Group Policy affects Allowed Apps in Windows Firewall / stops file sharing in one workstation

Fred Marshall
I have a domain-joined workstation that has an unshared Windows C: drive and a shared D: drive.

The D: drive isn't reachable by permissioned group members.

I find that the Windows firewall is blocking access.
I find that there's a Domain enforced rule in the firewall but I can't figure out what is affected.

Here is all that I can see:
Allowed apps
How to know where this comes from in better details than this?
I've reviewed the few GPOs and nothing pops out as obvious.
Surely nothing that I've done!
Other workstations don't seem to have this same thing at all.
Noah, Hardware Tester and Debugger

Commented:
Hi there! :)

I think you also need to review the firewall advanced rules for file sharing. You may refer to the following link on how to allow the connections.

Reference: https://www.hammer-software.com/how-to-enable-file-and-printer-sharing-through-the-windows-firewall-with-advanced-security-using-group-policy/


Author

Commented:
Noah:  Thank you!  I've been setting special File and Printer Sharing Firewall rules to accommodate multiple subnet sharing so I'm pretty familiar with that part.  And, I have reviewed them.  They look OK.

What I don't know is where to find the apparent GPO(?) that's setting this one computer in Allow Apps.  Where to look for that GPO?  I can't find one in AD that looks at all likely.  I've not set any firewall GPOs (yet).
Hardware Tester and Debugger
Commented:
I see.. How about looking here?

Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754359(v=ws.10)?redirectedfrom=MSDN

In the navigation pane, open the following folders: Local Computer Policy, User Configuration, Administrative Templates, Windows Components, and Network Sharing.

Author

Commented:
Noah,

Thank you again!  I'm afraid that setting isn't what's doing it.... it's not configured.  Presumably if it were set by Group Policy then that would show differently.

Author

Commented:
I believe that I found it.  
gpedit.msc:
Local Computer Policy \ Computer Configuration \ Administrative Templates \ Network \ Network Connections \ Domain Profile \
Windows Defender Firewall: Allow inbound file and printer sharing exception

was *configured* and listed the allowed subnets (which were listed correctly).

Changing the setting to "Not configured", seems to have fixed the problem.
It also did away with the double-line entry in Allowed apps in Windows Defender Firewall for File and Printer Sharing.

I don't recall we set it in the first place but if the subnets were listed as they were, then we must have.
I don't understand why this setting would somehow limit the behavior and block what is expressly being allowed by it.

The fix survives a reboot which I believe means this didn't come from a GPO in AD.

Thanks for helping me sleuth this out!!

Author

Commented:
Not "exactly" the same setting but close enough to put me on the path to finding it!!
Noah, Hardware Tester and Debugger

Commented:
I see! Yes, that would be the one other possible location. Glad you found it.
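
Added example (not part of the original thread): one way to answer the "where does this come from?" question from an elevated PowerShell prompt on the affected workstation. It lists the effective File and Printer Sharing rules with the policy store each came from, reads the registry values that the legacy "Allow inbound file and printer sharing exception" template setting writes, and produces a computer-scope Group Policy report. It assumes an English-language system (the display group name is localized); the report file name is an arbitrary choice.

```powershell
# Added example; run elevated on the workstation being diagnosed.

# 1. Effective rules in the File and Printer Sharing group, with their origin.
#    PolicyStoreSourceType shows Local vs. GroupPolicy; PolicyStoreSource
#    names the store (or GPO) that supplied the rule.
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'File and Printer Sharing' |
    Sort-Object PolicyStoreSourceType, DisplayName |
    Format-Table DisplayName, Enabled, Profile, Action,
                 PolicyStoreSourceType, PolicyStoreSource -AutoSize

# 2. The legacy administrative-template setting found in the thread
#    (Network \ Network Connections \ Windows Defender Firewall \ <profile>).
#    When it is configured, the policy registry key below exists and holds
#    Enabled (0/1) and RemoteAddresses (the allowed scope string).
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$legacy = foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $key = Join-Path $base "$fwProfile\Services\FileAndPrint"
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Profile         = $fwProfile
            State           = 'Configured'
            Enabled         = $v.Enabled
            RemoteAddresses = $v.RemoteAddresses
        }
    } else {
        [pscustomobject]@{
            Profile         = $fwProfile
            State           = 'Not configured'
            Enabled         = $null
            RemoteAddresses = $null
        }
    }
}
$legacy | Format-Table -AutoSize

# 3. Computer-scope Resultant Set of Policy report. Each applied setting is
#    listed with its winning GPO; settings made in gpedit.msc appear under
#    "Local Group Policy" rather than under a domain GPO name.
$report = Join-Path $env:TEMP 'gp-computer.html'
gpresult /scope computer /h $report /f
Write-Host "Report written to $report"
```

Running the same three checks on a workstation that shares correctly and comparing the output isolates a setting that exists on only one machine.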
