How can I change all domain computers' firewall setting to OFF?

I am working on a LAN where my predecessor left all computers he installed as having the firewall setting on. Since all users do not have admin rights on their computers, I am forced to manually go and change each one, forcing everyone to log off so I can log in as admin.

Isn't there a quicker and more efficient method to do this?

Server 2003 Enterprise supports our infrastructure, with Vista and XP Pro machines running on the clients.
Asked by manelson05

coolsport00 commented:
Install GPMC, if you haven't already:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Set up a GPO as 'dstewartjr' suggested to disable the firewall. Now, in my org, I have set laptops up a bit differently... to disable the FW while connected to the domain, and enable it outside of the domain (by configuring the 'Domain Profile' and 'Standard Profile' FW settings respectively).

Just set up the GPO and place a few PCs in a 'test OU' and test your GPO to see if it works (as you should do with all GPOs). It won't 'break' anything (shouldn't). :)

Hope this helps.
Regards,
~coolsport00

Don (Network Administrator) commented:

manelson05 (author) commented:
I also need to enable Remote Registry; CA will not install unless Remote Registry is enabled as well.
I am looking at the link now.

manelson05 (author) commented:
There is no GPO set up. I want to set up a GPO but do not want to crash anything.

Any ideas?

Don (Network Administrator) commented:
You can set up both with GPO.

Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall, and then Domain Profile.

For Remote Registry you would go to:

Computer Configuration, Windows Settings, Security Settings, System Services, and set Remote Registry startup to Automatic.
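The two settings Don names, as an added example that is not part of the thread: a PowerShell script that creates the GPO, writes the firewall setting for both profiles (the domain/standard split coolsport00 describes) plus the Remote Registry start type, and links the GPO to a test OU only. It assumes the GroupPolicy PowerShell module (RSAT on Server 2008 R2 / Windows 7 or later, so a management box rather than the 2003 DC itself); the GPO name 'BFMI' and the OU distinguished name are placeholders.

```powershell
# Added example, not the thread's own code. Needs the GroupPolicy module (RSAT).
# Placeholders: GPO name and test OU distinguished name (the OU must already exist).
Import-Module GroupPolicy

$GpoName = 'BFMI'                            # the name the author uses later in the thread
$TestOU  = 'OU=GPO Test,DC=corp,DC=example'  # hypothetical test OU
$FwKey   = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Create the GPO once; re-running the script only rewrites its values.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Firewall off on the domain profile, on elsewhere; Remote Registry automatic'
}

# Computer Configuration > Administrative Templates > Network > Network Connections >
# Windows Firewall > Domain Profile > "Protect all network connections" = Disabled.
# This is registry-based policy, so it goes away again when the GPO is unlinked.
Set-GPRegistryValue -Name $GpoName -Key "$FwKey\DomainProfile" `
    -ValueName EnableFirewall -Type DWord -Value 0 | Out-Null

# Standard Profile (no DC reachable, e.g. a laptop on a hotel network): keep it on.
Set-GPRegistryValue -Name $GpoName -Key "$FwKey\StandardProfile" `
    -ValueName EnableFirewall -Type DWord -Value 1 | Out-Null

# Alternative if the only reason for switching the domain profile off is remote
# management (Remote Registry, WMI, RPC): leave EnableFirewall at 1 for DomainProfile
# and open just "Allow inbound remote administration exception" to the local subnet.
# Set-GPRegistryValue -Name $GpoName -Key "$FwKey\DomainProfile\RemoteAdminSettings" `
#     -ValueName Enabled -Type DWord -Value 1 | Out-Null
# Set-GPRegistryValue -Name $GpoName -Key "$FwKey\DomainProfile\RemoteAdminSettings" `
#     -ValueName RemoteAddresses -Type String -Value 'LocalSubnet' | Out-Null

# Remote Registry. Don's route (Windows Settings > Security Settings > System Services)
# has no cmdlet; this writes the service's Start value (2 = Automatic) through the
# GPO's registry.pol instead. Caveat: the key is outside the Policies hives, so the
# value is tattooed (unlinking the GPO does not set it back), and the service itself
# only starts at the next boot, which matches the reboot the thread ends up needing.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry' `
    -ValueName Start -Type DWord -Value 2 | Out-Null

# Link to the test OU only. Nothing applies anywhere until the GPO is linked.
$linked = (Get-GPInheritance -Target $TestOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TestOU -LinkEnabled Yes | Out-Null
}

# Show what ended up in the GPO and where it is linked.
Get-GPRegistryValue -Name $GpoName -Key "$FwKey\DomainProfile"
Get-GPRegistryValue -Name $GpoName -Key "$FwKey\StandardProfile"
(Get-GPInheritance -Target $TestOU).GpoLinks | Select-Object DisplayName, Enabled, Order
```

The settings written here are the same ones the GUI path produces; in the Group Policy Object Editor the firewall values show up under the Windows Firewall node, while the Remote Registry Start value shows up under "Extra Registry Settings" because it is not backed by an administrative template.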
manelson05 (author) commented:
Not to sound totally stupid, but this can all be done on the DC, right?
I have locked down a client computer, disabled Remote Registry and enabled the firewall; I will test there first.

I am downloading the GPMC on the DC and going to create a GPO template on the dc.

Don (Network Administrator) commented:
You can do it from either with the gpmc as long as you are using admin rights

coolsport00 commented:
You can do it on a DC, or the GPMC can be downloaded on your PC. You will just need to connect it to a DC is all.

~coolsport00

manelson05 (author) commented:
I am not seeing the firewall setting, here is what I see right now.
(attachment: gpo.bmp)

coolsport00 commented:
You're in the wrong container... it's under Computer Configuration -> Administrative Templates -> Network -> Network Connections.

Don (Network Administrator) commented:
This is because you are looking under user config. You need to look under computer config

manelson05 (author) commented:
Sorry, I was in the wrong drop-down; sorry about that.

manelson05 (author) commented:
I saw that right after I submitted.
Here is what I now have
I have created an OU under my main group called GPO test group.

Can I simply drag and drop a few computers to this group?
This is based on Computer names and not users, right?

(attachment: gpo-firewall.bmp)

coolsport00 commented:
Yes to both your questions; or right-click your computer(s) and select "Move", then browse to your test OU.

~coolsport00

manelson05 (author) commented:
Okay, I moved the computer to the test OU group; does it need to replicate through the DC first, or is it live right away? I did not see an option to save it in the Group Policy Object Editor.

So can I now close this out and go log in on my test computer and see if it worked? I purposely turned on the firewall and disabled Remote Registry as an admin on that computer, so now I should try to log in and see if these settings changed, correct? User permissions should not matter as I am just trying to see if the permission changed on that computer, correct?

coolsport00 commented:
Yes, you will need to either wait 30-60mins or...theoretically, if you go to Start -> Run and type in gpupdate /force  it will apply your GPO settings. You may be prompted to either log out or reboot.

Yes, User doesn't apply since it's computer-based.

~coolsport00

manelson05 (author) commented:
How can I make sure that this policy is only applied to the test OU and not the entire domain?

manelson05 (author) commented:
I forced the update, I hope I did not break anything.
I did not verify how I would go about testing the new GPO only on my test OU.

Any ideas on that?

Don (Network Administrator) commented:
It should only apply to the computers contained in this OU.

coolsport00 commented:
All you need to do is go into the Control Panel -> Firewall and see if 1. the settings are grayed out and 2. it has the settings you configured in your GPO.

coolsport00 commented:
In GPMC, right-click on your test OU and select "Link an Existing GPO" and it will be "linked" to only that OU (and sub-OUs, if there are any). The GPO doesn't 'apply' to anywhere in your domain until you "link" it somewhere.

manelson05 (author) commented:
I have my GPO linked to the test OU, but the firewall is still enabled and the Remote Registry I disabled still shows as disabled.

Did I do something incorrect? I followed guidance.

coolsport00 commented:
No...give it 30 mins or so and check it again.

Don (Network Administrator) commented:
Since it's a computer config, you may need to reboot.

manelson05 (author) commented:
I checked GPOE and I noticed my changes did not stick?
I do not see how to save this there, under my test ou GPO shows these changes are active?

manelson05 (author) commented:
I am not following how I create a GPO under GPOE and then it is applied to a specific OU; I did not save it or anything. When I reopen GPOE I see that all the changes I made are at the default settings. When I look at Group Policy Mgmt I see my TEST OU and the GPO changes I made under a default name.

Is this normal?

Don (Network Administrator) commented:
Run gpupdate /force /boot on test machine and check again

Don (Network Administrator) commented:
Also try running gpresult in a command prompt on test machine

coolsport00 commented:
Also... give a screenshot of what you're referring to in your GPMC; again, the change may not "take" for a little while. The policy needs to replicate to the DC your test PC is authenticating to. If that policy isn't replicated to that DC, the settings won't apply.
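To see on the test PC whether the GPO actually landed, here is an added check script that is not from the thread. It assumes Windows PowerShell 2.0 is installed on the XP or Vista client (an optional download on both), that it is run from an elevated prompt after gpupdate /force and the reboot, and that the GPO name is a placeholder. It reports the same four things the thread ends up checking by hand: whether gpresult lists the GPO, whether the policy registry values that grey out the Control Panel are present, the Remote Registry start mode and state, and what the firewall engine says right now.

```powershell
# Added example, not the thread's own code. Run on the test PC, elevated, after
# gpupdate /force and a reboot. Assumes Windows PowerShell 2.0 on XP/Vista.
function Test-FirewallGpo {
    param([string]$GpoName = 'BFMI')   # placeholder GPO name

    $fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $r = New-Object PSObject

    # 1. Did the computer side of policy processing pick the GPO up at all?
    #    gpresult /v works on XP and Vista; the shorter /r is Vista and later only.
    $gpresult = & gpresult /v /scope computer 2>&1
    $applied  = [bool]($gpresult | Select-String -SimpleMatch $GpoName)
    $r | Add-Member -MemberType NoteProperty -Name GpoApplied -Value $applied

    # 2. The policy values. A policy-set EnableFirewall is what greys out the
    #    Control Panel; if the key is absent, only the local setting is in effect.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $v = Get-ItemProperty -Path "$fwKey\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
        $text = if ($v) { $v.EnableFirewall } else { 'not set by policy' }
        $r | Add-Member -MemberType NoteProperty -Name "${profile}_EnableFirewall" -Value $text
    }

    # 3. Remote Registry: the GPO changes the start mode, but the service itself only
    #    starts on the next boot, which is why "Auto / Stopped" shows up before one.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'"
    $r | Add-Member -MemberType NoteProperty -Name RemoteRegistry -Value ('{0} / {1}' -f $svc.StartMode, $svc.State)

    # 4. What the firewall engine says right now for the profile currently in use
    #    (XP/Vista netsh syntax; later Windows uses "netsh advfirewall show currentprofile").
    $state = & netsh firewall show state 2>&1
    $mode  = [string]($state | Select-String -SimpleMatch 'Operational mode')
    $r | Add-Member -MemberType NoteProperty -Name OperationalMode -Value (($mode -replace '\s+', ' ').Trim())

    $r
}

Test-FirewallGpo -GpoName 'BFMI' | Format-List
```

A GpoApplied of False with the registry values still absent after a reboot means the client never got the policy (wrong OU, link disabled, or not yet replicated to the DC it authenticates against); GpoApplied True with the values absent points at the settings having been made in the wrong half of the GPO (User rather than Computer Configuration), which is the mistake made earlier in this thread.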
manelson05 (author) commented:
AWESOME! ! ! It worked.

However, I ran gpupdate /force /boot and gpresult, no dice, so I rebooted.
I logged in; things are greyed out in Firewall and Remote Registry is active.

Any way to run these commands on the entire network to implement?
I am going to move a live computer to the test OU to test again; after I test this second computer, can I then move both computers from the test OU to the primary OU, then link my GPO to the main OU?

manelson05 (author) commented:
The second computer I added automatically had the GPO run on it, so I believe that simply waiting 30-60 minutes will automatically do it. Since this has worked on two computers, one with XP and one with Vista, is it now safe for me to move the two test computers to the main OU then simply apply my GPO to this OU?

I have 3 servers and a network monitoring system; how would I prevent these from being added?
One server is a DC, one is mail and the other is a DB.

manelson05 (author) commented:
Here is a screenshot of my GPO/GPMC comparison.
I notice the container for Computers is a default standalone; would it be practical to create an OU called LAN Computers or the like, then move all computers from the default "Computers" to the new OU called LAN Computers, then link the GPO to the new LAN Computers?
I am wanting to apply changes ASAP so I can roll out new endpoint AV and packages.
(attachment: gpo-comp.bmp)

coolsport00 commented:
No...you won't have to run those commands on each PC for it to work. We just suggested that to quicken the implementation. Be careful when moving PCs from OU to OU to make sure other Policies aren't "missed", if that makes sense. In other words, I would link any "production GPOs" to your test, to make sure any 'live' PCs you place in your test OU are getting their regular policies, as well.

Group Policies are pretty basic; they can get a bit complicated, when talking about terminal services, loop-back, etc., but that is typically for a more complex environment. So, all that being said, a simple Firewall policy and waiting for replication to occur or rebooting PCs should cause the policy(s) to be applied.

To prevent your servers from getting the policy applied, you could do a couple things, create a GPO for your Servers container (if one isn't already created), and configure the Firewall as you want. OR, you can right-click on the Servers container and select 'Block Inheritance'. What this does is pretty much how it sounds...it blocks any GPOs from higher in your domain tree structure from being applied to lower level OUs/Containers.

And yes, to your last question... I would move all your PCs from the Computers container to a different OU. As a matter of fact, if possible, you might want to consider modifying your domain structure as you may need to apply policies based off region, or department, or group. So, for example, if you were to create a domain tree by dept, in your main tree (from your screenshot), you would create an OU named YOURCOMPANY; then, under that you could have OUs for Accounting, Human Resources, etc. Then, under each dept, you can create OUs for Computers and Users and place the PCs/Users for each dept in the Computers and Users OU under their respective dept OU. Make sense?

As you can see, Group Policies are quite powerful. After you get this implemented, I would suggest giving some more thought to how you want your domain be managed, security/policy-wise.

Regards.
~coolsport00
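The restructuring coolsport00 recommends (a dedicated OU for workstations, the GPO linked there, servers left alone, and new joins no longer landing in the Computers container) as an added example rather than anything posted in the thread. It assumes the ActiveDirectory and GroupPolicy modules from RSAT on a Server 2008 R2 / Windows 7 management box (against 2003 domain controllers the ActiveDirectory module needs the Active Directory Management Gateway Service installed on a DC); the OU names and the GPO name are placeholders. It stays a dry run until $DryRun is set to $false.

```powershell
# Added example, not the thread's own code. Needs the ActiveDirectory and
# GroupPolicy modules (RSAT). OU names and GPO name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DryRun   = $true          # flip to $false once the WhatIf output looks right
$GpoName  = 'BFMI'
$domainDN = (Get-ADDomain).DistinguishedName
$lanOU    = "OU=LAN Computers,$domainDN"
$srvOU    = "OU=Servers,$domainDN"

# Create the OUs if they do not exist yet.
foreach ($name in 'LAN Computers', 'Servers') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN -WhatIf:$DryRun
    }
}

# Move workstations only out of the default Computers container. Servers stay put,
# and the DCs sit in the Domain Controllers OU, a sibling, so a link on LAN Computers
# cannot reach them; the Default Domain Policy still applies from the domain root.
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel `
    -Filter { OperatingSystem -notlike '*Server*' } -Properties OperatingSystem |
    ForEach-Object {
        Write-Host ('Moving {0} ({1}) to {2}' -f $_.Name, $_.OperatingSystem, $lanOU)
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $lanOU -WhatIf:$DryRun
    }

# Link the thread's GPO to the new OU (skip if it is already linked there).
$linked = (Get-GPInheritance -Target $lanOU -ErrorAction SilentlyContinue).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked -and -not $DryRun) {
    New-GPLink -Name $GpoName -Target $lanOU -LinkEnabled Yes | Out-Null
}

# Optional: shield member servers from anything linked at the domain level.
# Block Inheritance stops every non-Enforced link from above, the Default Domain
# Policy included, so with a dedicated workstation OU it is usually not needed.
if (-not $DryRun) {
    Set-GPInheritance -Target $srvOU -IsBlocked Yes | Out-Null
}

# Make future domain joins land in LAN Computers instead of CN=Computers
# (redircmp ships with Server 2003 and needs Windows Server 2003 domain functional level).
if (-not $DryRun) {
    & redircmp $lanOU
}

# Resulting link order for the workstation OU; link order 1 is applied last and wins.
(Get-GPInheritance -Target $lanOU -ErrorAction SilentlyContinue).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Run it once with $DryRun left at $true and read the WhatIf lines: every computer listed should be a workstation, and nothing from the Domain Controllers OU should appear, because Get-ADComputer is scoped to CN=Computers with -SearchScope OneLevel.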
manelson05 (author) commented:
Coolsport00, I only see a default GPO and the one I Created called BFMI, it does not appear my predecessor ever used GPO. Would it be safe for me to copy the computers from the default Computer OU to my Test GPO then simply rename my GPO to another name? I am wondering this now since there does not appear to be any policy. If you look at my last picture you will see what I am talking about.
Both servers here appear to be in the Domain Controller folder, so that being said I would not need to block inheritance, correct?

coolsport00 commented:
Yes, it's safe to do that. And yes... since the DC container is 'above' your other OUs/Containers, you are good there... no need to 'Block Inheritance'.

~coolsport00

manelson05 (author) commented:
Maybe I can just apply the changes for my test GPO to the default. I do see some GPO settings in place; I was going to edit the default GPO, then make some changes to the GPO via GPOE for the default policy, then these changes in 30 minutes or so would propagate to all workstations, correct? This would prevent me from having to move computers and lose settings as you said before, right?

coolsport00 commented:
No...don't 'add' things to your Default Domain Policy or Domain Controller's policies. Change acct logon/pwd type settings to reflect your org's policy, but don't add things to those. The reason is for recoverability, but that's another topic in and of itself. You can research/read more up on Group Policies here: http://www.labutb.falun.se/skolmaterial/Material/LAN/622175.pdf

The main thing is to keep this GPO separate (yes, you can add other settings to it if you have domain-wide changes you want to make). Your Default policies will still be fine. The only way to lose other policies is if your OU is 'above' the Computers container/OU, which it is not. You won't do any harm moving your computers, and I strongly recommend doing so. This also avoids confusion when you add computers to your domain; you will see newly added PCs in the Comp's container.

manelson05 (author) commented:
Okay I undid the changes I made to the default GPO.

My new GPO is BMFI, the default is default.

I am trying to get the entire domain under both of my policies.
So I need to copy all of my computers from the Computers container to the new LAN Computers OU and then link both policies to this new OU container; is that correct?

manelson05 (author) commented:
I think I am seeing this now.

So since my test OU falls below Computers, the GPO will trickle down.
So therefore, by moving all computers from COMPUTERS to GPO test or whatever I call it, all computers in this GPO test OU will then have the default GPO and my TEST GPO both linked to it, thus doing no harm; is that correct in my understanding?

Don (Network Administrator) commented:
Yes, then you will have what's called winning GPOs.

coolsport00 commented:
You are correct.

manelson05 (author) commented:
I am having users who cannot log in to the network; their network connectivity is very slow, and XP logins take 15 minutes.

The rest of the users can log in right away and the system is fast for others. Do you think GPO could affect this?

coolsport00 commented:
No...policies don't disrupt login times, with the exception of software install policies.

Don (Network Administrator) commented:
Try this setting
Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.
 
http://www.tweakxp.com/article37007.aspx 

manelson05 (author) commented:
I did this on my default GPO, or the new GPO?

coolsport00 commented:
Do so on your new GPO since that's where you're doing all this from.

Don (Network Administrator) commented:
You would need to do it on a GPO that would apply to all computers

manelson05 (author) commented:
I have two XP users who are not able to log in to the network; when they do, their system is very slow and unresponsive. Does this sound more like a virus?

Don (Network Administrator) commented:
This thread has become quite long, You might want to open another question as your first issue has been answered.

coolsport00 commented:
Agreed. :)

manelson05 (author) commented:
Okay, I agree to that. How can I split points? Both of you have been very helpful; say 300 coolsport00, 200 dste?

coolsport00 commented:
Split however you feel assistance was provided.

~coolsport00

manelson05 (author) commented:
Is there any way I can just undo my gpo changes?

coolsport00 commented:
You can 'delete' the GPO from the OU. This does NOT delete the GPO, but removes it from the OU/domain where you have it linked (kind of a misnomer in the operation, as you're not "deleting" it per se, but just removing it).

manelson05 (author) commented:
Does my issue sound like its GPO related?

coolsport00 commented:
If you're referring to your 2 XP boxes...no. Again...to troubleshoot that issue, I suggest creating another EE post in the XP zone.

~coolsport00

manelson05 (author) commented:
Very helpful and knowledgeable.