Remote Mangement - Windows 7. WIndows 2008 Domain

I need a way to remotely turn off the windows firewall on WIndows 7 systems joined to the domain. I have about 100 systems and may of them are working correctly however some of them just will not apply the gpupdate - I cannot check anymore beucase the stupid windows firewall will not shut off.

I use psexec to remotely manage machines but cannot login beucase the username and password keeps failing (domain joined pc) - the username and password is correct.

I normally use SPECOPS gpudpate etc to update the group policy but beucase of the changes made to windows 7 security that no longer works - thanks ms.

At this point in need a solution that works, as i ahev already googled and not getting great rsults.

LVL 6
castellansolutionsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mark1208Commented:
Kinda kludgy, but if you have the hostnames of the systems in question you could use Excel to quickly generate a batch file with the remote netsh syntax below. You'll just need to run it with Domain Admin privs. Output captured in netshresults.txt

netsh -r hostname advfirewall set currentprofile state off >> netshresults.txt

See http://support.microsoft.com/kb/947709 for more info.

That help?
-Mark
0
mark1208Commented:
Apologies for the duplicate post. You may want to use this instead, that way the firewall is disabled across all network profiles and not just the current one:
netsh -r hostname advfirewall set allprofiles state off >> netshresults.txt
0
castellansolutionsAuthor Commented:
i tried a similar command before but will use yours in the future...

the client that were doing the migration for has decided that he is "DNS Certified" so despite my telling him 20+ times dont screw with WIndows 7's CLient dns settings - he changed them on about 15 machines to public ip's.

I have the localusername and password each system, and thats really where i need the help beucase each time client decides to "Work on DNS" - odd problems arise...

SO do you know how to do the above with the localusername and opassword? (localuser and passis the same for each system)


0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

mark1208Commented:
Try this out?

netsh -r <hostname> -u <localusernamewithAdminprivs> -p <password> advfirewall  set allprofiles state off  >> netshresults.txt
0
castellansolutionsAuthor Commented:
This actually did not work for me, if the windows firewall is already turned on. Am ifighting a losing battle here? I was able (under xp) to turn off the firewall remotely (domain pc) but not with 7.

0
IBeSmittyCommented:
Hi there,

Sorry I don't know how to do a proper link to a previous post here on EE.  If you search for a post called "Report to show User Templates path" you will find my write up on setting up PowerShell to do remote computer management.  I tested this and was able to disable a Windows 7 firewall using the netsh command provided by Mark1208.  I also tried running the given netsh commands without the remote features of PowerShell and also was unable to make a connection.  I’ll dig a bit more and see if I can find anything else.  If I do, I’ll post back here.  But this might get you going in the mean time.  Feel free to post questions about the setup, etc.

Just realized you mentioned Domain computers.  My testing was not done with Domains, just a Windows Workgroup.  It still might be an option for you, though.  I’ll post if I can find anything else for doing this.

Jason
0
mark1208Commented:
Hmmm ... this should work regardless of the state of the firewall being off or on. Based on the attached, I was able to start with the firewall on, run the netsh command as provided above, then verify that it was turned off across all profiles.

Is group policy perhaps getting in the way? Are you seeing similar behavior across both types of clients--those that successfully inherited GPO and those that did not?

Hang in there!
-Mark



wfON.png
wfOFF.png
0
mark1208Commented:
FYI ... link to Jason's (IBeSmitty) post on PowerShell is here (PAQ 25891173): http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_25891173.html
0
IBeSmittyCommented:
Thanks Mark1208 for the link.
Jason
0
mark1208Commented:
FWIW, it looks like GPO settings take precedence over netsh. Testing in a domain environment with Win7 Enterprise, I configured Windows Firewall to be off across all three profile types (Domain, Private, and Public) ... see attached.

I then attempted to turn the Windows Firewall ON, using netsh from the command line. It reported "Ok."; however, the firewall was still off when viewed from Control Panel. This is a good thing ... except in your scenario where the GPO application is inconsistent.  :)

Group policy really is the way to go here, so that any future Windows 7 clients joined to the domain inherit appropriate settings without having to be manually tweaked. Not to mention it allows you to configure clients at a deeper level than what netsh or other remote options (PsExec) allow for (turn off notifications when WF is disabled, etc.).

Perhaps the best course of action is to troubleshoot why these workstations aren't picking up GPOs as intended? Hint, hint.

-Mark

WFgpo.png
netshinconsistency.png
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mark1208Commented:
Oops! Missed a screenshot in that last post.

WFcontrolpanel.png
0
castellansolutionsAuthor Commented:
Ok, Great! Thanks for all your replies. I will test somemore and see where it takes me.
0
mark1208Commented:
Hi Castellan...

Just following up to see how your testing is going and to make sure that you received the support needed. Anything further I can help with?  :)

Thanks,
Mark
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.