrator of this computer should do the following..."

I would like this computer to behave the way the others do.  I have checked all of the settings I can think of but with no luck.  This computer is logged on with a local ID that has administrator rights.  On the Windows 2003 Server the computer is defined in the Active Directory and appears to have all of the same settings as the other computers.

I suspect there is some minor setting on the problem child computer or registry entry that needs to be changed.  Any ideas where I might look.

Thanks,

Mike
 
JDAdams Commented:
XP SP2 machines have the firewall settings disabled by default if connected to a 2003 server. This must be corrected on the 2003 machine, using the fix at http://www.microsoft.com/downloads/details.aspx?FamilyId=D70097C2-4317-40E0-B7DA-FEB52C6B6386&displaylang=en. Not sure why only one is doing it though...
 
Netman66 Commented:
XP2 installs completely different on machines that are part of a Domain versus simply in a Workgroup.  I suspect the one PC displaying that info box is joined to the domain - the others may not be (or may not be properly joined).

Why are these users logging in to a local account when you have the Domain right there??

 
Netman66 Commented:
Sorry..typo... should have been SP2.

 
Mike93110 (Author) Commented:
JDAdams - thanks for the KB article.  I may need to use that if I don't figure out how to adjust things to give the local users control.  Of course in that case I would also need to know how you change the settings at the 2003 machine to change the firewall settings for each individual machine.  Is there a convenient and easy to understand article on how to do that?

Netman66 or anyone - We only have 10 computers in this domain and looking at the System Control panel Computer Name tag they all appear to be part of the same domain.  On the server the computer names all show up in the Active Directory.  Is there any magic to how they may have been added that would cause all but the one to not be properly joined?  For the one computer that does seem to be part of the domain, when I take it out, I can manage the Security Center settings fine and when I re-add it to the domain the settings again go back to being controlled by the server.

Also, I assume that regardless of whether they log on to the local computer or to the domain, as long as they are part of the domain, the 2003 server would in most cases control the settings.  Is that correct?  I have a few of the other computers that would like to have the firewalls enabled but each is also running multiple web servers on different IP addresses on the same computer.  Hence I need to ensure that I can easily open up their http and https ports individually.  That concern is the primary issue I have.  Also little things like one computer has iTunes and iTunes needed special access to work properly.  Controlling the Security Center on the local computer made it very easy to make that one change.

Regarding why not have the users log onto the Domain instead of their local computer, though I'm a programmer by profession, my expertise is not managing the 2003 server.  It seems as though issues like this take too long to figure out how to manage from the 2003 versus just managing on the local machines.  Perhaps I just need to start going after things.  The other concern would be that making the change would result in the users losing all of their personal settings and I'm not sure how to easily transfer them from the local account to the domain login.
 
Mike93110 (Author) Commented:
There might be an easier answer, if it is a possibility.  Rather than try to figure out what the difference between my computers might be - though I would like to do that at some point.  Is there a setting on the 2003 Small Business Server that can be changed so that it does not manage the Settings associated with the Security Center but instead allows all of the computers attached to the domain to manage their own settings locally?
 
JDAdams Commented:
Sorry - should have linked to the associated article  - http://support.microsoft.com/default.aspx?kbid=872769&product=windowsxpsp2. Halfway down that page are the steps to resolve the issue. Basically:

1) Install the aforementioned fix on the Server 2003 machine
2) Reboot or run the command "gpupdate /force" on the SP2 machine
3) Install the package from http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF&displaylang=en on the Server 2003 machine
4) Install the Server 2003 Remote Admin Tools from http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en on the SP2 machine

All that will still only let you change the Group Policy settings for the domain from the SP2 machine (guess you could just do this from the server - if so you can omit step 4 above), but you *should* then be able to remove settings relating to the XP firewall settings to allow these to be configured locally.
 
Mike93110 (Author) Commented:
I've gone ahead and done steps 1 through 3.  On the XP computer, within the Security Center control panel it still says that it is controlled by a group policy on the Domain Server but there is a Firewall control panel on the XP SP2 machine that I can adjust.  Does this mean that the settings are being controlled by the local XP SP2 machine - that is my preference?

Looking at the Domain server under:

    Advanced Management
         Group Policy Management
              Forest
                  Domain
                     Small Business Server Windows Firewall

The option Windows Components / Security Center is enabled.  Does that mean that the user is able to change their own settings for the Security Center?  Also right clicking on this option and selecting Edit from the pop up menu brings up a screen which I assume would allow me to disable this option.  Where within the options on the screen that is displayed would I go to disable this feature if I wanted to?   Does Microsoft have an article that explains how to manage the Security Center settings via a Group Policy?  Again as long as enabling the option mentioned at the start of this paragraph results in the individual XP SP2 workstations being able to manage their own firewall settings I'm satisfied but I'd like to better understand how to control these options from the Domain Server perspective.
 
JDAdams Commented:
If that option is enabled the Security Center services (Windows Firewall, Auto Updates, Virus Scanner Check) should be active on the remote machines, but I'm not sure if this will just result in everything being forced "on" as opposed to forced "off" as it was before - you might have to set it to "not configured" (if you have the option) to allow the settings to be configured on the remote machines. There's a little info on http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngsecps.mspx but nothing that specific I'm afraid. IIRC, there should be some other options in the firewall section -  "Allow Exceptions" etc. , which you may want to look at if it turns out that it won't let you configure it on the remote machines - at least that way you can set up the exceptions etc. you need.
 
Mike93110 (Author) Commented:
Thanks for your suggestions and insights.  They've been hugely helpful.
 
JDAdams Commented:
Thanks - glad to be of help
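
Added example (not part of the original thread, and not from any of the posters): a batch script for the XP SP2 machine that answers the question raised above of whether the firewall and Security Center settings come from Group Policy or from local configuration. It assumes the standard registry locations where the Windows Firewall and Security Center policies are stored and where the local firewall profile is kept; run it after `gpupdate /force`.

```batch
@echo off
rem Added example: report whether Windows Firewall / Security Center settings
rem on this machine are enforced by Group Policy or taken from local config.
rem Assumption: standard policy and local registry locations for XP SP2.
setlocal

set "POL=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"
set "LOC=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
set "SC=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Security Center"

rem DomainProfile applies while the domain is reachable,
rem StandardProfile applies when the machine is off the domain network.
for %%P in (DomainProfile StandardProfile) do call :check %%P

echo.
echo === Security Center on domain-joined PC ===
reg query "%SC%" /v SecurityCenterInDomain >nul 2>&1
if errorlevel 1 (
  echo   Policy not configured
) else (
  reg query "%SC%" /v SecurityCenterInDomain | find "SecurityCenterInDomain"
)

echo.
echo === Effective firewall state ===
rem Shows the active profile and operational mode as the firewall sees them.
netsh firewall show state
goto :eof

:check
echo === %1 ===
reg query "%POL%\%1" /v EnableFirewall >nul 2>&1
if errorlevel 1 (
  echo   EnableFirewall: not set by policy, local value applies
  reg query "%LOC%\%1" /v EnableFirewall | find "EnableFirewall"
) else (
  echo   EnableFirewall: set by Group Policy, overrides the local value
  reg query "%POL%\%1" /v EnableFirewall | find "EnableFirewall"
)
goto :eof
```

A profile reported as "not set by policy" is the state the thread is aiming for: the GPO setting is "Not configured" and the local Firewall control panel decides.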