Re: XP machine removed from domain still gets domain policy
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Tue, 1 May 2007 23:33:39 -0700
I did not respond before because I wanted to test this. My test shows that when a computer is removed from a domain (that had a GPO setting the Firewall settings), the Firewall settings revert back to the default and local administrators can change the settings.
So, it would appear that something strange happened to your computer or I don't understand the scenario.
When you say "removed and is now in a workgroup", did you do this using Control Panel, System, Computer Name, Change... dialog or just by connecting the computer to a different LAN? In the latter case, whatever Firewall settings were made by the GPO for the "Standard Profile" will be the active firewall settings.
When I ran gpresult on the computer I removed from the domain, I got this result below. Note:
a. the "OS Configuration" is "Standalone Workstation"
b. the "Domain Type:" is "N/A<Local Computer>"
c. "Group Policy was applied from:" is "discr2.Discovery.MyRoot" which is the fully qualified name of the Domain Controller in the Domain that the computer used to be a member of
d. the only Group Policy being applied is the "Local Group Policy"
I classify item c. in this case as a "red herring" - this is left over information from when the computer was in the domain and does not mean that the computer is still applying GPOs from the Domain.
The other items indicate that indeed this computer is not in a domain and is not getting GPOs from anywhere.
Now, there are some settings that can be made via GPO from a Domain that are not "True Policies". These settings Do Not get undone when a computer is removed from the scope of the GPO. But, the Firewall settings are not in this category.
In the Group Policy Object Editor, if you select Administrative Templates, then click View, Filtering, there is a check box "Only show policy settings that can be fully managed". If this has a check mark, the Group Policy Object Editor will only show the settings that are "True Policies". You'll notice that the Network, Network Connections, Windows Firewall items all appear when this check box has a check mark - they are "True Policies".
The command
netsh firewall show state
will tell you whether the "Domain" or "Standard" firewall profile is the profile currently in use.
C:\Documents and Settings\Administrator>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 01/May/2007 at 11:11:17 PM
RSOP results for XPSP2BASE\Administrator on XPSP2BASE : Logging Mode
---------------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Standalone Workstation
OS Version: 5.1.2600
Domain Name: XPSP2BASE
Domain Type: N/A<Local Computer>
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: Yes
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 01/May/2007 at 10:57:19 PM
Group Policy was applied from: discr2.Discovery.MyRoot
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
USER SETTINGS
--------------
Last time Group Policy was applied: 01/May/2007 at 10:57:27 PM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
None
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message news:eqWTxb1gHHA.588@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have an XP machine that was a member of our 2k AD domain. The machine has since been removed and is now in a workgroup. One of the domain GPOs disabled the XP firewall and made it so that all options are greyed out. Now I would like to enable the XP firewall, but can't due to the policy still taking effect. I have run gpresult and it says that the last policy applied was from one of our DCs (a short time ago). I have also tried to re-enable in the registry but it does not let me activate the firewall :(.
Any ideas?
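The reading of gpresult output described in the reply (items a, c and d) can be automated for triage. The following is an added example, not part of the original thread: it parses saved gpresult text and flags a "Group Policy was applied from" server as a stale leftover when the machine is standalone and no GPOs are listed as applied. The function names are hypothetical and the sample is constructed from the layout of the output quoted above.

```python
import re

# Constructed sample: abbreviated gpresult text in the layout of the output quoted in the post.
SAMPLE = """\
OS Configuration:            Standalone Workstation
COMPUTER SETTINGS
------------------
    Group Policy was applied from:      discr2.Discovery.MyRoot
    Applied Group Policy Objects
    -----------------------------
        N/A
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
USER SETTINGS
--------------
    Group Policy was applied from:      N/A
"""

def field(name, text):
    m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def applied_gpos(lines):
    # Names under 'Applied Group Policy Objects'; the N/A placeholder is skipped.
    idx = [i for i, l in enumerate(lines) if l.strip() == "Applied Group Policy Objects"]
    gpos = []
    for j in (range(idx[0] + 2, len(lines)) if idx else ()):
        nxt = lines[j + 1].strip() if j + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:
            break  # lines[j] is the next underlined heading, not a GPO name
        if lines[j].strip() not in ("", "N/A"):
            gpos.append(lines[j].strip())
    return gpos

def assess(text):
    # Per section: source server, applied GPOs, and whether the source is a stale leftover.
    standalone = (field("OS Configuration", text) or "").startswith("Standalone")
    report, sections, cur = {"standalone": standalone}, {}, None
    for line in text.splitlines():
        if line.strip() in ("COMPUTER SETTINGS", "USER SETTINGS"):
            cur = sections.setdefault(line.split()[0].lower(), [])
        elif cur is not None:
            cur.append(line)
    for name, lines in sections.items():
        src, gpos = field("Group Policy was applied from", "\n".join(lines)), applied_gpos(lines)
        stale = standalone and not gpos and src not in (None, "N/A")
        report[name] = {"applied_from": src, "gpos": gpos, "stale_source": stale}
    return report
```

Calling `assess(SAMPLE)` marks the computer section's source as stale, which matches the "red herring" reading of item c.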