Solved

Group Policy

Posted on 2008-10-21
Last Modified: 2011-10-19
Hello There,

I need to set up Group Policy to enable my laptop users to have Windows Firewall enabled when they are NOT on the domain (only). I understand that I could probably do this from local computer policy, but as I understand it this takes precedence over the policy set in AD, and we need Windows Firewall disabled when users are on the domain. Can this be done?

Thanks

Question by:JAKJO
12 Comments
 
LVL 13

Expert Comment

by:Brum07
ID: 22765254
I would put the users in a group and create a policy that had a VBScript logon to turn the firewall off;

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = FALSE

Then a log off VBScript to enable the firewall;

Set firewall = CreateObject("HNetCfg.FwMgr")
Set firewallPolicy = firewall.LocalPolicy.CurrentProfile
firewallPolicy.FirewallEnabled = TRUE

Regards
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22765294
Hi,

You are correct, GPOs are processed in order: Global, Domain, Local, which means that the local policy is always the last to apply.

You could however do this using logon and logoff scripts on your domain.

Disable the firewall:

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

objPolicy.FirewallEnabled = FALSE

Enable the Firewall:

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

objPolicy.FirewallEnabled = TRUE

Save them as VBS and set the disable as startup and enable as shutdown...

/Fox
0
 
LVL 1

Author Comment

by:JAKJO
ID: 22765482
Probably a really stupid question Fox but how do I save as vbs??
0

 
LVL 13

Expert Comment

by:Brum07
ID: 22765530
Open a text file, enter the code and save it as startup.vbs, making sure the file type is All Files.

Regards
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22765918
You may need to unhide file extensions in Explorer...

Right-click Start > Explore >

Tools > Folder Options > View - remove the tick in "Hide extensions for known file types"

Then as Brum says, open notepad and save the files as .vbs

/Fox
0
 
LVL 1

Author Comment

by:JAKJO
ID: 22765919
Thanks, but the scripts do not appear to be working: when I log onto the domain the firewall is enabled. Also when I do, which is good. I need to disable it when users log on to the domain and enable it when they don't.

Thanks in advance
0
 
LVL 7

Accepted Solution

by:
knightfox earned 1000 total points
ID: 22765988
ok...

I think I know where you went wrong.. create a script called "enable firewall.vbs"

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

objPolicy.FirewallEnabled = TRUE

Create another script called "disable Firewall.vbs"

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

objPolicy.FirewallEnabled = FALSE

Place both scripts in %windows%\SYSVOL\DOMAIN\Scripts folder....

Open the group policy that you are using to apply logon scripts to network users...

Under Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)

Select Startup > Add and browse to the following: \\domainname.xxx\sysvol\scripts\disable firewall.vbs

Click OK

Select Shutdown > Add and browse to the following: \\domainname.xxx\sysvol\scripts\enable firewall.vbs

Now ensure that the GPO is applied to Authenticated Users.

Now reboot the station and you should see the startup scripts process... Log on and the firewall should be disabled; this is provided that you haven't changed it on a group policy lower down.

When you shut down the station the firewall will disable.

I have just tested this in my lab and it works :0)

/Fox

0
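An added example, not code from any poster in this thread: a single startup script that sets the domain and standard profiles separately instead of toggling `CurrentProfile`, so the firewall stays on whenever the laptop is away from the domain. `GetProfileByType` and the two profile constants belong to the same `HNetCfg.FwMgr` object used above; the `SetProfile` helper and the event-log wording are names chosen for this example.

```vbscript
' Added example (not from the thread): configure each Windows Firewall
' profile explicitly instead of whichever profile is current at run time.
Option Explicit

Const NET_FW_PROFILE_DOMAIN = 0    ' in effect when the domain is reachable
Const NET_FW_PROFILE_STANDARD = 1  ' in effect on any other network
Const EVENT_ERROR = 1
Const EVENT_INFORMATION = 4

Dim objShell, objFirewall, objPolicy, failures
Set objShell = CreateObject("WScript.Shell")
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy
failures = 0

' Firewall off only for the domain profile, on for everything else.
SetProfile NET_FW_PROFILE_DOMAIN, "domain", False
SetProfile NET_FW_PROFILE_STANDARD, "standard", True

' A non-zero exit code tells the caller that a profile was not set.
WScript.Quit failures

' SetProfile is a helper name chosen for this example.
Sub SetProfile(profileType, label, wanted)
    Dim objProfile, msg
    On Error Resume Next
    Set objProfile = objPolicy.GetProfileByType(profileType)
    If Err.Number = 0 Then objProfile.FirewallEnabled = wanted
    If Err.Number <> 0 Then
        ' Record the failure in the Application event log instead of a popup.
        msg = "Firewall " & label & " profile: error 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        failures = failures + 1
        objShell.LogEvent EVENT_ERROR, msg
        Exit Sub
    End If
    On Error GoTo 0
    ' Read the value back so a setting that did not stick is recorded.
    If objProfile.FirewallEnabled = wanted Then
        objShell.LogEvent EVENT_INFORMATION, "Firewall " & label & " profile enabled = " & wanted
    Else
        failures = failures + 1
        objShell.LogEvent EVENT_ERROR, "Firewall " & label & " profile did not accept enabled = " & wanted
    End If
End Sub
```

Assigned as a computer startup script, it needs no matching shutdown script, because the standard profile is left enabled regardless of when the script last ran.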
 
LVL 1

Author Comment

by:JAKJO
ID: 22766527
Hi Fox,

It still doesn't seem to work and the firewall is enabled. In case I have missed something, here is what I have done (btw, do any script parameters need to be set?)
Created a test OU and put the test laptop into the OU. Created a new policy and called it laptop firewall test.
Copied and pasted the scripts you gave me and attached them respectively to the startup and shutdown. Rebooted the laptop and Windows Firewall is enabled both on logging on to the domain and also locally.

Thanks
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22766798
Are you setting this with a GPO anywhere else? Can you run them manually on the station?

\\domain\sysvol\scripts\disable firewall.vbs

Is the firewall disabled?
0
 
LVL 1

Author Comment

by:JAKJO
ID: 22767018
Hi

This is the error I get when I try to run them manually.
Script.jpg
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22767119
I think I see...

Are you running client firewall software? Please disable this and try again.

/Fox
0
 
LVL 1

Author Comment

by:JAKJO
ID: 22767823
There is no client firewall software, apart from Windows firewall.
Do you mean my anti virus client?
0


Question has a verified solution.
