Allow remote administration exception policy does not apply

[Pierrot Robert]

Hi,

I have created a GPO for my domain with the "allow remote administration
exception" policy enabled for the Windows Fireall domain profile.

However, the policy does not apply to the computers in the domain. The
exception never displays in the Windows Firewall settings. All computers are
Windows XP SP2 and the DC are 2003/2000.

I have other GPOs for the same domain (disable system restore, etc.) and
they work well.

I tried to enable this policy in the "Default Domain Policy" object, in both
"Domain Profile" and "Standard Profile" and it did not make it.

Any idea ?

 

[Steven L Umbach]

Make sure that the computers are within the scope of management of the Group
Policy. In other words the computers must be in the container/OU where the
GPO is linked to or a child container, etc. Try running the Resultant Set of
Policy mmc snapin on one of the Windows 2003 domain controllers in both
logging and planning mode to see what is reported as what policy is being
applied. Planning mode shows what should apply if everything is working as
it should and logging mode shows that actual policy that has been applied.
You can also run RSOP locally via the mmc snapin on the XP Pro computer.
The GPO needs to be linked to the container where you want it applied to and
authenticated users would need read/apply permissions to the GPO which is
the default setting. --- Steve

 

[Pierrot Robert]

I ran RSoP on my computer in logging mode and it shows that the policy is
applying.

But if I look in the Windows Firewall settings, exceptions tab, the sertting
does not show.

My DCs run english OS but the workstations run french OS. Is it an issue ?

 

[Steven L Umbach]

It could be that it will not show in the local Windows Firewall settings.
What I would try is to see if you can manage the computers remotely or not
and use the command netsh firewall show state verbose = enable to see what
it shows for Remote admin mode. Below is an example of such output on my
computer. --- Steve

D:\Documents and Settings\Steve>netsh firewall show state verbose = enable

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable <<<<<<<<<<<<<<<<<<***
Scope: 192.168.1.0/255.255.255.0

Local exceptions allowed by group policy:
-------------------------------------------------------------------
Open ports = Enable
Allowed programs = Enable

Log settings:
-------------------------------------------------------------------
File location = D:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable

Service settings:
Mode Customized Name
-------------------------------------------------------------------

 

[Pierrot Robert]

You are right, it does not show in the Windows Firewall settings but it is
enabled.

It is weird that the Windows Firewall settings have a yes/no setting for
Group Policy but they do not show there.

 

[Pierrot Robert]

I just found out that File and Print sharing has to be installed for remote
administration to work.

Is it by desing ?

 

[Torgeir Bakken \(MVP\)]

I just found out that File and Print sharing has to be
installed for remote administration to work.

Is it by desing ?

Hi,

Yes, because it is that component that installs the Server service
that is needed for remote administration to work...