2008 GPO

lacroix_al asked:

Hi,
I have a 2003 domain running AD and using GPOs.
In this domain I have two 2008 servers, one Vista machine, and 600 XPP machines.
When I apply the GPO to the 2008 servers and the Vista machine I lose access:
no RDP, ping or any inbound connection from the network.
The machine is able to go out anywhere it wants (network, internet).
The GPO has a setting for the firewall service to be disabled as well as the MPSSVC service disabled.

What setting in this GPO could cause these machines to block incoming traffic but not cause the XPP machines to have the same issue?
I would post the GPO but it has private info in it.

Thanks,
Al
sonic4269 replied:

I'm not sure, but this is what I would do to find out:

At the command prompt on a machine with the policy applied, type "gpresult" and note any policies that are being applied and the order. Make sure no rogue policies are being applied that you don't want.

In the Group Policy Management console click the settings tab on each policy being applied and go through each item one at a time to verify that it could not be causing the issue.  

This way you are seeing every item being applied and can hopefully rule out which one is causing this.  

Since it's not doing it to the XP machines, it could be a new policy for Vista/2008. Have you upgraded the functional level of your domain to 2008 yet? (I would guess no, since you said it's a 2003 domain.)
I would still look closely at firewall settings. Since Vista/2008/7 have 3 different zones by default, they could be reverting to a zone that is NOT disabled in the GP.

lacroix_al (asker) replied:

sonic4269:
Thank you for the reply.
I did exactly as you said above.
It does feel like a firewall issue to me as well.

What are the three zones you are talking about for Vista/2008/7?
I think I may only be controlling one zone with this GPO.

You are correct on the functionality level still being at 2003.

sonic4269 replied:

You know how when you first set up a machine it asks for "Home, Work, or Public location"? This helps determine what services and firewall rules are applied. In a 2008 domain you can control these different zones independently. So a laptop at the office would have different rules applied than when it is connected to a home network, for instance. Your GPO may be switching to a different zone.

http://trycatch.be/blogs/roggenk/archive/2008/01/28/network-locations-in-windows-vista-amp-windows-server-2008.aspx
I know our domain is at 2003 functional level as well, with the firewall turned off in our default domain policy. Our Windows 7 clients have the firewall completely off as well, but depending on how you have set the firewall to be OFF it could be different.

Even in a 2003 domain you should still see different profiles for the firewall. "Domain and Standard", I think.

lacroix_al (asker) replied:

To turn off the firewall, in the GPO under Computer Configuration\Windows Settings\Security Settings\System Services\Windows Firewall (startup mode: Disabled). Should I do something else?
How did you do it?

sonic4269 replied:

We have it turned off under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Protect all network connections = Disabled.
lacroix_al (asker) replied:

I just checked, I have a Domain and a Standard profile folder under Windows Firewall.
Inside of those I have "Protect all network connections" = Disabled.

Any other thoughts?
ASKER CERTIFIED SOLUTION
sonic4269
lacroix_al (asker) replied:

OK, new discovery:
if I start the Windows Firewall service I can then gain access to the server through RDP.
What are your thoughts on that?
sonic4269 replied:

That's what I expected.

Disabling the firewall service is unsupported by Microsoft.

You need to re-enable it in your group policy and use Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Protect all network connections = Disabled to turn the firewall off instead.

I think if you were on a 2008 domain you would be able to disable the service in GP since it knows what you are trying to accomplish. I know if you do it on the local machine you will have the same results, though.
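The following PowerShell script is an added example, not code posted in this thread. It puts the two diagnostics the replies suggest (run gpresult, then check whether the policy has disabled the Windows Firewall service and which firewall profiles the "Protect all network connections" setting actually reached) into one check that can be run elevated on an affected Vista/2008 machine after "gpupdate /force". The registry paths are the documented policy and local firewall keys (EnableFirewall under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and under the SharedAccess FirewallPolicy key); the mapping of the thread's Domain/Standard folders onto Vista's Domain/Private/Public profiles, with Public left unmanaged by a 2003-era template, is an assumption stated in the comments.

```powershell
# Added example (not from the thread). Run elevated on one of the affected
# Vista/2008 machines after "gpupdate /force".
# Assumptions: profile key names DomainProfile/StandardProfile/PublicProfile,
# with the thread's "Standard" folder mapping to Vista's Private profile and
# PublicProfile not managed by a 2003-era template.

# 1. Which GPOs reached this machine, and in what order (first reply's step).
gpresult /r /scope:computer

# 2. Service startup type. A GPO entry under Security Settings\System Services
#    that disables the Windows Firewall service shows up as StartMode=Disabled.
#    The thread found that with the service stopped, inbound traffic is dropped
#    even though the firewall policy says "off".
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"
"MpsSvc: State={0} StartMode={1}" -f $svc.State, $svc.StartMode
if ($svc.StartMode -eq 'Disabled') {
    Write-Warning 'MpsSvc is Disabled by policy. Set it back to Automatic and turn the firewall off with "Protect all network connections" = Disabled instead.'
}

# 3. Per-profile policy value versus local state. "Protect all network
#    connections" = Disabled writes EnableFirewall = 0 under the Policies hive
#    for the profile it was set in. If a profile shows "not set by policy", the
#    machine falls back to its local value whenever it lands in that zone.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $pol = Get-ItemProperty -Path (Join-Path $policyRoot $profile) -Name EnableFirewall -ErrorAction SilentlyContinue
    $loc = Get-ItemProperty -Path (Join-Path $localRoot  $profile) -Name EnableFirewall -ErrorAction SilentlyContinue
    $polText = if ($pol) { $pol.EnableFirewall } else { 'not set by policy' }
    $locText = if ($loc) { $loc.EnableFirewall } else { 'n/a' }
    "{0,-16} policy EnableFirewall = {1,-17} local EnableFirewall = {2}" -f $profile, $polText, $locText
}

# 4. What the firewall engine itself reports: the profile active on the
#    current network connection, and the on/off state of every profile.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles state
```

A healthy result for the fix described above is MpsSvc running with StartMode=Auto, EnableFirewall = 0 from policy in every profile the machine can land in, and "State OFF" for all profiles in the netsh output; a profile that the netsh output reports as active but that the loop reports as "not set by policy" is the zone the first reply warned about.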

lacroix_al (asker) replied:

Yes, I had both of them disabled.