Solved

2008 GPO

Posted on 2011-04-27
Last Modified: 2012-05-11
Hi,
I have a 2003 domain running AD and using GPOs.
In this domain I have 2 2008 servers and one Vista machine, 600 XPP.
When I apply the GPO to the 2008 servers and the Vista machine I lose access.
No RDP, ping or any connection inbound from the network.
The machine is able to go out anywhere it wants (network, internet).
The GPO has a setting for the firewall service to be disabled as well as the MPSSVC service disabled.

What setting in this GPO could cause these machines to block incoming traffic but not cause the XPP machines to have the same issue?
I would post the GPO but it has private info in it.

Thanks
Al
Question by:lacroix_al
 
LVL 3

Expert Comment

by:sonic4269
ID: 35476650
I'm not sure, but this is what I would do to find out:

At the command prompt on a machine with the policy applied, type "gpresult" and note any policies that are being applied and the order. Make sure no rogue policies are being applied that you don't want.

In the Group Policy Management console click the settings tab on each policy being applied and go through each item one at a time to verify that it could not be causing the issue.  

This way you are seeing every item being applied and can hopefully rule out which one is causing this.  

Since it's not doing it to the XP machines it could be a new policy for Vista/2008. Have you upgraded the function level of your domain to 2008 yet? (I would guess no since you said it's a 2003 domain)

Expert Comment

by:sonic4269
ID: 35476687
I would still look closely at firewall settings. Since Vista/2008/7 have 3 different zones by default they could be reverting to a zone that is NOT disabled in the GP.


Author Comment

by:lacroix_al
ID: 35476794
sonic4269:
Thank you for the reply.
I did exactly as you said above.
It does feel like a firewall issue to me as well.

What are the three zones you are talking about for Vista/2008/7?
I think I may only be controlling one zone with this GPO.

You are correct on the functionality level still being at 2003.

Expert Comment

by:sonic4269
ID: 35476840
You know how when you first set up a machine it asks for "Home, Work, or Public location"? This helps determine what services and firewall rules are applied. In a 2008 domain you can control these different zones independently. So a laptop at the office would have different rules applied than when it is connected to a home network, for instance. Your GPO may be switching to a different zone.

http://trycatch.be/blogs/roggenk/archive/2008/01/28/network-locations-in-windows-vista-amp-windows-server-2008.aspx

Expert Comment

by:sonic4269
ID: 35476912
I know our domain is 2003 function as well, with the firewall turned off in our default domain policy. Our Windows 7 clients have the firewall completely off as well, but depending on how you have set the firewall to be OFF it could be different.

Even in a 2003 domain you should still see different profiles for the firewall. "Domain and Standard", I think.

Author Comment

by:lacroix_al
ID: 35477499
To turn off the firewall, in the GPO under computer configuration\windows settings\security settings\system services\windows firewall (startup mode: disabled), should I do something else?
How did you do it?

Expert Comment

by:sonic4269
ID: 35477956
We have it turned off under  Computer/administrative templates/network/network connections/windowsfirewall/Protect all network connections is disabled.

Author Comment

by:lacroix_al
ID: 35478680
I just checked, I have a domain and standard profile folder under windows firewall.
Inside of that I have the Protect all network connections is disabled.

Any other thoughts?

Accepted Solution

by:sonic4269 (earned 2000 total points)
ID: 35479009
Try turning the firewall service back on. I know it makes no sense but I think that could cause it.

If a virus was able to disable the firewall service it would allow an attacker into a system.   By blocking all traffic when the service is disabled it would prevent that.  (guessing here)

Author Comment

by:lacroix_al
ID: 35479014
OK,
new discovery:
if I start the Windows Firewall service I can then gain access to the server through RDP.
What are your thoughts on that?

Expert Comment

by:sonic4269
ID: 35479163
That's what I expected.  

Disabling the firewall service is unsupported by Microsoft.  

You need to re-enable it in your group policy and use Computer/administrative templates/network/network connections/windowsfirewall/Protect all network connections=disabled to turn the firewall off instead.

I think if you were on a 2008 domain you would be able to disable the service in GP since it knows what you are trying to accomplish. I know if you do it on the local machine you will have the same results though.


Author Comment

by:lacroix_al
ID: 35479480
Yes I had both of them disabled.
0
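
Added example, not part of the original thread: a PowerShell check for the condition the thread arrives at, where the Windows Firewall service (MpsSvc) is disabled or stopped on a Vista/2008 machine instead of the firewall being turned off through the "Protect all network connections" policy. The function name and output fields are made up for illustration; the registry path is where that policy is stored for the domain and standard profiles.

```powershell
# Added example (not from the thread). Run locally on a Vista / Server 2008 or later machine.
# Test-FirewallDisableMethod and its output property names are hypothetical.
function Test-FirewallDisableMethod {
    # MpsSvc is the Windows Firewall service the question calls MPSSVC.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"

    # "Protect all network connections" is written per profile as EnableFirewall:
    # 0 = policy turns the firewall off, 1 = on, missing = not configured.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $policy = @{}
    foreach ($name in 'DomainProfile', 'StandardProfile') {
        $value = $null
        $key = Join-Path $base $name
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.EnableFirewall }
        }
        $policy[$name] = $value
    }

    # The thread's symptom: with the service disabled or stopped, inbound
    # connections (RDP, ping) fail while outbound traffic still works.
    $serviceDown = (-not $svc) -or ($svc.StartMode -eq 'Disabled') -or ($svc.State -ne 'Running')

    if ($serviceDown) {
        $finding = 'MpsSvc is disabled or stopped: expect inbound traffic to be blocked. ' +
                   'Re-enable the service and turn the firewall off per profile instead.'
    } elseif ($policy['DomainProfile'] -eq 0 -and $policy['StandardProfile'] -eq 0) {
        $finding = 'Service is running and both profiles are turned off by policy.'
    } else {
        $finding = 'Service is running; at least one profile is not turned off by policy.'
    }

    New-Object PSObject -Property @{
        ServiceStartMode   = if ($svc) { $svc.StartMode } else { 'NotFound' }
        ServiceState       = if ($svc) { $svc.State } else { 'NotFound' }
        DomainProfilePol   = $policy['DomainProfile']
        StandardProfilePol = $policy['StandardProfile']
        Finding            = $finding
    }
}

Test-FirewallDisableMethod | Format-List
```

Running it next to `gpresult` on an affected machine shows whether the GPO's system-services setting, rather than a firewall profile setting, is what changed.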
