  • Status: Solved

SBS 2008 GPO vs firewall on Win7

We have a client who has a default setup of SBS 2008.

We have configured some settings in the GPO for Windows Firewall, and they were happy with it. Now they need to make it so the laptops that are domain members can turn their firewall on or off. Currently, it's greyed out.

I went back into the GPO and set every single Windows Firewall option for "Vista" and "XP" to "Not Configured", rebooted the server, rebooted the workstations, but the firewall option is still greyed out on the workstations/laptops.

I did run `gpupdate /force` on the workstations. It made them log out, yes; logged back in, can't change firewall.

In the GPO I see settings for Vista, and settings for XP, but I don't see a Windows 7... but a Win7 laptop picked it up anyway and the firewall is unable to be changed.

The users are logging in as local administrators, meaning domain\username is a member of the local computer\administrators.

On the 7 box, User Account Control is turned off.

To summarize my questions:
1. Where exactly in the SBS 2008 GPO do I need to adjust so the laptops/workstations can edit their own local firewall?
2. How can I add the Win7 stuff to the GPO?

 
jakethecatuk Commented:
It is greyed out because the firewall forms part of a group policy that is applied to all computers.
I would advise you to take the firewall settings and put them into a dedicated GPO if they aren't already.
Next, make all the laptops a member of a group (i.e. comp_laptops).  On the firewall GPO, add the group you created and block the group from reading the policy - this will prevent the GPO from applying and should allow laptop users to change the configuration.
 
B H (Author) Commented:
Hmm, OK.

The firewall GPO appears to be its own individual GPO, among a list of other ones created by SBS 2008 I assume, since I didn't create them.

Going with the group, and blocking them on the firewall policy sounds like the way to go. I'll go do that and report back in a few hours.
 
B H (Author) Commented:
Ended up just editing the policy completely to allow the workstations to control it themselves... couldn't get it to go per group :/
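A diagnostic for the symptom discussed in this thread, added here as an example and not posted by any participant: it reports, per firewall profile, whether a Group Policy value is still forcing the firewall state on a workstation, then lists the computer GPOs that applied. It assumes an elevated PowerShell prompt on the affected Windows 7 machine; the function name `Get-FirewallPolicyState` is hypothetical.

```powershell
# Added example (not from the thread): find out whether Group Policy is still
# controlling Windows Firewall on this machine. Compatible with PowerShell 2.0.

# Policy-delivered firewall settings are stored under this key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# DomainProfile/StandardProfile are written by the legacy "XP" firewall template;
# DomainProfile/PrivateProfile/PublicProfile by the Vista-and-later one.
$profiles = 'DomainProfile', 'StandardProfile', 'PrivateProfile', 'PublicProfile'

function Get-FirewallPolicyState {
    foreach ($name in $profiles) {
        $key   = Join-Path $policyRoot $name
        $state = 'not set by policy (local control)'
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableFirewall
            if ($value -ne $null) {
                # A value here is what greys out the on/off control in the UI.
                $state = if ($value -eq 1) { 'forced ON by policy' } else { 'forced OFF by policy' }
            } else {
                $state = 'key present, EnableFirewall not set'
            }
        }
        New-Object PSObject -Property @{ Profile = $name; State = $state }
    }
}

Get-FirewallPolicyState | Format-Table Profile, State -AutoSize

# Which computer-scope GPOs were applied or filtered out on the last refresh.
gpresult /r /scope computer

# Effective on/off state of each firewall profile.
netsh advfirewall show allprofiles state
```

If a profile still shows "forced" after the GPO was changed, the `gpresult` output shows which GPO is still being applied to the computer.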
