Re: Managing Group Policy on XP SP2

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 09/29/04


Date: Tue, 28 Sep 2004 21:41:10 -0700

I just checked this out and found the same behavior on my Win2K machine when
viewing an XP, SP2 policy--specifically those two Windows Firewall policies:

Windows Firewall: Define program exceptions
Windows Firewall: Define port exceptions

do not appear if I view the GPO from Win2K. Frankly, I think this is a bug
that you've found. I can see no reason, in looking at the ADM file, why they
should not appear. Maybe someone on this NG from Microsoft can check into
it?

-- 
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related

"d mac" <dmac@discussions.microsoft.com> wrote in message 
news:5B50E731-E7C6-4743-A926-7B57C9A4B775@microsoft.com...
> I'm glad I'm not the only one.  I will definitely know if I find any fixes.
> For the time being, I'm enabling the policy through the workstation that has
> XP SP2 and it seems to be applying through the domain controllers, however
> the programs don't show up on the list in the Windows Firewall like I would
> expect.  Can you see if this is the same experience for you?  I'm guessing
> it's doing this because the policy isn't listed on the servers but still
> affects the machines as a policy.
>
> d mac
>
>
> "billj" wrote:
>
>> I've been facing the EXACT same issue since yesterday.  If you come up with a
>> solution, it would be great to post it here.  I'll do the same.
>>
>> billj
>>
>> "d mac" wrote:
>>
>> > I imported the ADM files from the XP SP2 workstation and still some of the
>> > policies are missing (as mentioned below).  I even imported the ADM files
>> > from the Microsoft website (at
>> > http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&DisplayLang=en)
>> > and still there are some missing.
>> >
>> > It seems like there might be certain policies that aren't compatible with
>> > Windows 2000 Server.  Does anyone know what I should try next?
>> >
>> > Thanks,
>> >
>> > d mac
>> >
>> > "d mac" wrote:
>> >
>> > > Hi there,
>> > >
>> > > I downloaded the 842933 patch before opening the GPO on the XP SP2
>> > > workstation, so I haven't had any of the "The following entry in the
>> > > [strings] section is too long and has been truncated" errors.  But I still
>> > > have the issue where not all the policies are showing up on the Windows 2000
>> > > Server vs. the XP SP2 workstation.  Is this a known issue?
>> > >
>> > > I will try Hunter's suggestion on manually importing the ADM files on the
>> > > Windows 2000 server to see if that updates all the policies on the domain
>> > > controllers to match the same amount showing on the XP SP2 workstation.
>> > >
>> > > I'll let you know how it goes.
>> > >
>> > > Thanks
>> > >
>> > > d mac
>> > >
>> > > "Bruce Sanderson" wrote:
>> > >
>> > > > http://support.microsoft.com/?kbid=842933 documents this problem and has a
>> > > > patch available.
>> > > >
>> > > > -- 
>> > > > Bruce Sanderson MVP
>> > > >
>> > > > It's perfectly useless to know the right answer to the wrong 
>> > > > question.
>> > > >
>> > > >
>> > > > "Hunter" <anonymous@discussions.microsoft.com> wrote in message
>> > > > news:1b9601c4a1a0$6a628fa0$a401280a@phx.gbl...
>> > > > > You might try gathering up the XP .adm templates, copying
>> > > > > them to temp folder on the 2000 DC.  Then opening the A/D
>> > > > > Group policy on the 2000 box right click on the
>> > > > > Administrative templates container, choose add snap-in.
>> > > > >
>> > > > > It'll show the ones currently in use in the winnt/inf
>> > > > > folder,  Browse over to the new ones in the temp folder
>> > > > > and select add, it should ask you about overwriting etc.
>> > > > >
>> > > > > Choose yes.
>> > > > >
>> > > > > Once the new ones are copied in you will probably get a
>> > > > > bunch of messages stating the new ones are too long or
>> > > > > something, but you'll have to hunt down an update for this
>> > > > > I think I found it at microsoft tech experts page on XP,
>> > > > > but it didn't seem to want to be found with search.
>> > > > >
>> > > > > Anyways, maybe that will help.
>> > > > >
>> > > > > Regards
>> > > > >
>> > > > > Hunter
>> > > > >
>> > > > >
>> > > > >
>> > > > >>-----Original Message-----
>> > > > >>I updated our GPO on our Windows 2000 domain controllers with the latest ADM
>> > > > >>files from XP SP2.  I did this by opening up the GPO on a Windows XP Pro
>> > > > >>workstation with SP2 and it automatically replicated the ADM files to our
>> > > > >>domain controllers.  See document at
>> > > > >>http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngdepgp.mspx
>> > > > >>
>> > > > >>However, it seems like not all of the ADM files are replicating to the
>> > > > >>Windows 2000 servers.  For example, in the policy path "Administrative
>> > > > >>Templates\Network\Network Connections\Windows Firewall\Domain Profile" there
>> > > > >>are only 12 policies listed on the Windows 2000 Server but on the XP SP2 box,
>> > > > >>there are 14 policies.  The two that are missing are:
>> > > > >>
>> > > > >>Windows Firewall: Define program exceptions
>> > > > >>Windows Firewall: Define port exceptions
>> > > > >>
>> > > > >>Is this by design or is there something wrong with the replication process?
>> > > > >>It would be nice to be able to define program exceptions because there are a
>> > > > >>couple programs within our environment that won't work unless we can exclude
>> > > > >>them.  It would be preferable to do this through GP instead of manually going
>> > > > >>to each machine and defining the program exceptions.
>> > > > >>
>> > > > >>Thanks,
>> > > > >>
>> > > > >>d mac
>> > > > >>.
>> > > > >>
>> > > >
>> > > >
>> > > > 
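
An added example, not part of any post in this thread: one way to tell "the ADM file the editor loads lacks the two settings" apart from "the file defines them but the editor does not display them" is to list the POLICY entries an ADM file defines per category and check for the two display names. The ADM fragment, its string IDs and the registry path are constructed for illustration and are not copied from the real system.adm.

```python
import re

# Constructed ADM fragment; IDs and KEYNAME are hypothetical placeholders.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!WF
  CATEGORY !!WF_Domain
    KEYNAME "Software\Policies\Example\DomainProfile"
    POLICY !!WF_Programs
    END POLICY
    POLICY !!WF_Ports
    END POLICY
    POLICY !!WF_Other
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
WF="Windows Firewall"
WF_Domain="Domain Profile"
WF_Programs="Windows Firewall: Define program exceptions"
WF_Ports="Windows Firewall: Define port exceptions"
WF_Other="Constructed placeholder policy"
'''

def adm_policies(text):
    """Return {category path: [policy display names]} for one ADM file's text."""
    parts = re.split(r'^\[strings\]\s*$', text, maxsplit=1, flags=re.I | re.M)
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', "".join(parts[1:]), re.M))

    def name(token):
        # "!!ID" refers to an entry in [strings]; anything else is a literal name
        token = token.strip().strip('"')
        return strings.get(token[2:], token) if token.startswith("!!") else token

    path, found = [], {}
    for line in parts[0].splitlines():
        line = line.strip()
        if line.upper().startswith("END CATEGORY"):
            path = path[:-1]
        elif line.upper().startswith("CATEGORY "):
            path.append(name(line[9:]))
        elif line.upper().startswith("POLICY "):
            found.setdefault("\\".join(path), []).append(name(line[7:]))
    return found

def missing_policies(text, category, expected):
    """Names from `expected` that the ADM text does not define under `category`."""
    present = adm_policies(text).get(category, [])
    return [p for p in expected if p not in present]
```

Run against the decoded text of the ADM copy each editor is actually loading, an empty result from `missing_policies` means the file defines both settings, and a non-empty one names the settings absent from that copy.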

