• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1401

Force a group policy (disable workstation firewalls) to take effect - how?

This weekend I have to roll out ESET NOD32 antivirus to about 50 workstations and I'm using the push option to achieve this.
The push option requires that the firewall is disabled, and this client just uses the Windows XP firewall on each PC. (Server is Windows 2003 and Exchange 2003.)

In Active Directory I created an OU that has the policy of the firewall being disabled (I've not really used group policy much) and my plan was to just drag workstations into the no-firewall OU, push out the NOD32 software and then, once installed, put the firewall back on the workstations by moving them out of the no-firewall OU.

However, I notice that the group policy changes are not immediate. How can I force them to be applied to the workstation, and in addition are there any insights or comments about this method I am using?

Many thanks in advance.
Asked by: afflik1923
 
davorin Commented:
You can use gpupdate /force at a command prompt, but you will have to log in again for it to take effect. The other option is to restart the computer.
 
davorin Commented:
Well, you can also try connecting to those computers remotely over computer manager and stopping the Windows Firewall service. I think this will be faster than applying group policy, restarting, ...
 
afflik1923 Author Commented:
Hmmmm. Is gpupdate done on the server or the workstation? If workstation, then it is easier to disable the firewall manually as I log into each PC.

If I don't update or don't restart the workstation, how long is it likely to be before no firewall takes effect?
 
davorin Commented:
You must run gpupdate on each workstation.
Group policy refresh takes place every 90-120 minutes. But not all policies are refreshed during background refresh. I'm not sure about FW.
http://msdn.microsoft.com/en-us/library/aa373482(VS.85).aspx
 
Rant32 Commented:
Doesn't this require a more permanent solution to the client firewall configuration? Isn't there some administration console with NOD that needs to contact the clients, to manage your AV? How about new clients or re-deployments?

If you have the option, I'd consider adding a File- and Printer sharing exception for the deployment server, and adding port exception(s) so the AV client can be managed from the console.
0
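
The scoped exception Rant32 suggests, as an added example that is not part of the thread: a batch script run locally on each XP SP2+ workstation (interactively or as a computer startup script) that keeps Windows Firewall on and allows File and Printer Sharing only from the deployment server. `192.0.2.10` is a placeholder for that server's address, and the `open`/`close`/`status` arguments are this example's own.

```bat
@echo off
rem Added example, not from the thread.
rem Assumption: DEPLOY_IP is a placeholder for the server that pushes the installer.
setlocal
set DEPLOY_IP=192.0.2.10

if /i "%~1"=="open"   goto open
if /i "%~1"=="close"  goto close
if /i "%~1"=="status" goto status
echo Usage: %~nx0 open ^| close ^| status
exit /b 2

:open
rem Keep the firewall enabled and make sure exceptions are honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
rem Allow File and Printer Sharing (SMB, needed for ADMIN$) from one address only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%DEPLOY_IP% profile=DOMAIN
if errorlevel 1 (echo Failed to add the exception & exit /b 1)
goto status

:close
rem Remove the exception again once the push install has finished.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=DOMAIN
if errorlevel 1 (echo Failed to remove the exception & exit /b 1)
goto status

:status
rem Print the resulting state so it can be checked or captured in a log.
netsh firewall show opmode
netsh firewall show service
exit /b 0
```

Firewall settings delivered by Group Policy take precedence over these local netsh settings, so the script only has an effect where no GPO configures the same items.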
 
davorin Commented:
NOD32 requires a disabled firewall only at installation. I have never investigated what ports it needs, because after installation NOD32 runs fine with the firewall on.
 
Rant32 Commented:
The LAN Update Server seems to be the only component that wants to contact the client (port 8081 default). But that's probably optional for a working deployment. Deployment requires access to the ADMIN$ share.

AFAIK, if the firewall gets disabled with gpupdate, then it will disable with a background policy refresh.

You may temporarily want to turn down the GP Update refresh interval (to 5 minutes or so) before moving clients to the No Firewall OU, so they pick up the new policy faster after moving them and back.
 
MidnightOne Commented:
Psexec can also do this. Log on to the DC with a domain admin account. Install PsTools (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx), then from a command prompt enter psexec \\* "gpupdate /force" - this should force all systems to update.
 
EnriquePhoenix Commented:
I would use netsh to disable the firewall temporarily.
The psexec command to disable/enable firewall is: netsh firewall set opmode mode = disable
To enable run: netsh firewall set opmode mode = enable
This will ensure that it is off and you won't have to wait. Though I think you have to reboot with GPO to get the firewall to turn off; I never had any luck with GPUPDATE. Does somebody know this for sure?
 
paulms53 Commented:
You can use psexec to execute the command. For multiple workstations, I recommend doing the following:

1. run net view
2. copy and paste all computer names (without \\) to a txt file (call it clients.txt, make sure to filter out workstations in the OU you want this to affect)
3. psexec @c:\clients.txt gpupdate /force
 
afflik1923 Author Commented:
Whoops. That was meant to be points I was awarding. Don't get that, as it had gradings.

Right, how can I clean this up?
 
afflik1923 Author Commented:
object
 
afflik1923 Author Commented:
Errr, something weird is going on. When I try to award points it posts an objection. I'm confused?
 
davorin Commented:
EE has some problems with accepting more answers with splitting points lately.
 
afflik1923 Author Commented:
What should I do?
 
davorin Commented:
You already posted a request for attention. I hope everything will be closed correctly in 4 days, automatically. And I hope the problem will be corrected soon.
Question has a verified solution.
