Add a firewall rule to Group Policy for SBS Domain

Milkybar-kid asked
I want to add a Program firewall inbound rule for all clients on an SBS2011 Domain.
I have added the rule through Group Policy Management Editor at the following location.
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound rules
I've linked it to the SBSComputers Container.
I've run GPUpdate /force on the clients and logged out and back on three times (or more!), but it doesn't seem to be applying the policy. When I check with GPResult /s /v, it doesn't show the policy I created being applied.
I'm not sure if I have created and linked this in the right place. Any guidance much appreciated.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Philip Elder, Technical Architect - HA/Compute/Storage
Commented:
Create a Machine level GPO. Disable the Users section.

Set up your settings under the Adv. Firewall section.

Note that we also add RDP, Remote Event Log, and Remote Volume Management to that GPO.

Since the GPO is machine level a reboot is required after a GPUpdate /Force.

Philip

Author

Commented:
Thanks Philip, the reboot seems to have resolved it. Additionally, I discovered that some of the machines that were not updating were 64-bit and so I needed to add a second rule with (x86) in the program files path.
Incidentally, how do you disable the user section? I don't seem to be able to find any switches to do this.

Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Disable the user section? What do you mean by user section? For what?

Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
In GPMC, right-click on the GPO and choose Properties. Look down a bit and you will see check boxes to disable User and Computer sections of the GPO.

We disable User components for machine related GPOs and Machine components for User related GPOs. This is a GPO best practice.

Philip
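
Added example, not part of the thread or any poster's own code: a PowerShell sketch covering the two points raised above, disabling the User section of a machine-only GPO and confirming on a client that the policy firewall rules arrived and that each rule's program path exists on that machine (the 32-bit/64-bit path mismatch the author hit). The function names are hypothetical; the script assumes the GroupPolicy module that ships with GPMC and reads the registry key where Windows stores firewall rules delivered by Group Policy.

```powershell
# Added example. Function names are illustrative; pass your own GPO name.

function Disable-GpoUserSection {
    # Run where GPMC is installed (e.g. the SBS server).
    # Equivalent to ticking the "disable User settings" box in the GPO's Properties.
    param([Parameter(Mandatory = $true)][string]$GpoName)
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name $GpoName
    $gpo.GpoStatus = 'UserSettingsDisabled'
    $gpo | Select-Object DisplayName, GpoStatus
}

function ConvertFrom-FirewallRuleString {
    # Splits one stored rule ('v2.10|Action=Allow|Dir=In|App=...|Name=...|')
    # into a hashtable. Repeated fields keep the last value seen.
    param([string]$Rule)
    $fields = @{}
    foreach ($part in $Rule.Split('|')) {
        $kv = $part.Split('=', 2)
        if ($kv.Count -eq 2) { $fields[$kv[0]] = $kv[1] }
    }
    $fields
}

function Get-PolicyFirewallRule {
    # Run on a client after GPUpdate /Force and a reboot.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
    if (-not (Test-Path $path)) { Write-Warning 'No GPO firewall rules on this machine.'; return }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        $f = ConvertFrom-FirewallRuleString ($key.GetValue($name))
        $app = $null; $exists = $null
        if ($f.ContainsKey('App')) {
            # Expand variables such as %ProgramFiles%, then check the file is really there.
            $app = [Environment]::ExpandEnvironmentVariables($f['App'])
            $exists = ($app -eq 'System') -or (Test-Path -LiteralPath $app)
        }
        New-Object PSObject -Property @{
            Name = $f['Name']; Dir = $f['Dir']; Action = $f['Action']
            Active = $f['Active']; App = $app; AppExists = $exists
        }
    }
}

# Constructed sample rule string, parsed offline to show the field layout.
$sample = 'v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Example\app.exe|Name=Example App|'
(ConvertFrom-FirewallRuleString $sample)['App']
```

On a client, `Get-PolicyFirewallRule | Where-Object { $_.AppExists -eq $false }` lists policy rules whose program path is missing on that machine, which is how a rule written for one Program Files folder shows up on a machine that installed the program in the other.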