mcj
Need to ping 2003 SBS member workstation
For reasons that aren't important, I need to be able to ping workstations that have been joined to a 2003 SBS Standard server with SP2 (Note, this is not an R2 installation.)
It seems that any workstation joined to the server becomes "unpingable" after it is a member, even though it was perfectly responsive to pings as a standalone workstation just before it was joined.
I suspect a group policy is forced onto the workstation that modifies the workstation's firewall settings to disregard pings. I need to re-enable pinging, and (for reasons that are too long to get into) there is simply no acceptable substitute for pinging in this situation. It has to be a ping from a command prompt to the IP of a joined workstation.
What adjustment to the group policy (or whatever) needs to be made on the server to restore a member workstation's ability to respond to pings?
ASKER
This seems to be "on the right track" here, but a few details elude me. The reference you provided for Group Policy Manager seems to suggest that this modification needs to be made locally on each workstation. There are two issues with that.
First, the policy for the local machine was to allow ping before being joined to the domain. So the change in policy seems to have occurred when the system was joined and a new policy was "forced down" onto the workstation. I need to make the correction on the server so that it won't keep "breaking" every workstation when it is joined, then forcing me to go manually correct it. (i.e., the problem was caused "from the server" so it should be fixable "from the server" as well.)
Second, the number of workstations involved makes it impractical to "touch" each one of them even if the "local fix" that seems to be described in the link does work. (Again, I end up needing a server-side fix...)
No, the whole point of group policy is that you configure it centrally and it gets deployed locally automatically. That's why it's called Group Policy, not Local Policy.
You don't actually modify the "Local Policy" of a machine, but you DO modify the COMPUTER policy which would supersede any local policy anyhow.
If you want to be able to ping, then just enable that by modifying the Default Small Business Server Windows Firewall GPO which is the policy that controls Windows XP Firewalls. It should already be what's applied to each workstation assuming you joined them to the domain properly (the SBS way of http://<servername>/connectcomputer).
Jeff
TechSoEasy
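An added example, not part of the original thread: once "Windows Firewall: Allow ICMP exceptions" has been enabled in the Domain Profile of that GPO with only "Allow inbound echo request" ticked, these commands on a joined XP SP2 workstation confirm that the policy arrived and show which ICMP types are actually open. The registry path is the one the Windows Firewall administrative template is assumed to write; confirm it on your build.

```batch
@echo off
rem Added example: run on a domain-joined Windows XP SP2 workstation
rem after the firewall GPO has been edited on the SBS 2003 server.

rem 1. Pull the current computer policy from the domain controller.
gpupdate /target:computer /force

rem 2. Check that the policy value reached this machine.
rem    A value of 0x1 means inbound echo request is allowed by policy.
rem    (Registry path assumed from the Windows Firewall .adm template.)
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings" /v AllowInboundEchoRequest
if errorlevel 1 (
    echo Policy value not found: the GPO is not applying to this computer.
    echo Check that the computer account is in the OU the GPO is linked to.
)

rem 3. Show which firewall profile is active (Domain or Standard).
netsh firewall show state

rem 4. List the effective ICMP settings. Only type 8 (echo request)
rem    should be enabled if the GPO was edited as described above.
netsh firewall show icmpsetting
```

Afterwards, ping the workstation's IP from another machine on the domain network. Editing only the Domain Profile leaves the Standard Profile settings as they were.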
TechSoEasy filled in the blanks well.
The Group Policy would be centralized and affect workstations in an OU, Site, or Domain to which the GP was applied. Edit it from the DC.
ASKER
OK, I think I'm just about there on this. Where would those modifications be done on the server? I've only needed to make a handful of policy changes in the past, and I've done them from the Group Policy Object Editor mmc, but I can't seem to find any workstation firewall policy values in there.
This will also be helpful.
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/fwgrppol.mspx
ASKER
That's got it! Thanks guys!
Here is a good explanation of why:
http://www.corecom.com/external/livesecurity/xpfirewall.htm Look under Myths and Missed Configurations about halfway through the article.
To edit this use Group Policy Manager.
http://technet.microsoft.com/en-us/library/bb490626.aspx
Go to step two and read through it. It should be fairly easy for you to edit the policy and step the firewall back a few security notches.
Hope this helps!