Solved

Can't acces Vista computer in domain

Posted on 2008-10-09
6
670 Views
Last Modified: 2010-08-05
I can't access a vista computer in the domain.  I have a firewall gpo setup.  See code Snippet for details.  With the firewall turned off on the vista machine everything works fine.  What am I missing here?
Computer Configuration (Enabled)hide

Administrative Templateshide

Network/Network Connections/Windows Firewall/Domain Profilehide

Policy Setting 

Windows Firewall: Allow file and printer sharing exception Enabled 

Allow unsolicited incoming messages from: localsubnet 

Syntax: 

Type "*" to allow messages from any network, or 

else type a comma-separated list that contains 

any number or combination of these: 

IP addresses, such as 10.0.0.1 

Subnet descriptions, such as 10.2.3.0/24 

The string "localsubnet" 

Example: to allow messages from 10.0.0.1, 

10.0.0.2, and from any system on the 

local subnet or on the 10.3.4.x subnet, 

type the following: 

10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24 

 

Policy Setting 

Windows Firewall: Allow ICMP exceptions Enabled 

Allow outbound destination unreachable Enabled 

Allow outbound source quench Enabled 

Allow redirect Enabled 

Allow inbound echo request Enabled 

Allow inbound router request Enabled 

Allow outbound time exceeded Enabled 

Allow outbound parameter problem Enabled 

Allow inbound timestamp request Enabled 

Allow inbound mask request Enabled 

Allow outbound packet too big Enabled 

 

Policy Setting 

Windows Firewall: Allow local port exceptions Enabled 

Windows Firewall: Allow local program exceptions Enabled 

Windows Firewall: Allow logging Enabled 

Log dropped packets Enabled 

Log successful connections Disabled 

Log file path and name: C:\Windows\System32\LogFiles\Firewall\firewall.log 

Size limit (KB): 4096 

 

Policy Setting 

Windows Firewall: Allow remote administration exception Enabled 

Allow unsolicited incoming messages from: localsubnet 

Syntax: 

Type "*" to allow messages from any network, or 

else type a comma-separated list that contains 

any number or combination of these: 

IP addresses, such as 10.0.0.1 

Subnet descriptions, such as 10.2.3.0/24 

The string "localsubnet" 

Example: to allow messages from 10.0.0.1, 

10.0.0.2, and from any system on the 

local subnet or on the 10.3.4.x subnet, 

type the following: 

10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24 

 

Policy Setting 

Windows Firewall: Allow Remote Desktop exception Enabled 

Allow unsolicited incoming messages from: localsubnet 

Syntax: 

Type "*" to allow messages from any network, or 

else type a comma-separated list that contains 

any number or combination of these: 

IP addresses, such as 10.0.0.1 

Subnet descriptions, such as 10.2.3.0/24 

The string "localsubnet" 

Example: to allow messages from 10.0.0.1, 

10.0.0.2, and from any system on the 

local subnet or on the 10.3.4.x subnet, 

type the following: 

10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24 

 

Policy Setting 

Windows Firewall: Allow UPnP framework exception Enabled 

Allow unsolicited incoming messages from: localsubnet 

Syntax: 

Type "*" to allow messages from any network, or 

else type a comma-separated list that contains 

any number or combination of these: 

IP addresses, such as 10.0.0.1 

Subnet descriptions, such as 10.2.3.0/24 

The string "localsubnet" 

Example: to allow messages from 10.0.0.1, 

10.0.0.2, and from any system on the 

local subnet or on the 10.3.4.x subnet, 

type the following: 

10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24 

 

Policy Setting 

Windows Firewall: Do not allow exceptions Disabled 

Windows Firewall: Prohibit notifications Enabled 

Windows Firewall: Prohibit unicast response to multicast or broadcast requests Enabled 

Windows Firewall: Protect all network connections Enabled 
 

Network/Network Connections/Windows Firewall/Standard Profilehide

Policy Setting 

Windows Firewall: Allow file and printer sharing exception Disabled 

Windows Firewall: Allow ICMP exceptions Disabled 

Windows Firewall: Allow local port exceptions Disabled 

Windows Firewall: Allow local program exceptions Disabled 

Windows Firewall: Allow logging Enabled 

Log dropped packets Enabled 

Log successful connections Disabled 

Log file path and name: C:\Windows\System32\LogFiles\Firewall\firewall.log 

Size limit (KB): 4096 

 

Policy Setting 

Windows Firewall: Allow remote administration exception Disabled 

Windows Firewall: Allow Remote Desktop exception Disabled 

Windows Firewall: Allow UPnP framework exception Disabled 

Windows Firewall: Do not allow exceptions Enabled 

Windows Firewall: Prohibit notifications Disabled 

Windows Firewall: Protect all network connections Enabled 
 

Extra Registry Settingshide

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
 

Setting State 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\Enabled 1 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%programfiles%\Common Files\Symantec Shared\ccApp.exe:localsubnet:enabled %programfiles%\Common Files\Symantec Shared\ccApp.exe:localsubnet:enabled 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%programfiles%\Symantec\Symantec Endpoint Protection\Smc.exe:localsubnet:enabled %programfiles%\Symantec\Symantec Endpoint Protection\Smc.exe:localsubnet:enabled 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%programfiles%\Symantec\Symantec Endpoint Protection\SNAC.exe:localsubnet:enabled %programfiles%\Symantec\Symantec Endpoint Protection\SNAC.exe:localsubnet:enabled 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\dmadmin.exe:localsubnet:enabled:Logical Disk Manager %systemroot%\system32\dmadmin.exe:localsubnet:enabled:Logical Disk Manager 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\dmremote.exe:localsubnet:enabled:Logical Disk Manager %systemroot%\system32\dmremote.exe:localsubnet:enabled:Logical Disk Manager 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\ftp.exe %systemroot%\system32\ftp.exe 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\INETSRV\inetinfo.exe:localsubnet:enabled %systemroot%\system32\INETSRV\inetinfo.exe:localsubnet:enabled 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\mmc.exe:localsubnet:enabled %systemroot%\system32\mmc.exe:localsubnet:enabled 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%systemroot%\system32\WBEM\unsecapp.exe:localsubnet:enabled %systemroot%\system32\WBEM\unsecapp.exe:localsubnet:enabled 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\Enabled 1 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\20:TCP:localsubnet:enabled:FTP 20:TCP:localsubnet:enabled:FTP 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\21:TCP:localsubnet:enabled:FTP 21:TCP:localsubnet:enabled:FTP 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\2967:TCP:localsubnet:enabled:Winsock(SAV) 2967:TCP:localsubnet:enabled:Winsock(SAV) 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\3702:TCP:localsubnet:enabled:Vista Network Discovery 3702:TCP:localsubnet:enabled:Vista Network Discovery 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\38293:TCP:localsubnet:enabled:Intel PDS Service 38293:TCP:localsubnet:enabled:Intel PDS Service 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\443:TCP:localsubnet:enabled:HTTPS 443:TCP:localsubnet:enabled:HTTPS 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\5357:TCP:localsubnet:enabled:Vista Network Discovery 5357:TCP:localsubnet:enabled:Vista Network Discovery 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\5358:TCP:localsubnet:enabled:Vista Network Discovery 5358:TCP:localsubnet:enabled:Vista Network Discovery 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\5900:TCP:localsubnet:enabled:GenControl 5900:TCP:localsubnet:enabled:GenControl 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\80:TCP:localsubnet:enabled:HTTP 80:TCP:localsubnet:enabled:HTTP 

SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\8530:TCP:localsubnet:enabled:WSUS 8530:TCP:localsubnet:enabled:WSUS 

SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\Enabled 0 

SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\Enabled 0

Open in new window

0
Comment
Question by:tbeck1983
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22683059
When you say you cannot access it do you mean cannot browse to its shares, can't RDP to it, or can't remotely manage it?
0
 

Author Comment

by:tbeck1983
ID: 22683162
Can't browse shares, can't RDP or remotely manage.
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22683201
Policy Setting
Windows Firewall: Allow remote administration exception Disabled
Windows Firewall: Allow Remote Desktop exception Disabled
Windows Firewall: Allow UPnP framework exception Disabled
Windows Firewall: Do not allow exceptions Enabled
Windows Firewall: Prohibit notifications Disabled
Windows Firewall: Protect all network connections Enabled  
You seem to have those items disabled...
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:tbeck1983
ID: 22683638
The standard profile only applies when the computer is not connected to the domain.  If you'll look up top you'll see that for the domain profile has both of those enabled.  
0
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22683648
Have you use the RSoP wizard to make sure that the policy is applying in the way that you think it should be?
0
 

Accepted Solution

by:
tbeck1983 earned 0 total points
ID: 22799205
I figured it out.  You have to setup firewall policies under Widnwos Settings | Security Settings | Widnows Firewall with Advanced Security in Group Policies.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Hi All Just a quick one for everybody. I was recently looking into setting the default User Account Picture for all my vista clients within the network but on closer inspection the group policy setting only allows you to set the default pictur…
So who is this article for? If you are like most of the computer users out there, you probably only realize the meaning of 'System maintenance' after something goes wrong. This article is for you if you care about keeping your system working opti…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now