Solved

How to disable the group policies that force Windows Firewall ON.

Posted on 2013-01-15
Last Modified: 2014-02-02
I need to stop the group policies from forcing Windows Firewall on.

I followed instructions in this thread:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21995354.html

"Server Management Console > Advanced Management > Group Policy Management > Forest: YourDomain.local > Domains > YourDomain.local > Group Policy Objects.

...right click > GPO Status > All Settings Disabled.  

You must then force the GP's to refresh on each workstation... by opening a command prompt on the server, and entering this:

C:\>gpupdate /force

You'll be prompted to log off, which you should do, and then any user that is currently logged into a workstation must log out and back in for the settings to take effect."


Unfortunately, nothing has changed.  Can anyone tell me what I have done wrong?
Thanks
Question by:nowthenee
10 Comments
 
LVL 7

Expert Comment

by:ded_ch
ID: 38781061
You might want to start figuring out which exact group policy applies the settings to disable the firewall to your clients.

You can do this by running the "rsop.msc" utility on one of the affected machines.
You can either run it through the "Run" command in the Start menu, type it in the search box in the Windows 7 Start menu, or run it from a command prompt.

Once run, it will display all policy settings which are applied to the machine.
Navigate to the Firewall settings and see if the setting is applied. If it is, it will display the name of the group policy object next to the setting.

Now make sure you disabled the setting in the correct GPO.

Hope this helps.
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 38781078
Q: Do you want the firewall off for the machines in this OU?
OR
Do you want the firewall to be able to be turned off by an administrative user on machines in this OU?
0
 
LVL 1

Author Comment

by:nowthenee
ID: 38790318
Sorry for the delay in replying.
I ran rsop.msc and navigated to here:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
In the Domain Profile and the Standard Profile it had:
Windows Firewall: Protect all network connections      Enabled      Small Business Server Windows Firewall
There is an error registered on the Computer Configuration Properties. It says that the "Group Policy Infrastructure" has Failed.  "The specified domain either does not exist or could not be contacted. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available."

I did disable the "Small Business Server Windows Firewall."
What do you think the error message signifies?

ve3ofa, I do not want to force the firewall off; I just want to give control into the hands of the user so that they can turn the firewall on and off.
0

 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 167 total points
ID: 38870059
Is this error on all machines or just one machine?

On the client:

Click Start, click Run, type regedit, and then click OK.
Expand the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Right-click Winlogon, point to New, and then click DWORD Value.
To name the new entry, type GpNetworkStartTimeoutPolicyValue, and then press ENTER.
Right-click GpNetworkStartTimeoutPolicyValue, and then click Modify.
Under Base, click Decimal.
In the Value data box, type 60, and then click OK.
Exit Registry Editor, and then restart the computer.
If the Group Policy startup script does not run, increase the value of the GpNetworkStartTimeoutPolicyValue registry entry.

---
Via Group Policy
Creating a Group Policy network start timeout policy
The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600.

http://support.microsoft.com/kb/840669
0
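The registry steps in the answer above, scripted so they can be repeated on several clients. This is an added example, not part of the original answer; the parameter names `TimeoutSeconds` and `UsePolicyKey` are assumptions made for the script, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: sets the GpNetworkStartTimeoutPolicyValue DWORD described above.
param(
    # Seconds to wait for the network at startup; the answer above uses 60.
    [int]$TimeoutSeconds = 60,
    # Write to the Policies location instead of the Winlogon key.
    [switch]$UsePolicyKey
)

# The answer gives 30 to 600 seconds as the range for this value.
if ($TimeoutSeconds -lt 30 -or $TimeoutSeconds -gt 600) {
    throw "TimeoutSeconds must be between 30 and 600 (got $TimeoutSeconds)."
}

# The two registry locations named in the answer.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$key  = if ($UsePolicyKey) { $policyKey } else { $winlogonKey }
$name = 'GpNetworkStartTimeoutPolicyValue'

# The Policies key may not exist yet on a client without such policies.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Record the previous value so the change can be reverted later.
$previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $previous) { $previous = '(not set)' }

# -Force creates the value or overwrites an existing one.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $TimeoutSeconds -Force | Out-Null

# Read the value back to confirm the write.
$current = (Get-ItemProperty -Path $key -Name $name).$name
"{0}\{1}: {2} -> {3}" -f $key, $name, $previous, $current
'Restart the computer for the new timeout to take effect.'
```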
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 167 total points
ID: 38871111
By default, SBS will always try to enable the Windows Firewall on workstations unless you've tinkered with the default GPOs.

Which version of SBS are you running?   Knowing that would help to advise you properly.

Jeff
TechSoEasy
0
 
LVL 23

Assisted Solution

by:Erik Bjers
Erik Bjers earned 166 total points
ID: 38872924
This error "The specified domain either does not exist or could not be contacted. Note:" tells me that either something is wrong with your domain or with the client's membership to the domain.

Hopefully it is just with the client so I would remove the client from the domain and then add it again either with a different name or after deleting the computer account from ADUC.

If there is a domain membership issue you can change the policy all you want and it will not reach the client.  

If you are seeing this on more than one client you may have an issue with the domain, but try rejoining one computer to see if it fixes the issue before you start digging into possible domain wide issues.

eb
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 38878109
Ah, I missed that comment about the domain cannot be contacted...

This is usually a DNS problem.  

Please post a COMPLETE IPCONFIG /ALL from both the server and the workstation.

Jeff
TechSoEasy
0
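The domain membership and DNS checks suggested in the two comments above can be run on the workstation before rejoining it to the domain. The script below is an added example, not posted by anyone in this thread; it is read-only and assumes Windows 7 or later with PowerShell 2.0, English-language `nslookup` output, and that `nltest.exe` is present on the client.

```powershell
# Added example (not from the thread): read-only checks for the RSoP error
# "The specified domain either does not exist or could not be contacted".
# Run on the affected workstation. Assumes English-language nslookup output.

$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'This computer is not joined to a domain.' }
$domain = $cs.Domain    # DNS name of the joined domain, e.g. YourDomain.local

# 1. DNS servers configured on the client's IP-enabled adapters. Each one has
#    to be a server that can answer for the Active Directory zone.
$dnsServers = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } |
    Where-Object { $_ } |
    Select-Object -Unique)

# 2. The SRV record clients query to locate a domain controller.
$srvName   = "_ldap._tcp.dc._msdcs.$domain"
$srvOutput = & nslookup.exe -type=SRV $srvName 2>&1 | Out-String
$srvFound  = $srvOutput -match 'svr hostname'

# 3. Ask the DC locator for a domain controller (exit code 0 means one was found).
& nltest.exe "/dsgetdc:$domain" 2>&1 | Out-Null
$dcLocated = ($LASTEXITCODE -eq 0)

# 4. Verify the computer account's secure channel with the domain.
try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
catch { $channelOk = $false }

New-Object PSObject -Property @{
    Domain          = $domain
    DnsServers      = $dnsServers -join ', '
    SrvRecordFound  = $srvFound
    DcLocated       = $dcLocated
    SecureChannelOk = $channelOk
} | Format-List

if (-not $srvFound) {
    'SRV lookup failed: check the DNS servers above against IPCONFIG /ALL on the server.'
} elseif (-not $channelOk) {
    'DNS resolves but the secure channel is broken: look at the domain membership.'
} else {
    'DNS and secure channel look healthy; run gpupdate /force and re-check rsop.msc.'
}
```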
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 38880650
Good point, Jeff. I forgot about DNS issues.
0
