Solved

Disabling local firewall from Active Directory

Posted on 2014-02-18
11
286 Views
Last Modified: 2014-03-07
Most of the users in the office have the windows FW enabled.  This is stopping me rolling out AV and other programes.  Can I disable this using AD so when then login to the domain the FW is off?
0
Comment
Question by:wannabecraig
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +1
11 Comments
 
LVL 10

Expert Comment

by:Alex Green
ID: 39866965
Yes,

You can use group policy for this,

Computer Config > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile  > Windows Firewall: Protect all network connections = Disabled

That will disable windows firewall

Regards

Alex
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 39867042
Do I do this on the DC?  I can't see the Computer config module.
0
 
LVL 10

Expert Comment

by:Alex Green
ID: 39867044
When you log onto your DC, click start, administrative tools, group policy.

Create a new group policy, make the changes and then link that to the OU with your computers in.

Regards

Alex
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Author Comment

by:wannabecraig
ID: 39867054
ok, there was an exisiting domain policy and I edited it, is that ok?

Also, I assume users need to log off and on again before it disables it?
0
 
LVL 10

Expert Comment

by:Alex Green
ID: 39867060
It should apply within the next 4 - 6 hours depending on the time group policy last replicated, however you could ask for a reboot which would apply it immediately.

Regards

Alex
0
 
LVL 37

Expert Comment

by:bbao
ID: 39867105
>> Can I disable this using AD so when then login to the domain the FW is off?

Simply applying Group Policy cannot implement disabling FW when logged on and enabling FW when logged off. There must be a domain based logon script to do that.

> > Also, I assume users need to log off and on again before it disables it?

Just want to confirm if "disabling FW when logged on and enabling FW when logged off" is what exactly the author wanted?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39867185
You won't find option to disable firewall at GPO path mentioned above

The correct path to turn off firewall is as below.

Computer configuration\Policies\Windows Settings\security settings\Windows firewall with advanced security\Windows firewall with advanced security -LDAP-------
Right click on above path and go to properties.
Here you need to turn off firewall state for domain profile, public profile and private Profile

Alternatively you can add .bat file in startup script section in GPO in computer configuration with below command

echo off
netsh advfirewall set allprofiles state off

startup script option can be found under Computer configuration\Policies\Windows Settings\scripts (Startup and Shutdown)\startup
You can copy .bat file in netlogon shared folder on domain controller.

Mahesh
0
 
LVL 10

Accepted Solution

by:
Alex Green earned 500 total points
ID: 39867187
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39867191
Also computers must be rebooted once to apply GPO and to disable firewall
0
 
LVL 10

Expert Comment

by:Alex Green
ID: 39867584
Not definately, you can just do a gpupdate /force or wait 4 hours (depending what is specified in the default domain policy)
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39867917
You can do gpupdate /force definitely if you use GPO settings to disable firewall

But if you use .bat file to disable firewall, then you must reboot the computer to run .bat file
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question