Solved

How to disable the group policies that force Windows Firewall ON.

Posted on 2013-01-15
10
260 Views
Last Modified: 2014-02-02
I followed instructions in this thread:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21995354.html

"Server Management Console > Advanced Management > Group Policy I need to stop the group policies from forcing Windows Firewall on.

Management > Forest: YourDomain.local > Domains > YourDomain.local > Group Policy Objects.

...right click > GPO Status > All Settings Disabled.  

You must then force the GP's to refresh on each workstation... by opening a command prompt on the server, and entering this:

C:\>gpupdate /force

You'll be prompted to log off, which you should do, and then any user that is currently logged into a workstation must log out and back in for the settings to take effect."


Unfortunately, nothing has changed.  Can anyone tell me what I have done wrong?
Thanks
0
Comment
Question by:nowthenee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
10 Comments
 
LVL 7

Expert Comment

by:ded_ch
ID: 38781061
You might want to start figuring out which exact group policy applies the settings to disable the firewall to your clients.

You can do this by running the "rsop.msc" utility on one of the affected machines.
You can either run it through the "run" command in start menu, type it in search in the windows 7 start menu or run it from a command prompt.

Once ran it will display all policy settings which are applied to the machine.
Navigate to the Firewall settings and see if the setting is applied. If it is, it will display the name of the group policy object next to the setting.

Now make sure you disabled the setting in the correct GPO.

Hope this helps.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 38781078
Q: Do you want the firewall off for the machines in this OU?
OR
Do you want the firewall to be able to be turned off by an administrative user  machines in this OU?
0
 
LVL 1

Author Comment

by:nowthenee
ID: 38790318
Sorry for the delay in replying.
I ran rsop.msc and navigated to here:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
In the Domain Profile and the Standard Profile it had:
Windows Firewall: Protect all network connections      Enabled      Small Business Server Windows Firewall
There is an error registered on the Computer Configuration Properties. It says that the "Group Policy Infrastruture" has Failed.  "The specified domain either does no exist or could not be contacted. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available."

I did disable the "Small Business Server Windows Firewall."
What do you think the error message signifies.

ve3ofa, I do not want to force the firewall off; I just want to give control into the hands of the user so that they can turn the firewall on and off.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 167 total points
ID: 38870059
Is this error on all machines or just one machine?

on the client:

Click Start, click Run, type regedit, and then click OK.
Expand the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Right-click Winlogon, point to New, and then click DWORD Value.
To name the new entry, type GpNetworkStartTimeoutPolicyValue, and then press ENTER.
Right-click GpNetworkStartTimeoutPolicyValue, and then click Modify.
Under Base, click Decimal.
In the Value data box, type 60, and then click OK.
Exit Registry Editor, and then restart the computer.
If the Group Policy startup script does not run, increase the value of the GpNetworkStartTimeoutPolicyValue registry entry.

---
via group policy
Creating a Group Policy network start timeout policy
The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600.

http://support.microsoft.com/kb/840669
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 167 total points
ID: 38871111
By default, SBS will always try to enable the Windows Firewall on workstations unless you've tinkered with the default GPO's.

Which version of SBS are you running?   Knowing that would help to advise you properly.

Jeff
TechSoEasy
0
 
LVL 23

Assisted Solution

by:Erik Bjers
Erik Bjers earned 166 total points
ID: 38872924
This error "The specified domain either does no exist or could not be contacted. Note:" tells me that either something is wrong with your domain or with the client's membership to the domain.

Hopefully it is just with the client so I would remove the client from the domain and then add it again either with a different name or after deleting the computer account from ADUC.

If there is a domain membership issue you can change the policy all you want and it will not reach the client.  

If you are seeing this on more than one client you may have an issue with the domain, but try rejoining one computer to see if it fixes the issue before you start digging into possible domain wide issues.

eb
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 38878109
Ah, I missed that comment about the domain cannot be contacted...

This is usually a DNS problem.  

Please post a COMPLETE IPCONFIG /ALL from both the server and the workstation.

Jeff
TechSoEasy
0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 38880650
good point Jeff, I forgot about DNS issues
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question