• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 295
  • Last Modified:

How can I allow a domain admin account disable windows firewall?

Hi, I have a GP set to enable Windows Firewall for all staff comptuers.  Unfortunately, whenever we (IT Dept.) need to disable the firewall to perform AntiVirus installs and such we have to move the computers out of that OU (which has that GP attached) to disable the firewall temporarily.  I was wondering if there is a way to allow a domain admin account to disable the windows firewall without moving the computer out of the OU?  I would think there would be a way.  What I mean, is when a domain admin account is used to log into a staff computer, it would disable the windows firewall regardless of the GP or at least not be grayed out so, we could disable it temorarily ourselves.

Thanks for any assistance provided.

4 Solutions
Adam LeinssCommented:
Try this: http://www.sadikhov.com/forum/lofiversion/index.php?t148327.html
Basically, put:
Windows Registry Editor Version 5.00

Into a a file, say disable_firewall.reg and then have the tech run it.  It should temp. disable the firewall.
I dont think u can exclude a 'user' from a domain wide computer policy
No but you could allow local port exceptions and an admin then disable the firewall temporarily if need be..
The alternative could be to create a .bat file that runs psexec to remote machine with following action

'netsh firewall set opmode disable'

psexec.exe - part of Sysinternals suite (free download from Microsoft) - this command allows you to run commands on remote machines.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now