sbs2008 gpo vs firewall on win7

we have a client who has a default setup of sbs2008.

we have configured some settings in the gpo for windows firewall, and they were happy with it.  now they need to make it so the laptops that are domain members can change their firewall on or off.  currently, it's greyed out.

i went back into the gpo and set every single windows firewall option for "vista" and "xp" to "not configured", rebooted the server, rebooted the workstations, but the firewall option is still greyed out on the workstations/laptops

i did run gpupdate /force on the workstations, it made them log out, yes, logged back in, cant change firewall

in the gpo i see settings for vista, and settings for xp, but i dont see a windows 7... but, a win7 laptop picked it up anyway and the firewall is unable to be changed.

the users are logging in as local administrators. meaning,  domain\username is a member of the local computer\administrators

on the 7 box, user account control is turned off

to summarize my questions:
1. where exactly in the sbs2008 gpo do i need to adjust so the laptops/workstations can edit their own local firewall?
2. how can i add the win7 stuff to the gpo?

LVL 24
B HAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It is greyed out because the firewall forms part of a group policy that is applied to all computers.
I would advise you to take the firewall settings and put them into a dedicated GPO if they aren't already.
Next, make all the laptops a member of a group (i.e. comp_laptops).  On the firewall GPO, add the group you created and block the group from reading the policy - this will prevent the GPO from applying and should allow laptop users to change the configuration.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
B HAuthor Commented:
hmm, ok

the firewall gpo appears to be its own individual gpo, among a list of other ones created by sbs2008 i assume, since i didnt create them

going with the group, and blocking them on the firewall policy sounds like the way to go, i'll go do that and report back in a few hours
B HAuthor Commented:
ended up just editing the policy completely to allow the workstations to control it themselves... couldnt get it to go per group :/
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.