PC Review



disabling/enabling firewall with unprivileged user accounts

 
 
david carvalho
 
      22nd Mar 2006
Hi!
I have a 30 XP Pro machine lab in a Windows 2003 Server domain.
For some classes it is necessary to change the workstation's firewall
settings, or even disable it completely, and then enable it for the following
class. Please correct me if I'm wrong, but I can't see a way of doing this on
the 2003 server through AD.
I was thinking about a script, but since they are unprivileged users, they
can't run it, right?
Any help is welcome!
Thanks
Best regards.
David
 
Reply With Quote
 
 
 
 
John Jay Smith
 
      22nd Mar 2006
this is a known problem....

http://windowsxp.mvps.org/sharedaccess.htm

tell me if this helps

--
Disclaimer: This info is given "as is".
If you do not like the content or attitude of my posts,
please put me on your ignore list or don't read my posts.




 
Reply With Quote
 
david carvalho
 
      22nd Mar 2006
Hi! Thanks for the reply.
I tested a netsh firewall reset, without running sharedaccess.reg, and that
cleaned all my previous firewall rules.
The problem here is that I already have rules set up that I want to keep
after this class is over. I also didn't understand if this allows an
ordinary unprivileged domain user to disable and then enable previous
firewall settings.
Any idea?
Thanks!
David

 
Reply With Quote
 
Steven L Umbach
 
      22nd Mar 2006
You are right, they need to be local administrators. I don't know of any easy
workaround for you, but what I would look at is using Group Policy startup or
shutdown scripts, which run in system context, that you might be able to make
some use of. If the computers are shut down before classes change, you could
try to have different Group Policy settings for what you need for the
various classes, then change the Group Policy before the new class and
run gpupdate on the domain controller, and hopefully when the computers
start up again they will have the new Group Policy firewall settings. Or
possibly even try a logon script with gpupdate, which offhand I can't
remember if that works for a regular user. You could have several Group
Policies configured for just the firewall settings and linked to the
container that the computers are in, and enable only the one you want for the
new class. You can use rsop.msc on an XP Pro domain member to see the current
Group Policy settings for a user/computer and the GPO that is enforcing the
setting. --- Steve



 
Reply With Quote
 
david carvalho
 
      23rd Mar 2006
Hi!
Thanks for the reply. I could use that, but the problem is that I can't set
different policy groups on the workstations, because all of them may be used
in that class.
Also I can't do that for users, because my server has a trust relationship
to another server, and that one is doing authentication. I've found the
registry keys that enable/disable firewall settings for domain profile and
standard profile (don't know yet the difference). I will find some remote
registry editing tool, and I can do that from the server. Now, it's just a
matter of finding a tool like that!
Thanks
David

 
Reply With Quote
 
Steven L Umbach
 
      23rd Mar 2006
As far as Group Policy, I was proposing that you have one for each class that
had nothing but the Windows Firewall settings you want, named Class1FW,
Class2FW, or such. Then you enable just the one you want before class and
run gpupdate on the DC, as you can enable/disable a GPO without unlinking or
deleting it. Then when the computers start up for the new class they should
check the domain controller for Group Policy and apply the GPO that is
active for the FW settings.

As far as trusts between domains/forests, that has nothing to do with Group
Policy. You manage what Group Policy applies to users by where the GPO is
applied and where the user/computer accounts are located as far as
containers/OUs. Of course you would need the ability to create and manage
Group Policies and the Active Directory objects that are used in your
classes [users/computers]. The domain profile applies when the computer
detects that it is connected to the domain, and the standard profile is used
when the computer does not, such as for remote laptop users.

You can edit the registry remotely using your computer via regedit/file -
connect network registry, assuming you have file and print sharing access to
the computers. Another possibility is you could use the utility psexec from
SysInternals to run commands on remote computers that you have administrator
access to and file and print sharing connectivity. You could use it for
instance to run .reg files that could change the registry. Psexec has the
ability to run a command against a list of computers in a text file that
could help automate the process. --- Steve

http://www.sysinternals.com/Utilities/PsExec.html --- psexec
http://support.microsoft.com/kb/310516 --- info on using .reg files



 
Reply With Quote
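
Added example, not part of the original thread or any poster's code: a read-only PowerShell audit that checks, for a list of lab machines, whether the firewall is actually back on for the domain and standard profiles once a class has ended, and whether the setting comes from Group Policy or from the local configuration. The registry paths are assumptions (the thread does not name them; they are the XP SP2 Windows Firewall locations), and the machine names and sample values are constructed.

```powershell
# Added example: read-only audit of the Windows Firewall on/off switch per profile.
# Registry paths are assumptions (not given in the thread): the XP SP2 locations.
$LocalBase  = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$PolicyBase = 'SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Reads one value from a remote HKLM key; needs admin rights and the
# Remote Registry service on the target. Returns $null if key or value is absent.
function Get-RemoteDword {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

# A Group Policy value, when present, overrides the locally configured one.
function Resolve-FirewallState {
    param($PolicyValue, $LocalValue)
    if ($null -ne $PolicyValue)    { $value = $PolicyValue; $source = 'GroupPolicy' }
    elseif ($null -ne $LocalValue) { $value = $LocalValue;  $source = 'Local' }
    else { return [pscustomobject]@{ Enabled = $null; Source = 'NotSet' } }
    [pscustomobject]@{ Enabled = ([int]$value -ne 0); Source = $source }
}

# Emits one row per computer and profile; unreachable machines are reported, not skipped.
function Test-LabFirewall {
    param([string[]]$Computers, [scriptblock]$Reader = ${function:Get-RemoteDword})
    foreach ($computer in $Computers) {
        foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
            try {
                $pol = & $Reader $computer "$PolicyBase\$fwProfile" 'EnableFirewall'
                $loc = & $Reader $computer "$LocalBase\$fwProfile"  'EnableFirewall'
                $state = Resolve-FirewallState $pol $loc
                [pscustomobject]@{ Computer = $computer; Profile = $fwProfile
                                   Enabled = $state.Enabled; Source = $state.Source }
            } catch {
                [pscustomobject]@{ Computer = $computer; Profile = $fwProfile
                                   Enabled = $null; Source = 'Unreachable' }
            }
        }
    }
}

# Constructed sample data standing in for three lab machines (names are made up).
$sample = @{
    "LAB-PC01|$LocalBase\DomainProfile"   = 1
    "LAB-PC01|$LocalBase\StandardProfile" = 1
    "LAB-PC02|$LocalBase\DomainProfile"   = 0    # left disabled after class
    "LAB-PC02|$LocalBase\StandardProfile" = 1
    "LAB-PC03|$LocalBase\DomainProfile"   = 0
    "LAB-PC03|$PolicyBase\DomainProfile"  = 1    # GPO value overrides the local 0
}
$fakeReader = { param($Computer, $SubKey, $Name) $sample["$Computer|$SubKey"] }

# List every profile that is not confirmed enabled.
Test-LabFirewall -Computers 'LAB-PC01', 'LAB-PC02', 'LAB-PC03' -Reader $fakeReader |
    Where-Object { $_.Enabled -ne $true } | Format-Table -AutoSize
```

Against real machines, omit `-Reader` so the default remote-registry reader is used, and pass the computer names from the same text file used to push the per-class change.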
 
 
david carvalho
 
      27th Mar 2006
Hi !
Ok, thanks ! I'll take a look at those !
Best regards.
David

 
Reply With Quote
 
 
 