How can I allow a domain admin account disable windows firewall?

Hi, I have a GP set to enable Windows Firewall for all staff comptuers.  Unfortunately, whenever we (IT Dept.) need to disable the firewall to perform AntiVirus installs and such we have to move the computers out of that OU (which has that GP attached) to disable the firewall temporarily.  I was wondering if there is a way to allow a domain admin account to disable the windows firewall without moving the computer out of the OU?  I would think there would be a way.  What I mean, is when a domain admin account is used to log into a staff computer, it would disable the windows firewall regardless of the GP or at least not be grayed out so, we could disable it temorarily ourselves.

Thanks for any assistance provided.

rsnellmanIT ManagerAsked:
Who is Participating?
Adam LeinssServer SpecialistCommented:
Try this:
Basically, put:
Windows Registry Editor Version 5.00

Into a a file, say disable_firewall.reg and then have the tech run it.  It should temp. disable the firewall.
I dont think u can exclude a 'user' from a domain wide computer policy
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
No but you could allow local port exceptions and an admin then disable the firewall temporarily if need be..
The alternative could be to create a .bat file that runs psexec to remote machine with following action

'netsh firewall set opmode disable'

psexec.exe - part of Sysinternals suite (free download from Microsoft) - this command allows you to run commands on remote machines.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.