Help with using GPO to configure XP Firewall

[Guest]

I have just installed SUS and am looking to deploy XP SP2. Our network is
mixed with XP and 2000 clients with the servers being 2000. I want to be able
to use GPO to control the firewall. From my understanding, once I do this
from a XP SP2 client then I have to use XP everytime I need to configure my
GPO but this isn't really an option in my case because the other admins use
Windows 2000 and they need to have access to the GPO as well.
The MS whitepaper on using GPO to configure the firewall says:
"Once you update your Group Policy objects, you can only modify them from a
computer running Windows XP with SP2. An update is available through
Microsoft Product Support Services (PSS) to allow you to modify Group Policy
settings from computers running Windows 2000"

Where can I find this update? I have looked for a couple hours now and I
can't find it. Or is there a better way to do this? I really need to use the
GPO and be able to configure it with a 2000 Server.
Any help is greatly appreciated, I am hoping to get this into a test
environment by Monday morning.
Thanks

PS, I hope this makes sense, it is 5:30 am and I am at the end of a 13 hour
graveyard shift, if I said something stupid I am sorry- I will clarify any
confusion when I check back later. Thanks

 

[Mark Renoden [MSFT]]

Hi Michael

The update that your refer to may simply be the XP SP2 .adm package
available from:

http://www.microsoft.com/downloads/...4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Also be aware of:

http://support.microsoft.com/default.aspx?kbid=842933

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

That did help somewhat, thanks. I did have to apply the hotfix in your second
link but that is ok. I still cannot get the GPO to work though.
I have read almost every white paper I can find and it doesn't seem like I
am doing anything wrong, I think I am missing something small. I have
installed Server 2003 Administration Pack on my Windows XP SP2 PC. I am a
domain adminstrator in AD and have set up a test group with a XP SP2 and a
2000 machine.
I have enabled "Protect all network connections" and "Do not allow
exceptions" with the Admin Pack and have confirmed that this has replicated
to the DC's. On the test XP machine I have turned off the firewall because I
want AD to control it. I have rebooted the client several times. I am running
a constant PING to the PC and it is PINGing, nothing is being blocked, I even
RDC into it.
It almost seems like even though the policies are showing up on the DC they
don't know what to do or how to enforce it. Does anyone know what I need to
do to make this GPO work properly?
Thanks and I am truely thankful for those of you who share your knowledge
with those who are less knowledgable. As my expierence increases I do hope to
give back to the community.

Hi Michael

The update that your refer to may simply be the XP SP2 .adm package
available from:

http://www.microsoft.com/downloads/...4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Also be aware of:

http://support.microsoft.com/default.aspx?kbid=842933

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

I have just installed SUS and am looking to deploy XP SP2. Our network is
mixed with XP and 2000 clients with the servers being 2000. I want to be
able
to use GPO to control the firewall. From my understanding, once I do this
from a XP SP2 client then I have to use XP everytime I need to configure
my
GPO but this isn't really an option in my case because the other admins
use
Windows 2000 and they need to have access to the GPO as well.
The MS whitepaper on using GPO to configure the firewall says:
"Once you update your Group Policy objects, you can only modify them from
a
computer running Windows XP with SP2. An update is available through
Microsoft Product Support Services (PSS) to allow you to modify Group
Policy
settings from computers running Windows 2000"

Where can I find this update? I have looked for a couple hours now and I
can't find it. Or is there a better way to do this? I really need to use
the
GPO and be able to configure it with a 2000 Server.
Any help is greatly appreciated, I am hoping to get this into a test
environment by Monday morning.
Thanks

PS, I hope this makes sense, it is 5:30 am and I am at the end of a 13
hour
graveyard shift, if I said something stupid I am sorry- I will clarify any
confusion when I check back later. Thanks

 

[Mark Renoden [MSFT]]

Hi Michael

I guess my first question is what objects are in the OU to which the policy
is linked? You seem to be saying that you created a group which contains
the computer accounts for the XP SP2 client and the 2000 client. If it's
the case that you've only put the group in the OU instead of the computer
objects, this explains it. Policy will only apply to the actual computer
(or user) objects that exist in an OU.

Secondly, the Windows Firewall comes with some default exceptions. You can
view these in the Exceptions tab of the Windows Firewall applet in Control
Panel. This might explain why your tests for connectivity have been
successful.

Lastly, running a gpresult /z (Win XP) or a gpresult /v (Win 2000) will show
you which policies have applied to the computer and currently logged in
user. If you pipe this to a text file, it makes for easier reading.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

That did help somewhat, thanks. I did have to apply the hotfix in your
second
link but that is ok. I still cannot get the GPO to work though.
I have read almost every white paper I can find and it doesn't seem like I
am doing anything wrong, I think I am missing something small. I have
installed Server 2003 Administration Pack on my Windows XP SP2 PC. I am a
domain adminstrator in AD and have set up a test group with a XP SP2 and a
2000 machine.
I have enabled "Protect all network connections" and "Do not allow
exceptions" with the Admin Pack and have confirmed that this has
replicated
to the DC's. On the test XP machine I have turned off the firewall because
I
want AD to control it. I have rebooted the client several times. I am
running
a constant PING to the PC and it is PINGing, nothing is being blocked, I
even
RDC into it.
It almost seems like even though the policies are showing up on the DC
they
don't know what to do or how to enforce it. Does anyone know what I need
to
do to make this GPO work properly?
Thanks and I am truely thankful for those of you who share your knowledge
with those who are less knowledgable. As my expierence increases I do hope
to
give back to the community.

Hi Michael

The update that your refer to may simply be the XP SP2 .adm package
available from:


http://www.microsoft.com/downloads/...4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Also be aware of:

http://support.microsoft.com/default.aspx?kbid=842933

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have just installed SUS and am looking to deploy XP SP2. Our network
is
mixed with XP and 2000 clients with the servers being 2000. I want to
be
able
to use GPO to control the firewall. From my understanding, once I do
this
from a XP SP2 client then I have to use XP everytime I need to
configure
my
GPO but this isn't really an option in my case because the other admins
use
Windows 2000 and they need to have access to the GPO as well.
The MS whitepaper on using GPO to configure the firewall says:
"Once you update your Group Policy objects, you can only modify them
from
a
computer running Windows XP with SP2. An update is available through
Microsoft Product Support Services (PSS) to allow you to modify Group
Policy
settings from computers running Windows 2000"

Where can I find this update? I have looked for a couple hours now and
I
can't find it. Or is there a better way to do this? I really need to
use
the
GPO and be able to configure it with a 2000 Server.
Any help is greatly appreciated, I am hoping to get this into a test
environment by Monday morning.
Thanks

PS, I hope this makes sense, it is 5:30 am and I am at the end of a 13
hour
graveyard shift, if I said something stupid I am sorry- I will clarify
any
confusion when I check back later. Thanks

 

[Mark Renoden [MSFT]]

Hi Michael

I guess my first question is what objects are in the OU to which the policy
is linked? You seem to be saying that you created a group which contains
the computer accounts for the XP SP2 client and the 2000 client. If it's
the case that you've only put the group in the OU instead of the computer
objects, this explains it. Policy will only apply to the actual computer
(or user) objects that exist in an OU.

Secondly, the Windows Firewall comes with some default exceptions. You can
view these in the Exceptions tab of the Windows Firewall applet in Control
Panel. This might explain why your tests for connectivity have been
successful.

Lastly, running a gpresult /z (Win XP) or a gpresult /v (Win 2000) will show
you which policies have applied to the computer and currently logged in
user. If you pipe this to a text file, it makes for easier reading.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

That did help somewhat, thanks. I did have to apply the hotfix in your
second
link but that is ok. I still cannot get the GPO to work though.
I have read almost every white paper I can find and it doesn't seem like I
am doing anything wrong, I think I am missing something small. I have
installed Server 2003 Administration Pack on my Windows XP SP2 PC. I am a
domain adminstrator in AD and have set up a test group with a XP SP2 and a
2000 machine.
I have enabled "Protect all network connections" and "Do not allow
exceptions" with the Admin Pack and have confirmed that this has
replicated
to the DC's. On the test XP machine I have turned off the firewall because
I
want AD to control it. I have rebooted the client several times. I am
running
a constant PING to the PC and it is PINGing, nothing is being blocked, I
even
RDC into it.
It almost seems like even though the policies are showing up on the DC
they
don't know what to do or how to enforce it. Does anyone know what I need
to
do to make this GPO work properly?
Thanks and I am truely thankful for those of you who share your knowledge
with those who are less knowledgable. As my expierence increases I do hope
to
give back to the community.

Hi Michael

The update that your refer to may simply be the XP SP2 .adm package
available from:


http://www.microsoft.com/downloads/...4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Also be aware of:

http://support.microsoft.com/default.aspx?kbid=842933

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have just installed SUS and am looking to deploy XP SP2. Our network
is
mixed with XP and 2000 clients with the servers being 2000. I want to
be
able
to use GPO to control the firewall. From my understanding, once I do
this
from a XP SP2 client then I have to use XP everytime I need to
configure
my
GPO but this isn't really an option in my case because the other admins
use
Windows 2000 and they need to have access to the GPO as well.
The MS whitepaper on using GPO to configure the firewall says:
"Once you update your Group Policy objects, you can only modify them
from
a
computer running Windows XP with SP2. An update is available through
Microsoft Product Support Services (PSS) to allow you to modify Group
Policy
settings from computers running Windows 2000"

Where can I find this update? I have looked for a couple hours now and
I
can't find it. Or is there a better way to do this? I really need to
use
the
GPO and be able to configure it with a 2000 Server.
Any help is greatly appreciated, I am hoping to get this into a test
environment by Monday morning.
Thanks

PS, I hope this makes sense, it is 5:30 am and I am at the end of a 13
hour
graveyard shift, if I said something stupid I am sorry- I will clarify
any
confusion when I check back later. Thanks

 

[Mark Renoden [MSFT]]

Hi Michael

I guess my first question is what objects are in the OU to which the policy
is linked? You seem to be saying that you created a group which contains
the computer accounts for the XP SP2 client and the 2000 client. If it's
the case that you've only put the group in the OU instead of the computer
objects, this explains it. Policy will only apply to the actual computer
(or user) objects that exist in an OU.

Secondly, the Windows Firewall comes with some default exceptions. You can
view these in the Exceptions tab of the Windows Firewall applet in Control
Panel. This might explain why your tests for connectivity have been
successful.

Lastly, running a gpresult /z (Win XP) or a gpresult /v (Win 2000) will show
you which policies have applied to the computer and currently logged in
user. If you pipe this to a text file, it makes for easier reading.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

That did help somewhat, thanks. I did have to apply the hotfix in your
second
link but that is ok. I still cannot get the GPO to work though.
I have read almost every white paper I can find and it doesn't seem like I
am doing anything wrong, I think I am missing something small. I have
installed Server 2003 Administration Pack on my Windows XP SP2 PC. I am a
domain adminstrator in AD and have set up a test group with a XP SP2 and a
2000 machine.
I have enabled "Protect all network connections" and "Do not allow
exceptions" with the Admin Pack and have confirmed that this has
replicated
to the DC's. On the test XP machine I have turned off the firewall because
I
want AD to control it. I have rebooted the client several times. I am
running
a constant PING to the PC and it is PINGing, nothing is being blocked, I
even
RDC into it.
It almost seems like even though the policies are showing up on the DC
they
don't know what to do or how to enforce it. Does anyone know what I need
to
do to make this GPO work properly?
Thanks and I am truely thankful for those of you who share your knowledge
with those who are less knowledgable. As my expierence increases I do hope
to
give back to the community.

Hi Michael

The update that your refer to may simply be the XP SP2 .adm package
available from:


http://www.microsoft.com/downloads/...4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en

Also be aware of:

http://support.microsoft.com/default.aspx?kbid=842933

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no
rights.

I have just installed SUS and am looking to deploy XP SP2. Our network
is
mixed with XP and 2000 clients with the servers being 2000. I want to
be
able
to use GPO to control the firewall. From my understanding, once I do
this
from a XP SP2 client then I have to use XP everytime I need to
configure
my
GPO but this isn't really an option in my case because the other admins
use
Windows 2000 and they need to have access to the GPO as well.
The MS whitepaper on using GPO to configure the firewall says:
"Once you update your Group Policy objects, you can only modify them
from
a
computer running Windows XP with SP2. An update is available through
Microsoft Product Support Services (PSS) to allow you to modify Group
Policy
settings from computers running Windows 2000"

Where can I find this update? I have looked for a couple hours now and
I
can't find it. Or is there a better way to do this? I really need to
use
the
GPO and be able to configure it with a 2000 Server.
Any help is greatly appreciated, I am hoping to get this into a test
environment by Monday morning.
Thanks

PS, I hope this makes sense, it is 5:30 am and I am at the end of a 13
hour
graveyard shift, if I said something stupid I am sorry- I will clarify
any
confusion when I check back later. Thanks