Solved

How can I change all domain computers firewall setting OFF

Posted on 2009-04-15
Last Modified: 2012-05-06
I am working on a LAN where my predecessor left all computers he installed as having the firewall setting on. Since all users do not have admin rights on their computers, I am forced to manually go and change each one, forcing everyone to log off so I can log in as admin.

Isn't there a quicker and more efficient method to do this?

Server 2003 Enterprise supports our infrastructure, with Vista and XP Pro machines running on the clients.
Question by:manelson05
LVL 47

Expert Comment

by:Donald Stewart
ID: 24150869
0
 

Author Comment

by:manelson05
ID: 24151098
I also need to enable remote registry, CA will not install unless remote registry is enabled as well.
I am looking at the link now.
0
 

Author Comment

by:manelson05
ID: 24151110
There is no GPO setup, I want to set up GPO but do not want to crash anything.

Any ideas?
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 800 total points
ID: 24151196
You can set up both with GPO.

Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall, and then Domain Profile.

For remote registry you would go to:

Computer Configuration, Windows Settings, Security Settings, System Services, and set Remote Registry startup to Automatic.
0
 
LVL 40

Accepted Solution

by:coolsport00
coolsport00 earned 1200 total points
ID: 24151213
Install GPMC, if you haven't already:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Set up a GPO as 'dstewartjr' suggested to Disable the Firewall. Now, in my org, I have set laptops up a bit differently...to Disable the FW while connected to the domain, and Enable it outside of the domain (by configuring the 'Domain Profile' and 'Standard Profile' FW settings respectively).

Just set up the GPO and place a few PCs in a 'test OU' and test your GPO to see if it works (as you should do with all GPOs). It won't 'break' anything (shouldn't). :)

Hope this helps.
Regards,
~coolsport00
0
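
A check for the settings described in the answers above (Domain Profile firewall off, Standard Profile firewall on, Remote Registry startup Automatic), added here as an example and not part of the original thread. The function names are illustrative; the script only reads the registry values where the Windows Firewall policy template and the service startup type are stored.

```powershell
# Added example: reads the local registry only; run elevated on a domain client.
# Function names are illustrative, not from the thread.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyState {
    param([string]$ProfileName)   # 'DomainProfile' or 'StandardProfile'
    $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $ProfileName) `
                             -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # no GPO value: local setting applies
    if ($item.EnableFirewall -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-RemoteRegistryStartMode {
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Missing' }
    switch ($svc.Start) {
        2       { return 'Automatic' }
        3       { return 'Manual' }
        4       { return 'Disabled' }
        default { return "Unknown($($svc.Start))" }
    }
}

# Collect the three settings the GPO in this thread is meant to control.
$state = New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    DomainProfile   = Get-FirewallPolicyState 'DomainProfile'
    StandardProfile = Get-FirewallPolicyState 'StandardProfile'
    RemoteRegistry  = Get-RemoteRegistryStartMode
}
$state | Format-List Computer, DomainProfile, StandardProfile, RemoteRegistry

# Flag anything that differs from the intended configuration.
if ($state.DomainProfile -ne 'Disabled') {
    Write-Warning 'Domain Profile firewall is not disabled by policy; the GPO setting is not in effect on this machine.'
}
if ($state.StandardProfile -ne 'Enabled') {
    Write-Warning 'Standard Profile firewall is not enforced by policy; off the domain network the firewall state depends on the local setting.'
}
if ($state.RemoteRegistry -ne 'Automatic') {
    Write-Warning 'Remote Registry is not set to Automatic startup.'
}
```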
 

Author Comment

by:manelson05
ID: 24151537
Not to sound totally stupid, but this can all be done on the DC, right?
I have locked down a client computer, disabled registry and enabled firewall. I will test there first.

I am downloading the GPMC on the DC and going to create a GPO template on the DC.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24151575
You can do it from either with the GPMC as long as you are using admin rights.
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24151585
You can do it on a DC, or the GPMC can be downloaded on your PC. You will just need to connect it to a DC is all.

~coolsport00
0
 

Author Comment

by:manelson05
ID: 24151778
I am not seeing the firewall setting, here is what I see right now.
gpo.bmp
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24151794
You're in the wrong container...it's under Comp Config -> Adm Templ -> Netwk -> Ntwk Conn.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24151799
This is because you are looking under user config. You need to look under computer config
0
 

Author Comment

by:manelson05
ID: 24151803
Sorry, I was in wrong drop down, sorry about that.
0
 

Author Comment

by:manelson05
ID: 24151937
I saw that right after I submitted.
Here is what I now have.
I have created an OU under my main group called GPO test group.

Can I simply drag and drop a few computers to this group?
This is based on Computer names and not users, right?

gpo-firewall.bmp
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24151951
Yes to both your questions; or right-click your computer(s) and select "Move", then browse to your test OU.

~coolsport00
0
 

Author Comment

by:manelson05
ID: 24151984
Okay I moved the computer to the test ou group, does it need to replicate through DC first or is it live right away? I did not see an option to save it in the group policy object editor.

So can I now close this out and go log in on my test computer and see if it worked? I purposely turned on the firewall and disabled the remote registry as an admin on that computer, so now I should try to log in and see if these settings changed, correct? User permissions should not matter as I am just trying to see if the permission changed on that computer, correct?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24151999
Yes, you will need to either wait 30-60 mins or...theoretically, if you go to Start -> Run and type in gpupdate /force it will apply your GPO settings. You may be prompted to either log out or reboot.

Yes, User doesn't apply since it's computer-based.

~coolsport00
0
 

Author Comment

by:manelson05
ID: 24152033
How can I make sure that this policy is only applied to the test OU and not the entire domain?
0
 

Author Comment

by:manelson05
ID: 24152043
I forced the update, I hope I did not break anything.
I did not verify on how I would go about testing the new GPO only on my test ou.

Any ideas on that?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24152052
It should only apply to the computers contained in this OU.
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24152065
All you need to do is go into the Control Panel -> Firewall and see if 1. the settings are grayed out and 2. it has the settings you configured in your GPO.
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24152083
In GPMC, right-click on your test OU and select "Link an Existing GPO" and it will be "linked" to only that OU (and sub-OUs, if there are any). The GPO doesn't 'apply' to anywhere in your domain until you "link" it somewhere.
0
 

Author Comment

by:manelson05
ID: 24152161
I have my GPO linked to the test ou but Firewall is still enabled and the Remote Registry I disabled still shows as disabled.

Did I do something incorrect? I followed guidance.
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24152180
No...give it 30 mins or so and check it again.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24152187
Since it's a computer config you may need to reboot.
0
 

Author Comment

by:manelson05
ID: 24152206
I checked GPOE and I noticed my changes did not stick?
I do not see how to save this there, under my test ou GPO shows these changes are active?
0
 

Author Comment

by:manelson05
ID: 24152259
I am not following how I create a GPO under GPOE then it is applied to a specific OU; I did not save it or anything. When I reopen GPOE I see that all the changes I made are all at the default settings. When I look at Group Policy Mgmt I see my TEST OU and my GPO changes I made under a default name.

Is this normal?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24152264
Run gpupdate /force /boot on test machine and check again
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24152278
Also try running gpresult in a command prompt on test machine
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24152299
Also...give a screenshot of what you're referring to in your GPMC; again, the change may not "take" for a little while. The policy needs to replicate to the DC your test PC is authenticating to. If that policy isn't replicated to that DC, the settings won't apply.
0
 

Author Comment

by:manelson05
ID: 24152386
AWESOME! ! ! It worked.

However, I ran gpupdate /force /boot and gpresult, no dice, so I rebooted.
I logged in; things are greyed out in Firewall and registry is active.

Any way to run these commands on the entire network to implement?
I am going to move a live computer to the test ou to test again, after I test this second computer can I then move both computers from test ou to primary ou then link my GPO to the main OU?
0
 

Author Comment

by:manelson05
ID: 24152934
The second user I added automatically had GPO run on it, so I believe that simply waiting 30-60 minutes will automatically do it. Since this has worked on two computers, one with XP and one with Vista, is it now safe for me to move the two test computers to the main OU then simply apply my GPO to this OU?

I have 3 servers and a network monitoring system; how would I prevent these from being added?
One server is a DC, one is mail and the other is a DB.

0
 

Author Comment

by:manelson05
ID: 24153056
Here is a screenshot of my GPO/GPMC comparison.
I notice the Container for Computers is a default standalone. Would it be practical to create an OU called LAN Computers or the like and then move all computers from the default "computers" to the new OU called Lan Computers, then link the GPO to the new LAN Computers?
I am wanting to apply changes ASAP so I can roll out new endpoint AV and packages.
gpo-comp.bmp
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24153280
No...you won't have to run those commands on each PC for it to work. We just suggested that to quicken the implementation. Be careful when moving PCs from OU to OU to make sure other Policies aren't "missed", if that makes sense. In other words, I would link any "production GPOs" to your test, to make sure any 'live' PCs you place in your test OU are getting their regular policies, as well.

Group Policies are pretty basic; they can get a bit complicated, when talking about terminal services, loop-back, etc., but that is typically for a more complex environment. So, all that being said, a simple Firewall policy and waiting for replication to occur or rebooting PCs should cause the policy(s) to be applied.

To prevent your servers from getting the policy applied, you could do a couple things, create a GPO for your Servers container (if one isn't already created), and configure the Firewall as you want. OR, you can right-click on the Servers container and select 'Block Inheritance'. What this does is pretty much how it sounds...it blocks any GPOs from higher in your domain tree structure from being applied to lower level OUs/Containers.

And yes, to your last question...I would move all your PCs from the Computers container to a different OU. As a matter of fact, if possible, you might want to consider modifying your domain structure as you may need to apply policies based off region, or department, or group. So, for example, if you were to create a domain tree by dept, in your main tree (from your scrnshot), you would create an OU named YOURCOMPANY; then, under that you could have OUs for Accounting, Human Resources, etc. Then, under each dept, you can create OUs for Computers and Users and place the PCs/Users for each dept in the Computers and Users OU under their respective dept OU. Make sense?

As you can see, Group Policies are quite powerful. After you get this implemented, I would suggest giving some more thought to how you want your domain to be managed, security/policy-wise.

Regards.
~coolsport00
0
 

Author Comment

by:manelson05
ID: 24156937
Coolsport00, I only see a default GPO and the one I Created called BFMI, it does not appear my predecessor ever used GPO. Would it be safe for me to copy the computers from the default Computer OU to my Test GPO then simply rename my GPO to another name? I am wondering this now since there does not appear to be any policy. If you look at my last picture you will see what I am talking about.
Both servers here appear to be in the Domain Controller folder, so that being said I would not need to block inheritance, correct?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24156961
Yes, it's safe to do that. And yes...since the DC container is 'above' your other OUs/Containers, you are good there...no need to 'Block Inheritance'.

~coolsport00
0
 

Author Comment

by:manelson05
ID: 24156970
Maybe I can just apply the changes for my test GPO to the default. I do see some GPO settings in place; I was going to edit the default GPO then make some changes to the GPO via GPOE for default policy, then these changes in 30 minutes or so would propagate to all workstations, correct? This would prevent me from having to move computers and lose settings as you said before, right?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24157109
No...don't 'add' things to your Default Domain Policy or Domain Controller's policies. Change acct logon/pwd type settings to reflect your org's policy, but don't add things to those. The reason is for recoverability, but that's another topic in and of itself. You can research/read more up on Group Policies here: http://www.labutb.falun.se/skolmaterial/Material/LAN/622175.pdf

The main thing is to keep this GPO separate (yes, you can add other settings to it if you have domain-wide changes you want to make). Your Default policies will still be fine. The only way to lose other policies is if your OU is 'above' the Computers container/OU, which it is not. You won't do any harm moving your computers, and I strongly recommend doing so. This also avoids confusion when you add computers to your domain; you will see newly added PCs in the Comp's container.
0
 

Author Comment

by:manelson05
ID: 24157978
Okay I undid the changes I made to the default GPO.

My new GPO is BMFI, the default is default.

I am trying to get the entire domain under both of my policies.
So I need to copy all of my computers from the Computer OU container to the New LAN computers and then link both policies to this new OU container, is that correct?
0
 

Author Comment

by:manelson05
ID: 24158002
I think I am seeing this now.

So since my test OU falls below the Computers the gpo will trickle down.
So therefore by moving all computers from COMPUTERS to GPO test or whatever I call it, all computers in this GPO test OU will then have the default GPO and my TEST GPO both linked to it, thus doing no harm. Is that correct in my understanding?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24158046
Yes, then you will have what's called as winning GPOs.
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24159068
You are correct.
0
 

Author Comment

by:manelson05
ID: 24160247
I am having users who cannot log in to the network; their network connectivity is very slow, and XP logins take 15 minutes to log in.

The rest of the users can log in right away and the system is fast for others. Do you think GPO could affect this?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24160263
No...policies don't disrupt login times, with the exception of software install policies.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24160287
Try this setting
Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.
 
http://www.tweakxp.com/article37007.aspx 
0
 

Author Comment

by:manelson05
ID: 24160445
I did this on my default GPO, or the new GPO?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24160455
Do so on your new GPO since that's where you're doing all this from.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24160465
You would need to do it on a GPO that would apply to all computers
0
 

Author Comment

by:manelson05
ID: 24160562
I have two XP users who are not able to log in to the network; when they do, their system is very slow and unresponsive. Does this sound more like a virus?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24160717
This thread has become quite long. You might want to open another question as your first issue has been answered.
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24160734
Agreed. :)
0
 

Author Comment

by:manelson05
ID: 24160825
Okay, I agree to that. How can I split points? Both of you have been very helpful; say 300 coolsport, 200 dste?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24160840
Split however you feel assistance was provided.

~coolsport00
0
 

Author Comment

by:manelson05
ID: 24160867
Is there any way I can just undo my gpo changes?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24160885
You can 'delete' the GPO from the OU. This does NOT delete the GPO, but removes it from the OU/domain where you have it linked (kind of a misnomer in the operation as you're not "deleting" it per se, but just removing it).
0
 

Author Comment

by:manelson05
ID: 24160934
Does my issue sound like its GPO related?
0
 
LVL 40

Expert Comment

by:coolsport00
ID: 24161073
If you're referring to your 2 XP boxes...no. Again...to troubleshoot that issue, I suggest creating another EE post in the XP zone.

~coolsport00
0
 

Author Closing Comment

by:manelson05
ID: 31570606
Very helpful and knowledgeable.
0
