Solved

How to disable the group policies that force Windows Firewall ON.

Posted on 2013-01-15
Last Modified: 2014-02-02
I followed instructions in this thread:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21995354.html

I need to stop the group policies from forcing Windows Firewall on.

"Server Management Console > Advanced Management > Group Policy Management > Forest: YourDomain.local > Domains > YourDomain.local > Group Policy Objects.

...right click > GPO Status > All Settings Disabled.  

You must then force the GP's to refresh on each workstation... by opening a command prompt on the server, and entering this:

C:\>gpupdate /force

You'll be prompted to log off, which you should do, and then any user that is currently logged into a workstation must log out and back in for the settings to take effect."


Unfortunately, nothing has changed.  Can anyone tell me what I have done wrong?
Thanks
0
Question by:nowthenee
10 Comments
 
LVL 7

Expert Comment

by:ded_ch
ID: 38781061
You might want to start figuring out which exact group policy applies the settings to disable the firewall to your clients.

You can do this by running the "rsop.msc" utility on one of the affected machines.
You can either run it through the "Run" command in the Start menu, type it into the search box in the Windows 7 Start menu, or run it from a command prompt.

Once run, it will display all policy settings which are applied to the machine.
Navigate to the Firewall settings and see if the setting is applied. If it is, it will display the name of the group policy object next to the setting.

Now make sure you disabled the setting in the correct GPO.

Hope this helps.
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 38781078
Q: Do you want the firewall off for the machines in this OU?
OR
Do you want the firewall to be able to be turned off by an administrative user on machines in this OU?
0
 
LVL 1

Author Comment

by:nowthenee
ID: 38790318
Sorry for the delay in replying.
I ran rsop.msc and navigated to here:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
In the Domain Profile and the Standard Profile it had:
Windows Firewall: Protect all network connections      Enabled      Small Business Server Windows Firewall
There is an error registered on the Computer Configuration Properties. It says that the "Group Policy Infrastructure" has Failed.  "The specified domain either does not exist or could not be contacted. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available."

I did disable the "Small Business Server Windows Firewall."
What do you think the error message signifies?

ve3ofa, I do not want to force the firewall off; I just want to give control into the hands of the user so that they can turn the firewall on and off.
0
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 167 total points
ID: 38870059
Is this error on all machines or just one machine?

On the client:

Click Start, click Run, type regedit, and then click OK.
Expand the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Right-click Winlogon, point to New, and then click DWORD Value.
To name the new entry, type GpNetworkStartTimeoutPolicyValue, and then press ENTER.
Right-click GpNetworkStartTimeoutPolicyValue, and then click Modify.
Under Base, click Decimal.
In the Value data box, type 60, and then click OK.
Exit Registry Editor, and then restart the computer.
If the Group Policy startup script does not run, increase the value of the GpNetworkStartTimeoutPolicyValue registry entry.

---
via group policy
Creating a Group Policy network start timeout policy
The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600.

http://support.microsoft.com/kb/840669
0
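The registry change from the answer above as a script, added here as an example that is not part of the original post. The parameter names and the `-UsePolicyKey` switch are assumptions of this example; the value name, the two key paths and the 30 to 600 second range come from the answer.

```powershell
# Added example: set GpNetworkStartTimeoutPolicyValue on a client.
# Run from an elevated Windows PowerShell prompt, then restart the computer.
param(
    [ValidateRange(30, 600)]      # range of seconds given in the answer
    [int]$TimeoutSeconds = 60,    # value used in the answer's manual steps
    [switch]$UsePolicyKey         # hypothetical switch: write to the Policies key instead
)

$name     = 'GpNetworkStartTimeoutPolicyValue'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$target   = if ($UsePolicyKey) { $policy } else { $winlogon }

# Show what is configured in both locations before changing anything,
# so a value pushed by a GPO is not silently shadowed by a local one.
foreach ($key in $winlogon, $policy) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = '(not set)' }
    Write-Output ("{0} : {1}" -f $key, $current)
}

# Create the key if it is missing (the Policies key may not exist yet).
if (-not (Test-Path -Path $target)) {
    New-Item -Path $target -Force | Out-Null
}

# Write the DWORD; -Force overwrites an existing value of the same name.
New-ItemProperty -Path $target -Name $name -PropertyType DWord `
    -Value $TimeoutSeconds -Force | Out-Null

# Read it back to confirm the write succeeded.
$written = (Get-ItemProperty -Path $target -Name $name).$name
Write-Output ("{0} is now {1} seconds under {2}" -f $name, $written, $target)
Write-Output 'Restart the computer for the new timeout to take effect.'
```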
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 167 total points
ID: 38871111
By default, SBS will always try to enable the Windows Firewall on workstations unless you've tinkered with the default GPO's.

Which version of SBS are you running?   Knowing that would help to advise you properly.

Jeff
TechSoEasy
0
 
LVL 23

Assisted Solution

by:Erik Bjers
Erik Bjers earned 166 total points
ID: 38872924
This error "The specified domain either does not exist or could not be contacted. Note:" tells me that either something is wrong with your domain or with the client's membership to the domain.

Hopefully it is just with the client so I would remove the client from the domain and then add it again either with a different name or after deleting the computer account from ADUC.

If there is a domain membership issue you can change the policy all you want and it will not reach the client.  

If you are seeing this on more than one client you may have an issue with the domain, but try rejoining one computer to see if it fixes the issue before you start digging into possible domain wide issues.

eb
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 38878109
Ah, I missed that comment about the domain cannot be contacted...

This is usually a DNS problem.  

Please post a COMPLETE IPCONFIG /ALL from both the server and the workstation.

Jeff
TechSoEasy
0
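A client-side check for the two findings in this thread, the "domain could not be contacted" error and the firewall policy that stays applied, written as an added example that is not part of any post. It assumes the "Protect all network connections" setting is stored as `EnableFirewall` under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall`, and that the workstation's primary DNS suffix is the domain name.

```powershell
# Added example: run on an affected workstation in Windows PowerShell.
$domain = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if (-not $domain) {
    Write-Warning 'No primary DNS domain found; is this machine joined to the domain?'
    return
}
Write-Output "Checking domain: $domain"

# 1. DNS servers the client is actually using (the IPCONFIG /ALL detail requested above).
ipconfig /all | Select-String -Pattern 'DNS Servers' -Context 0,2

# 2. Can the client resolve the domain controller SRV record through those servers?
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null
if ($srv -match 'svr hostname') {
    Write-Output 'SRV lookup OK:'
    $srv -match 'svr hostname'
} else {
    Write-Warning "No domain controller SRV record resolved for $domain (DNS problem)."
}

# 3. Can the DC locator find a domain controller?
nltest "/dsgetdc:$domain"
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'DC locator failed; Group Policy cannot refresh until this works.'
}

# 4. Is the firewall still being forced on by policy? 1 = forced on.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $value = (Get-ItemProperty -Path "$base\$fwProfile" -Name EnableFirewall `
                  -ErrorAction SilentlyContinue).EnableFirewall
    if ($null -eq $value) { $value = 'not configured by policy' }
    Write-Output ("{0}\EnableFirewall = {1}" -f $fwProfile, $value)
}
```

If steps 2 or 3 fail, the values reported in step 4 are whatever the last successful policy refresh left behind, so a GPO change made on the server will not show up until the client can reach the domain again.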
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 38880650
Good point, Jeff. I forgot about DNS issues.
0