2008 GPO

I have a 2003 domain running AD and using GPOs.
In this domain I have two 2008 servers, one Vista machine, and 600 XPP machines.
When I apply the GPO to the 2008 servers and the Vista machine I lose access:
no RDP, ping or any inbound connection from the network.
The machine is able to go out anywhere it wants (network, internet).
The GPO has a setting for the firewall service to be disabled, as well as the MPSSVC service disabled.

What setting in this GPO could cause these machines to block incoming traffic but not cause the XPP machines to have the same issue?
I would post the GPO but it has private info in it.

sonic4269 Commented:
Try turning the firewall service back on. I know it makes no sense, but I think that could cause it.

If a virus were able to disable the firewall service it would allow an attacker into a system. Blocking all traffic when the service is disabled would prevent that. (Guessing here.)
I'm not sure, but this is what I would do to find out:

At the command prompt on a machine with the policy applied, type "gpresult" and note any policies that are being applied and the order. Make sure no rogue policies are being applied that you don't want.

In the Group Policy Management console, click the Settings tab on each policy being applied and go through each item one at a time to verify that it could not be causing the issue.

This way you are seeing every item being applied and can hopefully rule out which one is causing this.

Since it's not doing it to the XP machines, it could be a new policy for Vista/2008. Have you upgraded the functional level of your domain to 2008 yet? (I would guess no, since you said it's a 2003 domain.)
I would still look closely at firewall settings. Since Vista/2008/7 have three different zones by default, they could be reverting to a zone that is NOT disabled in the GP.


lacroix_al (Author) Commented:
Thank you for the reply.
I did exactly as you said above.
It does feel like a firewall issue to me as well.

What are the three zones you are talking about for Vista/2008/7?
I think I may only be controlling one zone with this GPO.

You are correct on the functional level still being at 2003.
sonic4269 Commented:
You know how, when you first set up a machine, it asks for "Home, Work, or Public location"? This helps determine what services and firewall rules are applied. In a 2008 domain you can control these different zones independently. So a laptop at the office would have different rules applied than when it is connected to a home network, for instance. Your GPO may be switching to a different zone.

I know our domain is at the 2003 functional level as well, with the firewall turned off in our Default Domain Policy. Our Windows 7 clients have the firewall completely off as well, but depending on how you have set the firewall to be OFF it could be different.

Even in a 2003 domain you should still see different profiles for the firewall: "Domain and Standard", I think.
lacroix_al (Author) Commented:
To turn off the firewall, in the GPO under Computer Configuration\Windows Settings\Security Settings\System Services\Windows Firewall (startup mode: Disabled). Should I do something else?
How did you do it?
sonic4269 Commented:
We have it turned off under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Protect all network connections = Disabled.
lacroix_al (Author) Commented:
I just checked, I have a Domain and a Standard profile folder under Windows Firewall.
Inside of that I have "Protect all network connections" disabled.

Any other thoughts?
lacroix_al (Author) Commented:
New discovery:
if I start the Windows Firewall service I can then gain access to the server through RDP.
What are your thoughts on that?
sonic4269 Commented:
That's what I expected.

Disabling the firewall service is unsupported by Microsoft.

You need to re-enable it in your group policy and use Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Protect all network connections = Disabled to turn the firewall off instead.

I think if you were on a 2008 domain you would be able to disable the service in GP, since it knows what you are trying to accomplish. I know if you do it on the local machine you will have the same results, though.
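
The following PowerShell check is an added example, not code from either participant in this thread. Run it on one of the Vista/2008 members after the GPO has been corrected; it lists the applied computer GPOs, reports the MpsSvc (Windows Firewall) service start mode, reads the policy registry values that the "Protect all network connections" setting writes for the Domain and Standard profiles, and shows what the firewall itself reports per profile. The registry locations are the documented Windows Firewall policy keys; whether those keys exist on your host depends on which settings your GPO actually contains, so treat the key paths and the warning text as this example's assumptions rather than as something stated in the thread.

```powershell
# Added example (not from the thread): verify that the firewall is turned off the
# supported way - MpsSvc left running, "Protect all network connections" set to
# Disabled for both profiles - and flag the combination the thread ran into
# (MpsSvc disabled by GPO, which left inbound RDP blocked).
# Assumptions: run elevated on a Vista/2008 domain member with PowerShell installed.

$ErrorActionPreference = 'Stop'

# 0. Which computer GPOs actually applied, in order (gpresult /r, /scope exist on Vista+).
gpresult /scope computer /r

# 1. The firewall service. Get-Service on PowerShell 1.0/2.0 has no StartMode, so use WMI.
$svc = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
"MpsSvc state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode

# 2. Policy values written by the "Protect all network connections" setting.
#    EnableFirewall = 0 means the firewall is turned off for that profile by policy.
$profiles = @{
    Domain   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    Standard = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
}
foreach ($name in $profiles.Keys) {
    $path = $profiles[$name]
    if (Test-Path $path) {
        $v = (Get-ItemProperty -Path $path).EnableFirewall
        "$name profile: EnableFirewall policy = $v"
    } else {
        "$name profile: no policy key present (local setting applies)"
    }
}

# 3. What the firewall reports per profile on Vista/2008 (Domain, Private, Public).
netsh advfirewall show allprofiles state

# 4. Flag the unsupported combination from the thread.
if ($svc.StartMode -eq 'Disabled') {
    Write-Warning ("MpsSvc is Disabled. In this thread that left inbound RDP blocked even with " +
                   "'Protect all network connections' = Disabled. Set the service back to " +
                   "Automatic under System Services in the GPO and keep the policy setting instead.")
}
```

If step 2 shows no policy key for the Standard profile while the Domain profile has one, only one profile is being controlled by the GPO, which is the "reverting to a zone that is NOT disabled" case described above; compare with the per-profile state that step 3 prints.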

lacroix_al (Author) Commented:
Yes, I had both of them disabled.
Question has a verified solution.