Solved

Force a group policy (disable workstation firewalls) to take effect - how?

Posted on 2010-09-04
Last Modified: 2012-06-21
This weekend I have to roll out ESET NOD32 antivirus to about 50 workstations and I'm using the push option to achieve this.
The push option requires that the firewall is disabled, and this client just uses the XP Windows Firewall on each PC. (Server is Windows 2003 and Exchange 2003)

In Active Directory I created an OU that has the policy of the firewall being disabled (I've not really used group policy much), and my plan was to just drag workstations into the no firewall OU, push out the NOD32 software and then, once installed, put back the firewall on the workstations by removing them from the no firewall OU.

However, I notice that the group policy changes are not immediate. How can I force them to be applied to the workstation, and in addition are there any insights or comments about this method I am using?

Many thanks in advance.
Question by:afflik1923
17 Comments
 
LVL 27

Accepted Solution

by:
davorin earned 1004 total points
ID: 33602349
You can use gpupdate /force at the command prompt, but you will have to log in again for it to take effect. The other option is to restart the computer.
0
 
LVL 27

Assisted Solution

by:davorin
davorin earned 1004 total points
ID: 33602362
Well, you can also try connecting to those computers remotely over computer manager and stopping the Windows Firewall service. I think this will be faster than applying group policy, restarting, ...
0
 

Author Comment

by:afflik1923
ID: 33602365
Hmmmm. Is gpupdate done on the server or the workstation? If workstation, then it is easier to disable the firewall manually as I log into each PC.

If I don't update or don't restart the workstation, how long is it likely to be before no firewall takes effect?
0
 
LVL 27

Assisted Solution

by:davorin
davorin earned 1004 total points
ID: 33602439
You must run gpupdate on each workstation.
Group policy refresh takes place every 90-120 minutes. But not all policies are refreshed during background refresh. I'm not sure about FW.
http://msdn.microsoft.com/en-us/library/aa373482(VS.85).aspx
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33603007
Doesn't this require a more permanent solution to the client firewall configuration? Isn't there some administration console with NOD that needs to contact the clients, to manage your AV? How about new clients or re-deployments?

If you have the option, I'd consider adding a File- and Printer sharing exception for the deployment server, and adding port exception(s) so the AV client can be managed from the console.
0
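
Added example (not part of the thread or any poster's code): one way to apply the scoped File and Printer Sharing exception suggested in the comment above, run locally on a Windows XP SP2 or later workstation, so the firewall stays on during the push install. The server address 192.0.2.10 and the open/close arguments are assumptions for illustration; it also assumes no Group Policy firewall setting overrides the local configuration.

```batch
@echo off
rem Added example, not from the thread. Run locally on each workstation.
rem ASSUMPTION: 192.0.2.10 is a placeholder for the deployment server address.
setlocal
set DEPLOY_SERVER=192.0.2.10

if /i "%~1"=="open"  goto open
if /i "%~1"=="close" goto close
echo Usage: %~nx0 open ^| close
exit /b 1

:open
rem Keep the firewall enabled and allow File and Printer Sharing
rem (needed for ADMIN$ access) from the deployment server only.
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=%DEPLOY_SERVER%
goto report

:close
rem Remove the exception again once the push install has finished.
netsh firewall set service type=fileandprint mode=disable
goto report

:report
rem Print the resulting state so it can be captured in a deployment log;
rem "Operational mode" should still read Enable after either action.
netsh firewall show opmode
netsh firewall show service
exit /b 0
```

Redirecting the output of the report step to a per-machine log file gives a record of which workstations still have the exception open after the rollout.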
 
LVL 27

Expert Comment

by:davorin
ID: 33603045
NOD32 requires a disabled firewall only at installation. I have never investigated what ports it needs, because after installation NOD32 runs fine with the firewall on.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33603135
The LAN Update Server seems to be the only component that wants to contact the client (port 8081 default). But that's probably optional for a working deployment. Deployment requires access to the ADMIN$ share.

AFAIK, if the firewall gets disabled with gpupdate, then it will disable with a background policy refresh.

You may temporarily want to turn down the GP Update refresh interval (to 5 minutes or so) before moving clients to the No Firewall OU, so they pick up the new policy faster after moving them and back.
0
 
LVL 26

Assisted Solution

by:MidnightOne
MidnightOne earned 332 total points
ID: 33603303
Psexec can also do this. Log on to the DC with a domain admin account. Install PsTools (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx), then from a command prompt enter psexec \\* "gpupdate /force" - this should force all systems to update.
0
 
LVL 5

Assisted Solution

by:EnriquePhoenix
EnriquePhoenix earned 332 total points
ID: 33605071
I would use the netsh to disable the firewall temporarily.
The psexec command to disable/enable firewall is: netsh firewall set opmode mode = disable
To enable run: netsh firewall set opmode mode = enable
This will ensure that it is off and you won't have to wait. Though I think you have to reboot with GPO to get the firewall to turn off; I never had any luck with GPUPDATE. Does somebody know this for sure?
0
 
LVL 1

Assisted Solution

by:paulms53
paulms53 earned 332 total points
ID: 33606567
You can use psexec to execute the command. For multiple workstations, I recommend doing the following:

1. run net view
2. copy and paste all computer names (without \\) to a txt file (call it clients.txt, make sure to filter out workstations in the OU you want this to affect)
3. psexec @c:\clients.txt gpupdate /force
0
 

Author Comment

by:afflik1923
ID: 33712480
Whoops. That was meant to be points I was awarding. Don't get that as it had gradings.

Right, how can I clean this up?
0
 

Author Comment

by:afflik1923
ID: 33712481
object
0
 

Author Comment

by:afflik1923
ID: 33712485
Errr, something weird is going on. When I try to award points it posts an objection. I'm confused?
0
 
LVL 27

Expert Comment

by:davorin
ID: 33712650
EE has some problems with accepting more answers with splitting points lately.
0
 

Author Comment

by:afflik1923
ID: 33712655
What should I do?
0
 
LVL 27

Expert Comment

by:davorin
ID: 33712692
You already posted a request for attention. I hope everything will be closed correctly in 4 days - automatically. And I hope the problem will be corrected soon.
0
