How can I change all domain computers firewall setting OFF

I am working on a LAN where my predecessor left all computers he installed as having the firewall setting on. Since all users do not have admin rights on their computers I am forced to manually go and change each one, forcing everyone to log off so I can log in as admin.

Isn't there a quicker and more efficient method to do this?

Server 2003 Enterprise supports our infrastructure with Vista and XP Pro machines running on the clients.
I also need to enable remote registry, CA will not install unless remote registry is enabled as well.
I am looking at the link now.
There is no GPO setup, I want to set up GPO but do not want to crash anything.

Any ideas?
Not to sound totally stupid, but this can all be done on the DC right?
I have locked down a client computer, disabled registry and enabled firewall; I will test there first.

I am downloading the GPMC on the DC and going to create a GPO template on the dc.
You can do it from either with the GPMC, as long as you are using admin rights.
You can do it on a DC, or the GPMC can be downloaded on your PC. You will just need to connect it to a DC is all.

~coolsport00
I am not seeing the firewall setting, here is what I see right now.
gpo.bmp
You're in the wrong container...it's under Comp Config -> Adm Templ -> Netwk -> Ntwk Conn.
This is because you are looking under user config. You need to look under computer config
Sorry, I was in wrong drop down, sorry about that.
I saw that right after I submitted.
Here is what I now have
I have created an OU under my main group called GPO test group.

Can I simply drag and drop a few computers to this group?
This is based on Computer names and not users, right?

gpo-firewall.bmp
Yes to both your questions; or right-click your computer(s) and select "Move", then browse to your test OU.

~coolsport00
Okay I moved the computer to the test ou group, does it need to replicate through DC first or is it live right away? I did not see an option to save it in the group policy object editor.

So can I now close this out and go log in on my test computer and see if it worked? I purposely turned on the firewall and disabled the remote registry as an admin on that computer, so now I should try to log in and see if these settings changed, correct? User permissions should not matter as I am just trying to see if the permission changed on that computer, correct?
Yes, you will need to either wait 30-60 mins or...theoretically, if you go to Start -> Run and type in gpupdate /force it will apply your GPO settings. You may be prompted to either log out or reboot.

Yes, User doesn't apply since it's computer-based.

~coolsport00
How can I make sure that this policy is only applied to the test OU and not the entire domain?
I forced the update, I hope I did not break anything.
I did not verify on how I would go about testing the new GPO only on my test ou.

Any ideas on that?
It should only apply to the computers contained in this OU.
All you need to do is go into the Control Panel -> Firewall and see if 1. the settings are grayed out and 2. it has the settings you configured in your GPO.
In GPMC, right-click on your test OU and select "Link an Existing GPO" and it will be "linked" to only that OU (and sub-OUs, if there are any). The GPO doesn't 'apply' to anywhere in your domain until you "link" it somewhere.
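As an added example that is not from any poster in this thread, the following PowerShell checks whether the GPO-delivered firewall policy and the Remote Registry service state have actually reached a test machine, instead of relying on the Control Panel being grayed out. It assumes a client with PowerShell 5 or later (not the XP-era hosts discussed here) and that the firewall is managed through Computer Configuration policy.

```powershell
# Added example: verify that the firewall and Remote Registry settings
# delivered by GPO have reached this machine. Assumes PowerShell 5+.

# GPO-managed firewall settings are written under HKLM\SOFTWARE\Policies.
# If this key is absent, no firewall policy has applied to this computer yet.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-FirewallPolicyState {
    if (-not (Test-Path $policyPath)) {
        return 'no firewall policy applied (policy key missing)'
    }
    $value = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).EnableFirewall
    switch ($value) {
        0       { 'policy sets firewall OFF for the domain profile' }
        1       { 'policy sets firewall ON for the domain profile' }
        default { 'policy key present but EnableFirewall is not set' }
    }
}

function Get-RemoteRegistryState {
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if (-not $svc) { return 'RemoteRegistry service not found' }
    # StartType shows whether the GPO's service-startup setting applied;
    # Status shows whether the service is actually running right now.
    'RemoteRegistry status={0} starttype={1}' -f $svc.Status, $svc.StartType
}

Get-FirewallPolicyState
Get-RemoteRegistryState

# The locally configured firewall setting lives in a separate key. When the
# Control Panel is grayed out, the policy key above is overriding this one.
$localPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
if (Test-Path $localPath) {
    'local EnableFirewall = {0}' -f (Get-ItemProperty -Path $localPath).EnableFirewall
}

# Lists the GPOs applied to the computer object (run from an elevated prompt).
gpresult /scope computer /r
```

If the policy key is missing while the GPO is linked, the usual causes are the ones discussed in this thread: the computer is not yet in the linked OU, or the GPO has not replicated to the DC the client authenticates against.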
I have my GPO linked to the test ou but Firewall is still enabled and the Remote Registry I disabled still shows as disabled.

Did I do something incorrect? I followed guidance.
No...give it 30 mins or so and check it again.
Since it's a computer config you may need to reboot.
I checked GPOE and I noticed my changes did not stick?
I do not see how to save this there, under my test ou GPO shows these changes are active?
I am not following how I create a GPO under GPOE and then it is applied to a specific OU; I did not save it or anything. When I reopen GPOE I see that all the changes I made are at the default settings. When I look at Group Policy Mgmt I see my TEST OU and the GPO changes I made under a default name.

Is this normal?
Run gpupdate /force /boot on test machine and check again
Also try running gpresult in a command prompt on test machine
Also...give a screenshot of what you're referring to in your GPMC; again, the change may not "take" for a little while. The policy needs to replicate to the DC your test PC is authenticating to. If that policy isn't replicated to that DC, the settings won't apply.
AWESOME! ! ! It worked.

However, I ran gpupdate /force /boot and gpresult, no dice, so I rebooted.
I logged in things are greyed out in Firewall and registry is active.

Anyway to run these commands on the entire network to implement?
I am going to move a live computer to the test ou to test again, after I test this second computer can I then move both computers from test ou to primary ou then link my GPO to the main OU?
The second user I added automatically had GPO run on it, so I believe that simply waiting 30 -60 minutes will automatically do it. Since this has worked on two computers, one with XP and one with Vista, is it now safe for me to move the two test computers to the main OU then simply apply my GPO to this OU?

I have 3 servers and a network monitoring system; how would I prevent these from being added?
One server is a DC, one is mail and the other is a DB.

Here is a screen shot of my GPO/GPMC comparison.
I notice the Container for Computers is a default standalone; would it be practical to create an OU called LAN Computers or the like and then move all computers from the default "Computers" to the new OU called LAN Computers, then link the GPO to the new LAN Computers?
I am wanting to apply changes ASAP so I can roll out new endpoint AV and packages.
gpo-comp.bmp
No...you won't have to run those commands on each PC for it to work. We just suggested that to quicken the implementation. Be careful when moving PCs from OU to OU to make sure other Policies aren't "missed", if that makes sense. In other words, I would link any "production GPOs" to your test, to make sure any 'live' PCs you place in your test OU are getting their regular policies, as well.

Group Policies are pretty basic; they can get a bit complicated, when talking about terminal services, loop-back, etc., but that is typically for a more complex environment. So, all that being said, a simple Firewall policy and waiting for replication to occur or rebooting PCs should cause the policy(s) to be applied.

To prevent your servers from getting the policy applied, you could do a couple things, create a GPO for your Servers container (if one isn't already created), and configure the Firewall as you want. OR, you can right-click on the Servers container and select 'Block Inheritance'. What this does is pretty much how it sounds...it blocks any GPOs from higher in your domain tree structure from being applied to lower level OUs/Containers.

And yes, to your last question...I would move all your PCs from the Computers container to a different OU. As a matter of fact, if possible, you might want to consider modifying your domain structure as you may need to apply policies based off region, or department, or group. So, for example, if you were to create a domain tree by dept, in your main tree (from your scrnshot), you would create an OU named YOURCOMPANY; then, under that you could have OUs for Accounting, Human Resources, etc. Then, under each dept, you can create OUs for Computers and Users and place the PCs/Users for each dept in the Computers and Users OU under their respective dept OU. Make sense?

As you can see, Group Policies are quite powerful. After you get this implemented, I would suggest giving some more thought to how you want your domain be managed, security/policy-wise.

Regards.
~coolsport00
Coolsport00, I only see a default GPO and the one I Created called BFMI, it does not appear my predecessor ever used GPO. Would it be safe for me to copy the computers from the default Computer OU to my Test GPO then simply rename my GPO to another name? I am wondering this now since there does not appear to be any policy. If you look at my last picture you will see what I am talking about.
Both servers here appear to be in the Domain Controller folder, so that being said I would not need to block inheritance, correct?
Yes, it's safe to do that. And yes...since the DC container is 'above' your other OUs/Containers, you are good there...no need to 'Block Inheritance'.

~coolsport00
Maybe I can just apply the changes for my test GPO to the default. I do see some GPO settings in place; I was going to edit the default GPO, make some changes to it via GPOE, and then these changes would propagate to all workstations in 30 minutes or so, correct? This would prevent me from having to move computers and lose settings as you said before, right?
No...don't 'add' things to your Default Domain Policy or Domain Controller's policies. Change acct logon/pwd type settings to reflect your org's policy, but don't add things to those. The reason is for recoverability, but that's another topic in and of itself. You can research/read more up on Group Policies here: http://www.labutb.falun.se/skolmaterial/Material/LAN/622175.pdf

The main thing is to keep this GPO separate (yes, you can add other settings to it if you have domain-wide changes you want to make). Your Default policies will still be fine. The only way to lose other policies is if your OU is 'above' the Computers container/OU, which it is not. You won't do any harm moving your computers, and I strongly recommend doing so. This also avoids confusion when you add computers to your domain; you will see newly added PCs in the Comp's container.
Okay I undid the changes I made to the default GPO.

My new GPO is BMFI, the default is default.

I am trying to get the entire domain under both of my policies.
So I need to copy all of my computers from the Computer OU container to the New LAN computers and then link both policies to this new OU container, is that correct?
I think I am seeing this now.

So since my test OU falls below the Computers the gpo will trickle down.
So therefore, by moving all computers from COMPUTERS to GPO test or whatever I call it, all computers in this GPO test OU will then have the default GPO and my TEST GPO both linked to it, thus doing no harm; is that correct in my understanding?
Yes, then you will have what's called winning GPOs.
You are correct.
I am having users who cannot log in to the network; their network connectivity is very slow, and XP logins take 15 minutes.

The rest of the users can log in right away and the system is fast for others. Do you think GPO could affect this?
No...policies don't disrupt login times, with the exception of software install policies.
Try this setting:
Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

http://www.tweakxp.com/article37007.aspx
I did this on my default GPO, or the new GPO?
Do so on your new GPO since that's where you're doing all this from.
You would need to do it on a GPO that would apply to all computers
I have two XP users who are not able to log in to the network; when they do, their system is very slow and unresponsive. Does this sound more like a virus?
This thread has become quite long. You might want to open another question as your first issue has been answered.
Agreed. :)
Okay, I agree to that. How can I split points? Both of you have been very helpful; say 300 Coolsport, 200 dste?
Split however you feel assistance was provided.

~coolsport00
Is there any way I can just undo my gpo changes?
You can 'delete' the GPO from the OU. This does NOT delete the GPO, but removes it from the OU/domain where you have it linked (kind of a misnomer in the operation as you're not "deleting" it per se, but just removing it).
Does my issue sound like it's GPO related?
If you're referring to your 2 XP boxes...no. Again...to troubleshoot that issue, I suggest creating another EE post in the XP zone.

~coolsport00
Very helpful and knowledgeable.