Re: GPO controlled firewall incorrectly ON due to Standard instead of Domain Profile

From: Erik (umetricsdev_at_umetrics.com)
Date: 12/01/04


Date: Wed, 1 Dec 2004 15:14:20 +0100

Hello again,

The issue isn't just with laptops, but with workstations too (that never
leave the building and never hibernate). So hibernation most likely isn't
the cause of the problem.

I have checked the domain suffix (in Control Panel, System, Computer Name,
Change-button, More button) and also at the local area network connection and
they are the same in all places at least now on my machine (when all is
working). We use DHCP to configure the TCP/IP settings of the clients and
set among other things the DNS domain name.

So I'll have to wait until the problem happens the next time to check both
the domain suffixes and the RSOP on the computer that experiences the
problem.

/ Erik

"Rebecca Chen [MSFT]" <v-rebc@online.microsoft.com> wrote in message
news:l6F7wK51EHA.764@cpmsftngxa10.phx.gbl...
> Hi Erik,
>
> Good information. However, there is obvious cause we can find to resolve
> this issue. In addition, I would like to confirm that if you hibernate the
> laptop and resume it, or turn off/turn on the laptop when you connect to
> the domain. I mean, if you use the laptop outside of the office, hibernate
> it and connect to the office, resume the laptop, the GPO will not be
> applied and the firewall will be turned on. Is this the case?
>
> Since this issue occurs occasionally, please issue the RSOP (you are right
> that it is equal to gpresult /v, however, it is a GUI tool), we can see if
> the firewall policy has been correctly applied.
>
> In addition, please check XP's fully configured domain suffix. Firewall
> Group Policy is segmented into two applications, the domain profile and
> the standard profile. What determines the use of the domain profile is the
> matching of the DNS primary domain suffix to the name of the AD domain
> for the Network connection that the Windows Firewall is assigned to. If
> there is no DNS primary domain suffix (workgroup) or the DNS suffix does
> not match the name of the client's current AD domain then the standard
> profile is used. This toggling effect could be what is causing your issue.
> If the Windows XP Pro / Firewall client is using a non-configured Windows
> Firewall profile inadvertently then this could be how you are losing your
> intended Firewall configuration.
>
> Any update, let us get in touch!
>
> Best regards,
>
> Rebecca Chen
>
> MCSE2000 MCDBA CCNA
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
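
Added example, not part of the original thread: a Python sketch for the suffix check Erik plans to run when the problem recurs. It parses saved `ipconfig /all` output and applies the rule as stated in the quoted reply (an empty or non-matching suffix means the standard profile); the sample output, the domain `corp.example.com` and all function names are constructed for illustration, and the AD domain name is supplied by the caller.

```python
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS042
        Primary Dns Suffix  . . . . . . . : corp.example.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.com
        DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : Yes
"""

# "Label . . . . : value" lines; the dot leaders are dropped from the label.
FIELD = re.compile(r"^\s+(.*?)[\s.]*:\s*(.*)$")

def norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()

def parse_suffixes(text):
    """Return (primary_suffix, {adapter_header: connection_suffix})."""
    primary, adapters, current = "", {}, None
    for line in text.splitlines():
        # Adapter headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            continue
        m = FIELD.match(line)
        if not m:
            continue
        label, value = m.group(1).lower(), norm(m.group(2))
        if label == "primary dns suffix":
            primary = value
        elif label == "connection-specific dns suffix" and current:
            adapters[current] = value
    return primary, adapters

def expected_profile(suffix, ad_domain):
    """Rule as stated in the reply: empty or non-matching suffix -> standard."""
    return "domain" if suffix and norm(suffix) == norm(ad_domain) else "standard"

def report(text, ad_domain):
    """Map the primary suffix and each adapter to the profile the rule predicts."""
    primary, adapters = parse_suffixes(text)
    out = {"<primary>": expected_profile(primary, ad_domain)}
    out.update({n: expected_profile(s, ad_domain) for n, s in adapters.items()})
    return out
```

Capturing `ipconfig /all` to a file on an affected machine and running `report()` on it alongside the RSOP result shows whether a suffix mismatch coincides with the standard profile being applied.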