tbeck1983
Can't access Vista computer in domain
I can't access a Vista computer in the domain. I have a firewall GPO set up. See the code snippet for details. With the firewall turned off on the Vista machine everything works fine. What am I missing here?
Computer Configuration (Enabled)
Administrative Templates
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting
Windows Firewall: Allow file and printer sharing exception Enabled
Allow unsolicited incoming messages from: localsubnet
Syntax:
Type "*" to allow messages from any network, or
else type a comma-separated list that contains
any number or combination of these:
IP addresses, such as 10.0.0.1
Subnet descriptions, such as 10.2.3.0/24
The string "localsubnet"
Example: to allow messages from 10.0.0.1,
10.0.0.2, and from any system on the
local subnet or on the 10.3.4.x subnet,
type the following:
10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24
Policy Setting
Windows Firewall: Allow ICMP exceptions Enabled
Allow outbound destination unreachable Enabled
Allow outbound source quench Enabled
Allow redirect Enabled
Allow inbound echo request Enabled
Allow inbound router request Enabled
Allow outbound time exceeded Enabled
Allow outbound parameter problem Enabled
Allow inbound timestamp request Enabled
Allow inbound mask request Enabled
Allow outbound packet too big Enabled
Policy Setting
Windows Firewall: Allow local port exceptions Enabled
Windows Firewall: Allow local program exceptions Enabled
Windows Firewall: Allow logging Enabled
Log dropped packets Enabled
Log successful connections Disabled
Log file path and name: C:\Windows\System32\LogFiles\Firewall\firewall.log
Size limit (KB): 4096
Policy Setting
Windows Firewall: Allow remote administration exception Enabled
Allow unsolicited incoming messages from: localsubnet
Policy Setting
Windows Firewall: Allow Remote Desktop exception Enabled
Allow unsolicited incoming messages from: localsubnet
Policy Setting
Windows Firewall: Allow UPnP framework exception Enabled
Allow unsolicited incoming messages from: localsubnet
Policy Setting
Windows Firewall: Do not allow exceptions Disabled
Windows Firewall: Prohibit notifications Enabled
Windows Firewall: Prohibit unicast response to multicast or broadcast requests Enabled
Windows Firewall: Protect all network connections Enabled
Network/Network Connections/Windows Firewall/Standard Profile
Policy Setting
Windows Firewall: Allow file and printer sharing exception Disabled
Windows Firewall: Allow ICMP exceptions Disabled
Windows Firewall: Allow local port exceptions Disabled
Windows Firewall: Allow local program exceptions Disabled
Windows Firewall: Allow logging Enabled
Log dropped packets Enabled
Log successful connections Disabled
Log file path and name: C:\Windows\System32\LogFiles\Firewall\firewall.log
Size limit (KB): 4096
Policy Setting
Windows Firewall: Allow remote administration exception Disabled
Windows Firewall: Allow Remote Desktop exception Disabled
Windows Firewall: Allow UPnP framework exception Disabled
Windows Firewall: Do not allow exceptions Enabled
Windows Firewall: Prohibit notifications Disabled
Windows Firewall: Protect all network connections Enabled
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting State
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\Enabled 1
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%programfiles%\Common Files\Symantec Shared\ccApp.exe:localsubnet:enabled %programfiles%\Common Files\Symantec Shared\ccApp.exe:localsubnet:enabled
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%programfiles%\Symantec\Symantec Endpoint Protection\Smc.exe:localsubnet:enabled %programfiles%\Symantec\Symantec Endpoint Protection\Smc.exe:localsubnet:enabled
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%programfiles%\Symantec\Symantec Endpoint Protection\SNAC.exe:localsubnet:enabled %programfiles%\Symantec\Symantec Endpoint Protection\SNAC.exe:localsubnet:enabled
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\dmadmin.exe:localsubnet:enabled:Logical Disk Manager %systemroot%\system32\dmadmin.exe:localsubnet:enabled:Logical Disk Manager
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\dmremote.exe:localsubnet:enabled:Logical Disk Manager %systemroot%\system32\dmremote.exe:localsubnet:enabled:Logical Disk Manager
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\ftp.exe %systemroot%\system32\ftp.exe
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\INETSRV\inetinfo.exe:localsubnet:enabled %systemroot%\system32\INETSRV\inetinfo.exe:localsubnet:enabled
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\mmc.exe:localsubnet:enabled %systemroot%\system32\mmc.exe:localsubnet:enabled
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\WBEM\unsecapp.exe:localsubnet:enabled %systemroot%\system32\WBEM\unsecapp.exe:localsubnet:enabled
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\Enabled 1
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\20:TCP:localsubnet:enabled:FTP 20:TCP:localsubnet:enabled:FTP
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\21:TCP:localsubnet:enabled:FTP 21:TCP:localsubnet:enabled:FTP
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\2967:TCP:localsubnet:enabled:Winsock(SAV) 2967:TCP:localsubnet:enabled:Winsock(SAV)
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\3702:TCP:localsubnet:enabled:Vista Network Discovery 3702:TCP:localsubnet:enabled:Vista Network Discovery
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\38293:TCP:localsubnet:enabled:Intel PDS Service 38293:TCP:localsubnet:enabled:Intel PDS Service
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\443:TCP:localsubnet:enabled:HTTPS 443:TCP:localsubnet:enabled:HTTPS
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\5357:TCP:localsubnet:enabled:Vista Network Discovery 5357:TCP:localsubnet:enabled:Vista Network Discovery
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\5358:TCP:localsubnet:enabled:Vista Network Discovery 5358:TCP:localsubnet:enabled:Vista Network Discovery
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\5900:TCP:localsubnet:enabled:GenControl 5900:TCP:localsubnet:enabled:GenControl
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\80:TCP:localsubnet:enabled:HTTP 80:TCP:localsubnet:enabled:HTTP
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\8530:TCP:localsubnet:enabled:WSUS 8530:TCP:localsubnet:enabled:WSUS
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\Enabled 0
SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\Enabled 0
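A quick way to sanity-check list values like the ones in the report above, added here as an example and not part of the original post: it assumes the `path:scope:status[:name]` and `port:protocol:scope:status[:name]` layouts visible in those entries, and flags values that lack scope/status fields or that use the `*` (any network) scope. The function names and the `5900:TCP:*` sample value are hypothetical.

```python
import re

# Constructed sample: four values copied from the "Extra Registry Settings" above,
# plus one hypothetical wide-open entry to exercise the scope check.
SAMPLE = {
    "AuthorizedApplications": [
        r"%systemroot%\system32\mmc.exe:localsubnet:enabled",
        r"%systemroot%\system32\dmadmin.exe:localsubnet:enabled:Logical Disk Manager",
        r"%systemroot%\system32\ftp.exe",
    ],
    "GloballyOpenPorts": [
        "8530:TCP:localsubnet:enabled:WSUS",
        "5900:TCP:*:enabled:Hypothetical",  # not on the page
    ],
}

# Optional ":scope:status[:name]" tail shared by both entry kinds.
TAIL = r"(?::(?P<scope>[^:]*):(?P<status>[^:]*)(?::(?P<name>.*))?)?$"
# Lazy path match up to ".exe" so drive-letter colons (C:\...) stay in the path.
APP = re.compile(r"^(?P<target>.+?\.exe)" + TAIL, re.I)
PORT = re.compile(r"^(?P<target>\d{1,5}:(?:TCP|UDP))" + TAIL, re.I)

def audit_entry(kind, value):
    """Return a list of findings for one policy list value (empty list = clean)."""
    m = (APP if kind == "AuthorizedApplications" else PORT).match(value)
    if not m:
        return ["unparseable entry"]
    findings = []
    if m["scope"] is None:
        findings.append("no scope/status fields")
    else:
        if m["status"].lower() not in ("enabled", "disabled"):
            findings.append("status is not enabled/disabled")
        if m["scope"].strip() == "*":
            findings.append("scope '*' allows any network")
        elif not m["scope"].strip():
            findings.append("empty scope")
    return findings

def audit(policy):
    """Map each entry that has findings to its list of findings."""
    report = {}
    for kind, values in policy.items():
        for value in values:
            findings = audit_entry(kind, value)
            if findings:
                report[value] = findings
    return report

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE).items():
        print(entry, "->", "; ".join(findings))
```

Run against the sample, it reports the `ftp.exe` value, which in the report carries no scope or status fields, and the hypothetical `*`-scoped port.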
When you say you cannot access it do you mean cannot browse to its shares, can't RDP to it, or can't remotely manage it?
ASKER
Can't browse shares, can't RDP or remotely manage.
You seem to have those items disabled...
Policy Setting
Windows Firewall: Allow remote administration exception Disabled
Windows Firewall: Allow Remote Desktop exception Disabled
Windows Firewall: Allow UPnP framework exception Disabled
Windows Firewall: Do not allow exceptions Enabled
Windows Firewall: Prohibit notifications Disabled
Windows Firewall: Protect all network connections Enabled
ASKER
The standard profile only applies when the computer is not connected to the domain. If you'll look up top you'll see that the domain profile has both of those enabled.
Have you used the RSoP wizard to make sure that the policy is applying in the way that you think it should be?