Solved

Windows 7 SP 1 Remote Administration blocked

Posted on 2011-03-24
Last Modified: 2012-05-11
After deploying Windows 7 SP1, my VBScripts fail when I try to gather data and remotely administer our domain client machines.  The scripts worked fine before SP1, but now I get an error indicating the machine can't be reached.

I checked the firewall settings on the Windows 7 SP1 clients, and Remote Desktop and Remote Administration are "Blocked" and these services are specifically "Allowed" by our GPO settings.

- How can I reverse this - I tried uninstalling SP1 but the settings remained?
- How can I bypass this or modify scripts so that I can do simple remote WMI queries, etc?

Thanks....

DavidS
Question by:DWStovall
 
LVL 11

Expert Comment

by:remixedcat
ID: 35212072
start>run>services.msc>check to see if proper services are enabled for this.
0
 

Author Comment

by:DWStovall
ID: 35217776
@ remixedcat:

Thanks for the response.  Attached is a partial screen shot of a typical list of services on one of our Windows 7 machines.

We have a GPO in place for all domain client machines that enables "Remote Desktop."  We've been running the GPO effectively for the past 3 years.  It enables us to RDP into client machines from our Help Desk workers.  I have also used a number of VBScripts to remotely connect to and gather data from the clients throughout the network.  These scripts have also worked perfectly for a number of years.  I know there is nothing wrong/changed with either the GPOs or the VBScripts.

We installed SP1 to Windows7, and since that time, we cannot RDP into domain client machines nor do my scripts work on these machines.  They (both RDP and Scripts) still work fine on XP machines, just not on the Windows 7 boxes.

When I check the local RDP Configuration Settings, RDP is enabled - See the attachment "LocalRDPSettings".

Finally, the attachment "LocalFirewallSettings" shows the "Remote Assistance" and "Remote Desktop" inbound rules.  The item highlighted in green is the inbound rule created by our GPO to allow inbound requests for RDP.  The item highlighted in yellow overrides the one in green because it's a "BLOCK".  This is created somehow with the installation of SP1.  I suspect that the items highlighted in blue are also created by SP1.  When I click on either the yellow or blue items, the properties give the same popup indicating "This rule has been applied by the system administrator and cannot be modified."  Only, we don't have any GPOs doing this - it all seems to have been done with SP1.

I hope all of this makes sense.

DavidS


RemoteServices.gif
LocalRDPSettings.gif
LocalFirewallSettings.gif
0
 
LVL 11

Accepted Solution

by:
remixedcat earned 500 total points
ID: 35217826
There are many issues being reported with SP1 and many high level techs are recommending to NOT install it and try to roll back if possible. I will research this further, as I was planning on upgrading my server 2008 setup to server 2008 R2 and was debating installing the service pack or not. This is more evidence to present that so I appreciate the screenshots as well as your details.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218069
FOUND A TEMPORARY SOLUTION!!!

Create a folder anywhere on your computer.  I did C:\RDP

Find a computer with Windows 7, without SP1 and navigate to their C:\Windows\System32\ and copy mstsc.exe, and mstscax.dll and paste them into the C:\RDP folder that you have created.

Then on the Non-SP1 machine, go to C:\Windows\System32\en-US and copy mstsc.exe.mui, and mstscax.dll.mui.

Then create a subdirectory in your C:\RDP folder called en-US and paste the 2 .mui files in there.

After that, run the MSTSC.exe file, log into your terminal server, and remote away!!!
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218147
what I've gathered is other hotfixes that remained after sp1 was rolled back are interfering.

try deleting the GPO and start it over. service packs are known to reset windows settings as well.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218227
also firewall could have gotten reset as well with the install of sp1
0
 

Author Comment

by:DWStovall
ID: 35218447
Thanks for all the feedback.  I am reluctant to go about hacking things.  

It just seems so crazy for MS to implement something so draconian to keep legitimate administrators from doing their job, or is there some other piece of the puzzle that we aren't seeing - like new tools aimed at doing what I need to do - remotely administer domain client computers.

Is anyone experiencing what I am?  Why isn't this a bigger deal than it seems to be?  Were we just one of the stupid ones for pushing out this SP so soon?

Questions abound!!!
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218620
have you tried the firewall settings? I know that I had to reset some of those back when I installed 2008 SP2.

this page is also helpful; it's not just you:
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/be7f31f9-fe09-4255-bc66-7b8f8a1c1e00

0
 

Author Comment

by:DWStovall
ID: 35218664
All of the firewall settings indicated in yellow and blue (on the previous attachments) cannot be deleted.  I can go to the firewall rules and right click and delete most of them - however, the ones mentioned don't provide that option.  I haven't tried using the NETSH command line thingy...perhaps that's the answer.  Right now, I'm examining the registry to see if there's something to lend a clue.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218706
ok so all firewall rules are the same as before SP1 right?

try the command line thing and see if it helps. I'm having connection issues at the moment so I'll try to research this when I can. This concerns me as well and I'm reluctant to upgrade to SP1 if I can't find a fix and if there are no solutions here then I will tell others.

This is helping me out as well! and Thank you as well.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218723
as for the VBS scripts MS might have done something with SP1 as well ...
0
 

Author Comment

by:DWStovall
ID: 35218727
No, as far as I know, these firewall rules were not here prior to SP1 - I believe they were created by the installation of SP1.  However, I don't have any clean Windows 7 boxes to test that theory.
0
 

Author Comment

by:DWStovall
ID: 35218815
Yes...the SP1 change modified/created the Firewall items marked in blue which affect "Remote Administration" which affects my ability to use VBScripts to query WMI on the remote systems.

0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218824
ok are you able to look at and set up the client's firewall rules locally to look at the firewall rules.... without the GPO???
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218888
this may be close:

Windows 7 actually uses a different GPO setting for its firewall.

Edit the group policy from a Server2008/Vista/Windows 7 computer. You cannot edit this group policy from server 2003 or XP. If you do not have a 2008 server, use a Vista or 7 machine. You can install Group Policy Management Console on Windows 7 and Vista by installing RSAT from the Microsoft download center then adding GPMC through Programs and Features.

Once you have the policy open, you'll find the correct configuration under Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security. Create a new inbound rule using the predefined File and Printer Sharing.
0
 

Author Comment

by:DWStovall
ID: 35218953
I can go into Control Panel on a Windows7 machine, open Firewall, open Advanced, and I can create new inbound rules - there's even a drop down box listing the services and such that I can control; however, Remote Desktop and Remote Administration are not amongst those listed.  I can't change them.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35218996
wow this is bad when you can't even control those locally.
0

 
LVL 11

Expert Comment

by:remixedcat
ID: 35219103
I just found out that the RSAT tool isn't compatible with win7SP1.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35219146
look at the registry settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
0
 

Author Comment

by:DWStovall
ID: 35219239
Yes indeed, the registry link you provided takes me to the Firewall inbound exceptions that we created with our GPO - the ones we've been using for years to open a path on client machines so that we can use Remote Desktop to manage client machines.  

The attached image shows the settings created by our GPO, however, there are no registry settings in there for the Firewall configurations created by the SP1.
LocalFirewallRegSettings.gif
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35219256
most of the ideas I'm being pointed to are things from redoing the GPO on the win7 machines, to using VNC or another app for remote connections. it seems to be a SP1 problem.
0
 

Author Comment

by:DWStovall
ID: 35219738
Indeed, SP1 is the issue.  My next direction of focus will be aimed at the Group Policies to see if MS created a new set of configurable policy items intended to reverse these forced (default) configurations to block RDP and Remote Admin...

Have a great weekend...
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35219802
Good luck! ;-)
0
 

Author Comment

by:DWStovall
ID: 35219814
@ remixedcat:  Thank you for your help and ideas today - I do sincerely appreciate you.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35219834
You are most welcome.
0
 
LVL 30

Expert Comment

by:ded9
ID: 35223312
Run this command in an elevated command prompt

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose


After running the command restart the computer.

If the above does not work then run subinacl.

Install subinacl and run the reset.cmd script. Check this website to get the script and link of subinacl.

http://blogs.msdn.com/b/astebner/archive/2006/09/04/739820.aspx


Your issue will be resolved by just running the secedit command.



Ded9
0
 

Author Comment

by:DWStovall
ID: 35261383
@ ded9:

Can you provide some background on what this command is doing and why I should be doing it?

I'm not doubting your wisdom/knowledge on the subject, I'm just certain that my boss would frown on me making changes that I don't understand.

Please provide some reasoning on the command.

Thank you...
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35261442
this may give more insight as to his reasoning:
http://support.microsoft.com/kb/313222
0
 
LVL 30

Expert Comment

by:ded9
ID: 35261883
secedit will reset your security setting.

Subinacl will make sure there is no block in the registry.


Ded9
0
 

Assisted Solution

by:DWStovall
DWStovall earned 0 total points
ID: 35360119
I apologize for the delay.  After more focus on the issue, we narrowed the problem down to security settings invoked by SP1 to Windows 7.

Solution:  We've had firewall, remote desktop, and remote administration settings configured for years through Group Policy.  When we brought Windows 7 machines onto the network, we didn't make any changes to the settings in our existing GPOs.  The existing settings (those meant for XP and below) continued to work for the initial release of Windows 7; however, SP1 focused on "Security" and forced Windows 7 machines to look in a different location for firewall settings relating to remote administration and remote desktop.

Check it out...when we started from scratch and looked up how to configure remote desktop via GPO for Windows 7, we got a completely different section of the policy that relates to firewall-remote desktop.

When we reconfigured the GPOs and rebooted the Windows 7 machines, everything began working as advertised.  These settings also affected our ability to push out administrative changes for our Symantec client deployment.  

We are now in the process of reviewing all GPO settings per newer Windows 7 requirements - there are a few differences, and the newer security settings for Windows 7 SP1 (released during the March 2011 Patch Tuesday) do make remote administration a bit more difficult.

Awarding points for effort.

Thank you....
0
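
An added example, not part of any post in this thread: a PowerShell check for the situation DWStovall describes, where an enabled Block rule overrides the GPO's Allow rule for the same port. The FirewallRules registry paths, the pipe-delimited rule layout and the sample rule strings are assumptions or constructed values that the thread does not give.

```powershell
# Added example: list inbound Allow rules that an enabled Block rule overrides.
# Assumed (not from the thread): the FirewallRules subkeys and the "key=value|" layout.
$Stores = @{
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
    Local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
}

function ConvertFrom-RuleString([string]$Store, [string]$Text) {
    $rule = @{ Store = $Store; Name = ''; Action = ''; Active = ''; Dir = ''; Protocol = ''; LPort = @() }
    foreach ($field in ($Text -split '\|')) {
        $key, $value = $field -split '=', 2
        if ($null -eq $value) { continue }            # version token or empty tail
        if ($key -eq 'LPort') { $rule.LPort += $value } else { $rule[$key] = $value }
    }
    New-Object PSObject -Property $rule
}

function Get-StoredRule {
    # Policy = delivered by GPO, Local = created on the machine itself.
    foreach ($store in $Stores.Keys) {
        $regKey = Get-Item -Path $Stores[$store] -ErrorAction SilentlyContinue
        if ($regKey) {
            foreach ($id in $regKey.GetValueNames()) {
                ConvertFrom-RuleString $store ([string]$regKey.GetValue($id))
            }
        }
    }
}

function Find-ShadowedAllow($Rules) {
    $live   = @($Rules | Where-Object { $_.Active -eq 'TRUE' -and $_.Dir -eq 'In' })
    $blocks = @($live | Where-Object { $_.Action -eq 'Block' })
    foreach ($allow in ($live | Where-Object { $_.Action -eq 'Allow' })) {
        foreach ($block in $blocks) {
            if ($block.Protocol -and $block.Protocol -ne $allow.Protocol) { continue }
            # A Block rule with no LPort field covers every port of its protocol.
            $ports = @($allow.LPort | Where-Object { $block.LPort.Count -eq 0 -or $block.LPort -contains $_ })
            if ($ports.Count -gt 0) {
                New-Object PSObject -Property @{
                    Ports = $ports -join ','; Allow = "$($allow.Store): $($allow.Name)"
                    Block = "$($block.Store): $($block.Name)"
                }
            }
        }
    }
}

# Constructed sample rules (not taken from the thread's machines).
$sample = @(
    (ConvertFrom-RuleString 'Policy' 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=GPO allow RDP|'),
    (ConvertFrom-RuleString 'Policy' 'v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Remote Desktop (TCP-In)|'),
    (ConvertFrom-RuleString 'Local'  'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=File sharing|')
)
Find-ShadowedAllow $sample | Format-Table -AutoSize
```

On a live client, run `Find-ShadowedAllow @(Get-StoredRule)` from an elevated prompt; a row whose Block column starts with "Policy" points at a rule delivered by Group Policy rather than one created on the machine.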
 

Author Comment

by:DWStovall
ID: 35360122
I object to simply closing the question.  I would like to award the points to those who participated - they put in a lot of effort, particularly remixedcat, and I didn't want that effort to go unnoticed.
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35360145
Glad to help
0
 
LVL 8

Expert Comment

by:SeaSenor
ID: 35383839
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

here is the RSAT for win7 with sp1

sure, i'll take a couple points  lol      :D  
0
 

Author Closing Comment

by:DWStovall
ID: 35390708
Thank you remixedcat and ded9 for all your help...
0
 
LVL 11

Expert Comment

by:remixedcat
ID: 35390750
no problem-o ;-) glad to assist!!
0
