Solved

XP SP2 Security Center - How to define security settings locally when connected to a domain

Posted on 2004-08-26
Last Modified: 2008-02-01
I have just installed XP SP2 on the computers within our small domain.  When all of the computers are logged in the users logon via the "this computer" versus the domain when presented with the Windows Logon screen.  After installing XP on each of the computers via the Windows Update option, all except one allow me to go to the new control panel "Security Center" and view and set my security options including my firewall settings.  On the one computer I receive the message:  

"Security Essentials

The security settings on this computer are managed by a network administrator because it is part of a domain (a group of computers on a network).  To help protect your computer, the administrator of this computer should do the following..."

I would like this computer to behave the way the others do.  I have checked all of the settings I can think of but with no luck.  This computer is logged on with a local ID that has administrator rights.  On the Windows 2003 Server the computer is defined in the Active Directory and appears to have all of the same settings as the other computers.

I suspect there is some minor setting on the problem child computer or registry entry that needs to be changed.  Any ideas where I might look?

Thanks,

Mike
0
Question by:Mike93110
10 Comments
 
LVL 1

Expert Comment

by:JDAdams
ID: 11908925
XP SP2 machines have the firewall settings disabled by default if connected to a 2003 server. This must be corrected on the 2003 machine, using the fix at http://www.microsoft.com/downloads/details.aspx?FamilyId=D70097C2-4317-40E0-B7DA-FEB52C6B6386&displaylang=en. Not sure why only one is doing it though...
0
 
LVL 51

Expert Comment

by:Netman66
ID: 11909829
XP2 installs completely different on machines that are part of a Domain versus simply in a Workgroup.  I suspect the one PC displaying that info box is joined to the domain - the others may not be (or may not be properly joined).

Why are these users logging in to a local account when you have the Domain right there??

0
 
LVL 51

Expert Comment

by:Netman66
ID: 11909832
Sorry..typo... should have been SP2.
0
 

Author Comment

by:Mike93110
ID: 11913533
JDAdams - thanks for the KB article.  I may need to use that if I don't figure out how to adjust things to give the local users control.  Of course in that case I would also need to know how you change the settings at the 2003 machine to change the firewall settings for each individual machine.  Is there a convenient and easy to understand article on how to do that?

Netman66 or anyone - We only have 10 computers in this domain and looking at the System Control panel Computer Name tag they all appear to be part of the same domain.  On the server the computer names all show up in the Active Directory.  Is there any magic to how they may have been added that would cause all but the one to not be properly joined?  For the one computer that does seem to be part of the domain, when I take it out, I can manage the Security Center settings fine and when I re-add it to the domain the settings again go back to being controlled by the server.

Also, I assume that regardless of whether they log on to the local computer or to the domain, as long as they are part of the domain, the 2003 server would in most cases control the settings.  Is that correct?  I have a few of the other computers that would like to have the firewalls enabled but each is also running multiple web servers on different IP addresses on the same computer.  Hence I need to ensure that I can easily open up their http and https ports individually.  That concern is the primary issue I have.  Also little things like one computer has iTunes and iTunes needed special access to work properly.  Controlling the Security Center on the local computer made it very easy to make that one change.

Regarding why not have the users log onto the Domain instead of their local computer, though I'm a programmer by profession, my expertise is not managing the 2003 server.  It seems as though issues like this take too long to figure out how to manage from the 2003 versus just managing on the local machines.  Perhaps I just need to start going after things.  The other concern would be that making the change would result in the users losing all of their personal settings and I'm not sure how to easily transfer them from the local account to the domain login easily.
0
 

Author Comment

by:Mike93110
ID: 11913948
There might be an easier answer, if it is a possibility.  Rather than try to figure out what the difference between my computers might be - though I would like to do that at some point.  Is there a setting on the 2003 Small Business Server that can be changed so that it does not manage the Settings associated with the Security Center but instead allows all of the computers attached to the domain to manage their own settings locally?
0
 
LVL 1

Accepted Solution

by:
JDAdams earned 500 total points
ID: 11917529
Sorry - should have linked to the associated article  - http://support.microsoft.com/default.aspx?kbid=872769&product=windowsxpsp2. Halfway down that page are the steps to resolve the issue. Basically:

1) Install the aforementioned fix on the Server 2003 machine
2) Reboot or run the command "gpupdate /force" on the SP2 machine
3) Install the package from http://www.microsoft.com/downloads/details.aspx?amp;amp;displaylang=en&familyid=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF&displaylang=en on the Server 2003 machine
4) Install the Server 2003 Remote Admin Tools from http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en on the SP2 machine

All that will still only let you change the Group Policy settings for the domain from the SP2 machine (guess you could just do this from the server - if so you can omit step 4 above), but you *should* then be able to remove settings relating to the XP firewall settings to allow these to be configured locally.
0
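A read-only check for the XP SP2 machine after the `gpupdate /force` in step 2, showing which firewall and Security Center values Group Policy has written and which are left to local control. This is an added example, not part of any poster's reply; it assumes Windows PowerShell is installed on the workstation and reads the registry locations where Windows Firewall stores its policy and local settings.

```powershell
# Added example (read-only): report which Windows Firewall and Security Center
# values have been written by Group Policy on this machine.
# Assumption: Windows PowerShell is installed on the XP SP2 workstation.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$values     = 'EnableFirewall', 'DoNotAllowExceptions', 'DisableNotifications'

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

# DomainProfile applies while the machine is on the domain network,
# StandardProfile applies everywhere else.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    foreach ($name in $values) {
        $policy = Get-RegValue "$policyRoot\$fwProfile" $name
        $local  = Get-RegValue "$localRoot\$fwProfile"  $name
        if ($policy -ne $null) {
            $state = "set by Group Policy to $policy (local value ignored)"
        } elseif ($local -ne $null) {
            $state = "not set by policy; local value $local applies"
        } else {
            $state = 'not set by policy; no local value stored'
        }
        "{0,-16} {1,-22} {2}" -f $fwProfile, $name, $state
    }
}

# "Turn on Security Center (Domain PCs only)" is stored as SecurityCenterInDomain.
$scPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
$sc = Get-RegValue $scPath 'SecurityCenterInDomain'
if ($sc -eq $null) {
    'Security Center policy: Not Configured'
} else {
    "Security Center policy: SecurityCenterInDomain = $sc"
}
```

Any line reporting "set by Group Policy" corresponds to a setting that appears greyed out in the local Windows Firewall control panel until the policy is returned to Not Configured on the server.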
 

Author Comment

by:Mike93110
ID: 11935427
I've gone ahead and done steps 1 through 3.  On the XP computer, within the Security Center control panel it still says that it is controlled by a group policy on the Domain Server but there is a Firewall control panel on the XP SP2 machine that I can adjust.  Does this mean that the settings are being controlled by the local XP SP2 machine - that is my preference?  

Looking at the Domain server under:

    Advanced Management
         Group Policy Management
              Forest
                  Domain
                     Small Business Server Windows Firewall

The option Windows Components / Security Center is enabled.  Does that mean that the user is able to change their own settings for the Security Center?  Also right clicking on this option and selecting Edit from the pop up menu brings up a screen which I assume would allow me to disable this option.  Where within the options on the screen that is displayed would I go to disable this feature if I wanted to?   Does Microsoft have an article that explains how to manage the Security Center settings via a Group Policy?  Again as long as enabling the option mentioned at the start of this paragraph results in the individual XP SP2 workstations being able to manage their own firewall settings I'm satisfied but I'd like to better understand how to control these options from the Domain Server perspective.
0
 
LVL 1

Expert Comment

by:JDAdams
ID: 11936626
If that option is enabled the Security Center services (Windows Firewall, Auto Updates, Virus Scanner Check) should be active on the remote machines, but I'm not sure if this will just result in everything being forced "on" as opposed to forced "off" as it was before - you might have to set it to "not configured" (if you have the option) to allow the settings to be configured on the remote machines. There's a little info on http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngsecps.mspx but nothing that specific I'm afraid. IIRC, there should be some other options in the firewall section -  "Allow Exceptions" etc. , which you may want to look at if it turns out that it won't let you configure it on the remote machines - at least that way you can set up the exceptions etc. you need.
0
 

Author Comment

by:Mike93110
ID: 11936767
Thanks for your suggestions and insights.  They've been hugely helpful.
0
 
LVL 1

Expert Comment

by:JDAdams
ID: 11939248
Thanks - glad to be of help
0
