Windows Firewall

[Johnfli]

How do I turn off the Windows firewall in XP using a GPO?
I try to turn it off at teh machine, but it says that a group policy is
controlling teh settings and it prevents me from modifying anythign

 

[Mark Heitbrink [MVP]]

How do I turn off the Windows firewall in XP using a GPO?

You can define a default and a domain profile within the
Administrative Templates. Just take a look inside.

I try to turn it off at teh machine, but it says that a group policy is
controlling teh settings and it prevents me from modifying anythign

So, thats the point, where you should ask your admin, why he has
configured it and why you shouldn´t be able to change it.

Mark

 

[Guest]

I have the same question. Very sorry if it’s kind of dumb but my AD has two
sub categories under Network:

Computer Configuration
Administrative Templates
Network
Offline files
Network and Dialup

It does not have anything pertaining to firewalls or settings. Any ideas as
how to add this functionality?

Thanks!

 

[Denis Wong @ Hong Kong]

Hi Jeff,

FYI.


Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?kbid=875357

br,
Denis

 

[Guest]

Thanks for input Denis,
Ok, I try to add the MMC snap-in from my XPsp2 workstation but it did
nothing. (from Page 9 of doc in KB) No window firewall settings were added to
the policy. Looks exactly the same as it did before.

When I go to the Domain Controller and try to look at the group policy I get
an endless loop of these errors?

“The following entry in the [strings] section is too long and has been
truncated…â€
What does this mean?

Is there an ADM file I can just add to our Window 2000SP4 Domain controller
directly? This seems more logical.
Why must this be done from an XP workstation?

Other notes:
I was logging as an Domain admin.
Our system.adm was dated July 17, 2004

Any input greatly appreciated.
Thanks!

 

[Denis Wong @ Hong Kong]

Hi Jeff,

You can apply the fix for the error.


"The following entry in the [strings] section is too long and has been
truncated" error message when you try to modify or to view GPOs in Windows
Server 2003, Windows XP Professional, or Windows 2000
http://support.microsoft.com/default.aspx?kbid=842933

br,
Denis

Thanks for input Denis,
Ok, I try to add the MMC snap-in from my XPsp2 workstation but it did
nothing. (from Page 9 of doc in KB) No window firewall settings were added to
the policy. Looks exactly the same as it did before.

When I go to the Domain Controller and try to look at the group policy I get
an endless loop of these errors?

"The following entry in the [strings] section is too long and has been
truncated."
What does this mean?

Is there an ADM file I can just add to our Window 2000SP4 Domain controller
directly? This seems more logical.
Why must this be done from an XP workstation?

Other notes:
I was logging as an Domain admin.
Our system.adm was dated July 17, 2004

Any input greatly appreciated.
Thanks!

Hi Jeff,

FYI.


Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?kbid=875357

br,
Denis

has
two ideas
as policy
is

 

[Guest]

Thank you replying and for the information.

Well, it worked, once. I applied the KB and rebooted. It got rid of the
errors but doesn’t display anything. I was however able to show the new
firewall GPO on my XP workstation (only once). I saved settings in my MMC and
I closed out to reboot to get the firewall change I was testing on my own XP
PC. The Firewall changed happened but I can no longer see the firewall
settings in the MMC GPO I created. I’m back to same two the directories under
Network:

Network
Offline files
Network and dialup.

I think I am authenticated on a different DC this time though. Do I need to
apply the KB to every DC even though it does nothing to see the GPO and
firewall settings?

How do I manually set the GPO from XP WS to look at an specific domain
controller. Right now the snap in only looks at the first domain controller
it sees with no way to change it. “GPOName [DC1.Domain.lan] “ The first time
it worked I think it was on DC4.

Thanks again.

------------------------------------------------------------------------------

Hi Jeff,

You can apply the fix for the error.


"The following entry in the [strings] section is too long and has been
truncated" error message when you try to modify or to view GPOs in Windows
Server 2003, Windows XP Professional, or Windows 2000
http://support.microsoft.com/default.aspx?kbid=842933

br,
Denis

Thanks for input Denis,
Ok, I try to add the MMC snap-in from my XPsp2 workstation but it did
nothing. (from Page 9 of doc in KB) No window firewall settings were added to
the policy. Looks exactly the same as it did before.

When I go to the Domain Controller and try to look at the group policy I get
an endless loop of these errors?

"The following entry in the [strings] section is too long and has been
truncated."
What does this mean?

Is there an ADM file I can just add to our Window 2000SP4 Domain controller
directly? This seems more logical.
Why must this be done from an XP workstation?

Other notes:
I was logging as an Domain admin.
Our system.adm was dated July 17, 2004

Any input greatly appreciated.
Thanks!

Hi Jeff,

FYI.


Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?kbid=875357

br,
Denis

I have the same question. Very sorry if it's kind of dumb but my AD has
two
sub categories under Network:

Computer Configuration
Administrative Templates
Network
Offline files
Network and Dialup

It does not have anything pertaining to firewalls or settings. Any ideas
as
how to add this functionality?

Thanks!



:

Johnfli schrieb:
How do I turn off the Windows firewall in XP using a GPO?

You can define a default and a domain profile within the
Administrative Templates. Just take a look inside.

I try to turn it off at teh machine, but it says that a group policy
is
controlling teh settings and it prevents me from modifying anythign

So, thats the point, where you should ask your admin, why he has
configured it and why you shouldn´t be able to change it.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.

 

[Jeff_DB]

Ok , Follow up.
I installed the KB on the other 3 Domain Control and same thing. I
only see:

Network
Offline files
Network and dialup.

No mention of firewall or anything. Any Ideas?

My W/S is Windows XP SP2.
Is there a more current snap-in I'm not seeing? Is there one for
WIndows 2000 Server? (.ADM)

How does everyone else control the Win XP Firewall settings in a
Windows 2000 domain?

Thanks!
Jeff

 

[lforbes]

Ok , Follow up.
I installed the KB on the other 3 Domain Control and same
thing. I
only see:

Network
Offline files
Network and dialup.

No mention of firewall or anything. Any Ideas?

My W/S is Windows XP SP2.
Is there a more current snap-in I'm not seeing? Is there one
for
WIndows 2000 Server? (.ADM)

How does everyone else control the Win XP Firewall settings in
a
Windows 2000 domain?

Thanks!
Jeff

Hi Jeff,

Do the ADM thing manually. Never works doing it from the machine. Go
to an XP Machine with SP2 installed. Find the C:windowsinf directory
(hidden system). Copy ALL the .adm files to the C:winntinf directory
on ALL your DC’s and Any computers you run adminpak.msi on. You can
overwrite the current ADM’s as the new ones are cumulative. Unless
of course you have manually edited them.

Cheers,

Lara

 

[Jeff_DB]

Thanks Lara!
Ok, I updated all four of my Windows 2000 DCs with the following ADM in
the Winnt\INF directory. I applied the KB842933 to all of them.
Basically, nothing happened. I see no ...\Network Connections\Firewall
settings in the directory on the DC directly or through my Windows XP
desktop.

Conf.adm 39K 7/17/2004
Inetres.adm 1397K 7/23/2004
System.adm 752K 11/8/2004
Wmplayer 75K 7/17/2004
Wuau.adm 42K 5/26/2005 (WSUS v2.0 settings)

I'm testing with my personal Win XP desktop in a seperate OU. I was
able to turn the firwall ON, once. I rebooted and now I longer see the
settings at all again in AD. I tried the manual settings in KB875357
but that doesn't help because my PC is under domain policy control
(proving it did work once) and none of the commands do anything.

Anyone have any other ideas on how to control users' (Win XP SP1/SP2)
firewall settings with Windows 2000 AD Domain?

Which .ADM controls those settings? Do I have the latest version?

My WSUS and SMS implimentations are at a road block until I can figure
this one out.

Thanks!

 

[Jeff_DB]

Update.
Got it working!
The key is create a NEW policy AFTER you have copied all the .ADM files
into each servers \INF directory. I was trying to apply the new policy
to an existing policy and it was not happening. Use a separate link for
each policy you have.

Gregg Ks message got me thinking "...As a work around, I created a
whole new policy. I was then able to
drill down to this and reenter enough settings to get some
connectivity"

I'm not sure if it's a work around but it seem to be "The way it
is"

Thanks!!
J

 

[Gregg Knapp]

Wish I'd have noticed this thread before posting my own.
Ya. I'm in the same boat, though - After creating a new
policy to bypass my problem, I can no longer access the
firewall settings again to make further changes.

Ugh.

Gregg

 

[lforbes]

Hi,

The key is create a NEW policy AFTER you have copied all the .ADM
files into each servers INF directory.

Yes, ADM Updates are weird sometimes. The Reason is that the actual
ADM’s that are for the Policy are physically copied from the
C:Windowsinf into the
C:Windowssysvolmydomain.localsysvolpoliciesGUIDFORPOLICYAdm
folder when a Policy is opened (if the ADM’s are older) or if a
Policy is created.

Sometimes this doesn’t happen but it should everytime. The stupid
thing about this setup is that you end up with 1 copy of the
system.adm for Every Group Policy and at 1MB a pop that can really
take up space. Seems to me it was bad design. They should just have
one set that is registered.

I have "found" a policy GUID by adding a weird ADM and then finding it
in the SYSVOL so I knew what GUID related to what policy.

Cheers,

Lara