Solved

How to disable the group policies that force Windows Firewall ON.

Posted on 2013-01-15
Last Modified: 2014-02-02
I need to stop the group policies from forcing Windows Firewall on.

I followed instructions in this thread:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21995354.html

"Server Management Console > Advanced Management > Group Policy Management > Forest: YourDomain.local > Domains > YourDomain.local > Group Policy Objects.

...right click > GPO Status > All Settings Disabled.  

You must then force the GP's to refresh on each workstation... by opening a command prompt on the server, and entering this:

C:\>gpupdate /force

You'll be prompted to log off, which you should do, and then any user that is currently logged into a workstation must log out and back in for the settings to take effect."


Unfortunately, nothing has changed.  Can anyone tell me what I have done wrong?
Thanks
Question by:nowthenee
10 Comments
 
LVL 7

Expert Comment

by:ded_ch
You might want to start figuring out which exact group policy applies the settings to disable the firewall to your clients.

You can do this by running the "rsop.msc" utility on one of the affected machines.
You can either run it through the "Run" command in the Start menu, type it in search in the Windows 7 Start menu, or run it from a command prompt.

Once run, it will display all policy settings which are applied to the machine.
Navigate to the Firewall settings and see if the setting is applied. If it is, it will display the name of the group policy object next to the setting.

Now make sure you disabled the setting in the correct GPO.

Hope this helps.
0
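Added example (not part of the thread): a PowerShell check, run elevated on an affected workstation, that shows for each firewall profile whether the on/off state is set by policy and then lists the applied GPOs to compare with what rsop.msc reports. It assumes the usual policy registry location for the Windows Firewall administrative template and a client that supports `gpresult /r` (Windows Vista or later).

```powershell
# Added example, not from the thread. Run elevated on an affected workstation.
# Assumption: the "Windows Firewall: Protect all network connections" policy
# is stored as EnableFirewall under the Policies hive, one key per profile.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyState {
    param([string[]]$Profiles = @('DomainProfile', 'StandardProfile'))

    foreach ($profileName in $Profiles) {
        $key   = Join-Path $PolicyRoot $profileName
        $value = $null
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
            if ($item) { $value = $item.EnableFirewall }
        }

        # No value means no GPO sets the state, so the local setting applies
        # and an administrator on the machine can change it; 1 or 0 means the
        # GPO decides and the local control is greyed out.
        if ($null -eq $value) { $state = 'Not configured by policy' }
        elseif ($value -eq 1) { $state = 'Forced ON by policy' }
        else                  { $state = 'Forced OFF by policy' }

        New-Object PSObject -Property @{
            Profile        = $profileName
            EnableFirewall = $value
            State          = $state
        }
    }
}

Get-FirewallPolicyState | Format-Table Profile, EnableFirewall, State -AutoSize

# List the GPOs applied to the computer, to match against the GPO name
# that rsop.msc shows next to the setting.
gpresult /r /scope computer
```

If a profile still reports "Forced ON by policy" after the GPO was disabled and `gpupdate /force` was run, the client has not processed the change, which points at Group Policy processing itself rather than at the firewall GPO.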
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Q: Do you want the firewall off for the machines in this OU?
OR
Do you want the firewall to be able to be turned off by an administrative user on machines in this OU?
0
 
LVL 1

Author Comment

by:nowthenee
Sorry for the delay in replying.
I ran rsop.msc and navigated to here:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
In the Domain Profile and the Standard Profile it had:
Windows Firewall: Protect all network connections      Enabled      Small Business Server Windows Firewall
There is an error registered on the Computer Configuration Properties. It says that the "Group Policy Infrastructure" has Failed.  "The specified domain either does not exist or could not be contacted. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available."

I did disable the "Small Business Server Windows Firewall."
What do you think the error message signifies?

ve3ofa, I do not want to force the firewall off; I just want to give control into the hands of the user so that they can turn the firewall on and off.
0
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 167 total points
Is this error on all machines or just one machine?

On the client:

Click Start, click Run, type regedit, and then click OK.
Expand the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Right-click Winlogon, point to New, and then click DWORD Value.
To name the new entry, type GpNetworkStartTimeoutPolicyValue, and then press ENTER.
Right-click GpNetworkStartTimeoutPolicyValue, and then click Modify.
Under Base, click Decimal.
In the Value data box, type 60, and then click OK.
Exit Registry Editor, and then restart the computer.
If the Group Policy startup script does not run, increase the value of the GpNetworkStartTimeoutPolicyValue registry entry.

---
via group policy
Creating a Group Policy network start timeout policy
The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600.

http://support.microsoft.com/kb/840669
0
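Added example (not part of the answer above): the same registry change scripted in PowerShell, reporting the value in both locations named in the answer and rejecting anything outside the 30 to 600 second range. The function names are made up for this example; run it elevated and restart the client afterwards, as the manual steps say.

```powershell
# Added example, not from the thread. Run elevated, then restart the client.
$ValueName = 'GpNetworkStartTimeoutPolicyValue'
$Locations = @{
    Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
}

# Report the current value (or nothing) in each of the two locations.
function Get-GpNetworkStartTimeout {
    foreach ($name in $Locations.Keys) {
        $seconds = $null
        $item = Get-ItemProperty -Path $Locations[$name] -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $seconds = $item.$ValueName }
        New-Object PSObject -Property @{ Location = $name; Seconds = $seconds }
    }
}

# Write the DWORD; ValidateRange enforces the 30-600 second limit.
function Set-GpNetworkStartTimeout {
    param(
        [ValidateRange(30, 600)][int]$Seconds = 60,
        [ValidateSet('Winlogon', 'Policy')][string]$Location = 'Winlogon'
    )
    $key = $Locations[$Location]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value instead of failing on it.
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

Get-GpNetworkStartTimeout | Format-Table Location, Seconds -AutoSize   # before
Set-GpNetworkStartTimeout -Seconds 60
Get-GpNetworkStartTimeout | Format-Table Location, Seconds -AutoSize   # after
```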
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 167 total points
By default, SBS will always try to enable the Windows Firewall on workstations unless you've tinkered with the default GPO's.

Which version of SBS are you running?   Knowing that would help to advise you properly.

Jeff
TechSoEasy
0
 
LVL 23

Assisted Solution

by:Erik Bjers
Erik Bjers earned 166 total points
This error "The specified domain either does not exist or could not be contacted. Note:" tells me that either something is wrong with your domain or with the client's membership to the domain.

Hopefully it is just with the client so I would remove the client from the domain and then add it again either with a different name or after deleting the computer account from ADUC.

If there is a domain membership issue you can change the policy all you want and it will not reach the client.  

If you are seeing this on more than one client you may have an issue with the domain, but try rejoining one computer to see if it fixes the issue before you start digging into possible domain wide issues.

eb
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Ah, I missed that comment about the domain cannot be contacted...

This is usually a DNS problem.  

Please post a COMPLETE IPCONFIG /ALL from both the server and the workstation.

Jeff
TechSoEasy
0
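Added example (not part of the thread): a PowerShell triage for the "specified domain either does not exist or could not be contacted" error, covering the DNS and domain-membership causes raised in the two answers above. It assumes a domain-joined client with `nltest` available and an English-language system, because it matches on nltest's success message.

```powershell
# Added example, not from the thread. Run on the affected workstation.
function Test-DomainReachability {
    $cs = Get-WmiObject Win32_ComputerSystem
    $result = @{
        Domain        = $cs.Domain
        PartOfDomain  = $cs.PartOfDomain
        DnsResolves   = $false
        DcLocated     = $false
        SecureChannel = $false
    }
    if (-not $cs.PartOfDomain) { return New-Object PSObject -Property $result }

    # 1. Can the client's configured DNS servers resolve the AD domain name?
    try {
        [System.Net.Dns]::GetHostAddresses($cs.Domain) | Out-Null
        $result.DnsResolves = $true
    } catch { }

    # 2. Can the DC locator find a domain controller? On failure nltest
    #    reports ERROR_NO_SUCH_DOMAIN (1355), the same error text that
    #    Group Policy shows.
    $out = nltest "/dsgetdc:$($cs.Domain)" 2>&1
    $result.DcLocated = [bool]($out | Select-String 'completed successfully')

    # 3. Is the computer account's secure channel to the domain intact?
    #    A failure here points at membership (rejoin) rather than DNS.
    try {
        $result.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch { }

    New-Object PSObject -Property $result
}

Test-DomainReachability | Format-List Domain, PartOfDomain, DnsResolves, DcLocated, SecureChannel

# The DNS lines from the IPCONFIG /ALL output requested above.
ipconfig /all | Select-String 'DNS Servers', 'DNS Suffix', 'IPv4 Address'
```

DnsResolves false with the rest false points at the client's DNS server settings; DnsResolves and DcLocated true with SecureChannel false points at the computer account.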
 
LVL 23

Expert Comment

by:Erik Bjers
Good point, Jeff. I forgot about DNS issues.
0
