Solved

Force a group policy (disable workstation firewalls) to take effect - how?

Posted on 2010-09-04
Last Modified: 2012-06-21
This weekend I have to roll out ESET Nod32 anti virus to about 50 workstations and I'm using the push option to achieve this.
The push option requires that the firewall is disabled and this client just uses XP windows firewall on each PC. (Server is Windows 2003 and Exchange 2003)

In Active Directory I created an OU that has the policy of firewall being disabled (I've not really used group policy much) and my plan was to just drag workstations into the no firewall OU, push out the NOD32 software and then once installed put back the firewall on the workstations by removing them from the no firewall OU.

However I notice that the group policy changes are not immediate. How can I force them to be applied to the workstation, and in addition are there any insights or comments about this method I am using?

Many thanks in advance.
Question by:afflik1923
17 Comments
 
LVL 27

Accepted Solution

by:
davorin earned 251 total points
You can use gpupdate /force at the command prompt, but you will have to log in again for it to take effect. Another option is to restart the computer.
0
 
LVL 27

Assisted Solution

by:davorin
davorin earned 251 total points
Well, you can also try connecting to those computers remotely over computer manager and stopping the Windows firewall service. I think this will be faster than applying group policy, restarting,...
0
 

Author Comment

by:afflik1923
Hmmmm. Is gpupdate done on the server or the workstation? If workstation then it is easier to disable the firewall manually as I log into each PC.

If I don't update or don't restart the workstation, how long is it likely to be before no firewall takes effect?
0
 
LVL 27

Assisted Solution

by:davorin
davorin earned 251 total points
You must run gpupdate on each workstation.
Group policy refresh takes place every 90-120 minutes. But not all policies are refreshed during background refresh. I'm not sure about FW.
http://msdn.microsoft.com/en-us/library/aa373482(VS.85).aspx
0
 
LVL 12

Expert Comment

by:Rant32
Doesn't this require a more permanent solution to the client firewall configuration? Isn't there some administration console with NOD that needs to contact the clients, to manage your AV? How about new clients or re-deployments?

If you have the option, I'd consider adding a File- and Printer sharing exception for the deployment server, and adding port exception(s) so the AV client can be managed from the console.
0
 
LVL 27

Expert Comment

by:davorin
NOD32 requires a disabled firewall only at installation. I have never investigated what ports it needs, because after installation NOD32 runs fine with the firewall on.
0
 
LVL 12

Expert Comment

by:Rant32
The LAN Update Server seems to be the only component that wants to contact the client (port 8081 default). But that's probably optional for a working deployment. Deployment requires access to the ADMIN$ share.

AFAIK, if the firewall gets disabled with gpupdate, then it will disable with a background policy refresh.

You may temporarily want to turn down the GP Update refresh interval (to 5 minutes or so) before moving clients to the No Firewall OU, so they pick up the new policy faster after moving them and back.
0
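The scoped exception Rant32 describes, as an added example that is not part of the original thread: a batch file run locally on each XP workstation (for example as a startup script) that keeps Windows Firewall on and allows File and Printer Sharing, which ADMIN$ access depends on, from the deployment server only. The address 192.0.2.10 is a placeholder for the deployment server, and the commands assume the XP SP2 / Server 2003 netsh firewall context.

```bat
@echo off
rem Added example, not from the thread. Run locally with administrator rights.
setlocal

rem Placeholder (assumption): address of the server that pushes the install.
set DEPLOY_SERVER=192.0.2.10

rem Keep the firewall on instead of disabling it for the rollout.
netsh firewall set opmode mode=ENABLE >nul

rem Allow File and Printer Sharing (needed to reach ADMIN$) from the
rem deployment server only, not from the whole subnet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%DEPLOY_SERVER% >nul

rem Check the result. A GPO that disables the firewall wins over the local
rem setting, so look at what the machine actually reports.
netsh firewall show opmode | findstr /i /r /c:"Operational mode.*Disable" >nul
if not errorlevel 1 (
    echo WARNING: at least one firewall profile reports Operational mode = Disable
    exit /b 1
)

rem Show the service exceptions so the scope can be reviewed.
netsh firewall show service

rem After the rollout, remove the exception again with:
rem   netsh firewall set service type=FILEANDPRINT mode=DISABLE
exit /b 0
```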
 
LVL 26

Assisted Solution

by:MidnightOne
MidnightOne earned 83 total points
Psexec can also do this. Log on to the DC with a domain admin account. Install PsTools (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx) then from a command prompt enter psexec \\* "gpupdate /force" - this should force all systems to update.
0

 
LVL 5

Assisted Solution

by:EnriquePhoenix
EnriquePhoenix earned 83 total points
I would use netsh to disable the firewall temporarily.
The psexec command to disable/enable firewall is: netsh firewall set opmode mode = disable
To enable run: netsh firewall set opmode mode = enable
This will ensure that it is off and you won't have to wait. Though I think you have to reboot with GPO to get the firewall to turn off; I never had any luck with GPUPDATE. Does somebody know this for sure?
0
 
LVL 1

Assisted Solution

by:paulms53
paulms53 earned 83 total points
You can use psexec to execute the command. For multiple workstations, I recommend doing the following:

1. run net view
2. copy and paste all computer names (without \\) to a txt file (call it clients.txt, make sure to filter out workstations in the OU you want this to affect)
3. psexec @c:\clients.txt gpupdate /force
0
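A follow-up check for the plan in this thread, added here and not part of any poster's answer: once the workstations have been moved back out of the no firewall OU, this batch file reads the same c:\clients.txt and reports which machines still have Windows Firewall disabled. It assumes PsExec is on the PATH, a session with administrative rights on the clients, and the XP netsh firewall context; the scratch file name fwstate.txt is chosen for the example.

```bat
@echo off
rem Added example, not from the thread. Run from an admin machine with PsExec.
setlocal
rem One computer name per line, without the leading \\ (same file as above).
set CLIENTS=c:\clients.txt
rem Scratch file for the captured netsh output (name chosen for this example).
set OUT=%TEMP%\fwstate.txt

for /f "usebackq delims=" %%H in ("%CLIENTS%") do call :check %%H
del "%OUT%" 2>nul
exit /b 0

:check
rem Ask the workstation for its firewall state; PsExec's banner goes to stderr.
psexec \\%1 -accepteula netsh firewall show opmode >"%OUT%" 2>nul

rem No "Operational mode" line at all means the query never ran remotely.
findstr /i /c:"Operational mode" "%OUT%" >nul
if errorlevel 1 (
    echo %1  NO ANSWER: offline, or firewall on with no exception for this host
    goto :eof
)

rem The output lists the Domain and Standard profiles; flag either one.
findstr /i /r /c:"Operational mode.*Disable" "%OUT%" >nul
if errorlevel 1 (
    echo %1  firewall enabled
) else (
    echo %1  FIREWALL DISABLED in at least one profile
)
goto :eof
```

A machine reported as NO ANSWER needs a local check, since a firewall that is on and has no exception for the admin machine looks the same from here as a machine that is switched off.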
 

Author Comment

by:afflik1923
Whoops. That was meant to be points I was awarding. Don't get that as it had gradings.

Right, how can I clean this up?
0
 

Author Comment

by:afflik1923
object
0
 

Author Comment

by:afflik1923
Errr, something weird is going on. When I try and award points it posts an objection. I'm confused?
0
 
LVL 27

Expert Comment

by:davorin
EE has some problems with accepting more answers with splitting points lately.
0
 

Author Comment

by:afflik1923
What should I do?
0
 
LVL 27

Expert Comment

by:davorin
You already posted a request for attention. I hope everything will be closed correctly in 4 days - automatically. And I hope the problem will be corrected soon.
0
