Solved

How to disable the group policies that force Windows Firewall ON.

Posted on 2013-01-15
10
257 Views
Last Modified: 2014-02-02
I followed instructions in this thread:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21995354.html

"Server Management Console > Advanced Management > Group Policy I need to stop the group policies from forcing Windows Firewall on.

Management > Forest: YourDomain.local > Domains > YourDomain.local > Group Policy Objects.

...right click > GPO Status > All Settings Disabled.  

You must then force the GP's to refresh on each workstation... by opening a command prompt on the server, and entering this:

C:\>gpupdate /force

You'll be prompted to log off, which you should do, and then any user that is currently logged into a workstation must log out and back in for the settings to take effect."


Unfortunately, nothing has changed.  Can anyone tell me what I have done wrong?
Thanks
0
Comment
Question by:nowthenee
  • 2
  • 2
  • 2
  • +2
10 Comments
 
LVL 7

Expert Comment

by:ded_ch
ID: 38781061
You might want to start figuring out which exact group policy applies the settings to disable the firewall to your clients.

You can do this by running the "rsop.msc" utility on one of the affected machines.
You can either run it through the "run" command in start menu, type it in search in the windows 7 start menu or run it from a command prompt.

Once ran it will display all policy settings which are applied to the machine.
Navigate to the Firewall settings and see if the setting is applied. If it is, it will display the name of the group policy object next to the setting.

Now make sure you disabled the setting in the correct GPO.

Hope this helps.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 38781078
Q: Do you want the firewall off for the machines in this OU?
OR
Do you want the firewall to be able to be turned off by an administrative user  machines in this OU?
0
 
LVL 1

Author Comment

by:nowthenee
ID: 38790318
Sorry for the delay in replying.
I ran rsop.msc and navigated to here:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
In the Domain Profile and the Standard Profile it had:
Windows Firewall: Protect all network connections      Enabled      Small Business Server Windows Firewall
There is an error registered on the Computer Configuration Properties. It says that the "Group Policy Infrastruture" has Failed.  "The specified domain either does no exist or could not be contacted. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available."

I did disable the "Small Business Server Windows Firewall."
What do you think the error message signifies.

ve3ofa, I do not want to force the firewall off; I just want to give control into the hands of the user so that they can turn the firewall on and off.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 167 total points
ID: 38870059
Is this error on all machines or just one machine?

on the client:

Click Start, click Run, type regedit, and then click OK.
Expand the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Right-click Winlogon, point to New, and then click DWORD Value.
To name the new entry, type GpNetworkStartTimeoutPolicyValue, and then press ENTER.
Right-click GpNetworkStartTimeoutPolicyValue, and then click Modify.
Under Base, click Decimal.
In the Value data box, type 60, and then click OK.
Exit Registry Editor, and then restart the computer.
If the Group Policy startup script does not run, increase the value of the GpNetworkStartTimeoutPolicyValue registry entry.

---
via group policy
Creating a Group Policy network start timeout policy
The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600.

http://support.microsoft.com/kb/840669
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 167 total points
ID: 38871111
By default, SBS will always try to enable the Windows Firewall on workstations unless you've tinkered with the default GPO's.

Which version of SBS are you running?   Knowing that would help to advise you properly.

Jeff
TechSoEasy
0
 
LVL 23

Assisted Solution

by:Erik Bjers
Erik Bjers earned 166 total points
ID: 38872924
This error "The specified domain either does no exist or could not be contacted. Note:" tells me that either something is wrong with your domain or with the client's membership to the domain.

Hopefully it is just with the client so I would remove the client from the domain and then add it again either with a different name or after deleting the computer account from ADUC.

If there is a domain membership issue you can change the policy all you want and it will not reach the client.  

If you are seeing this on more than one client you may have an issue with the domain, but try rejoining one computer to see if it fixes the issue before you start digging into possible domain wide issues.

eb
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 38878109
Ah, I missed that comment about the domain cannot be contacted...

This is usually a DNS problem.  

Please post a COMPLETE IPCONFIG /ALL from both the server and the workstation.

Jeff
TechSoEasy
0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 38880650
good point Jeff, I forgot about DNS issues
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SBS 20011 to Office 365 7 91
Errors  Migrating DHCP from SBS 2008 to Server 2012 r2 2 63
Questions about DHCP migration 5 81
AD backup 6 76
The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
My previous article  (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html)detailed one possible method to get SCCM 2007 installed an…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question