Re: XP machine removed from domain still gets domain policy



Bruce,
If I understand you correctly, I could use this GP to tell a laptop
computer that when it is connected to the LAN with the domain controller on
it, then turn off the firewall. However, if it is not connected to the LAN
with the domain controller it will turn on the firewall? Is that the
"Prohibit use of the Internet Connection Firewall on your DNS domain network"
policy? How does that policy work with the firewall in XP SP2? Or does it?
Should I just configure the Domain and Standard profile for the laptops in our
domain?

Thank you in advance for your help.

"Bruce Sanderson" wrote:

I did not respond before because I wanted to test this. My test shows that
when a computer is removed from a domain (that had a GPO setting the
Firewall settings), the Firewall settings revert back to the default and
local administrators can change the settings.

So, it would appear that something strange happened to your computer or I
don't understand the scenario.

When you say "removed and is now in a workgroup", did you do this using
Control Panel, System, Computer Name, Change... dialog or just by connecting
the computer to a different LAN? In the latter case, whatever Firewall
settings were made by the GPO for the "Standard Profile" will be the active
firewall settings.

When I ran gpresult on the computer I removed from the domain, I got this
result below. Note:
a. the "OS Configuration" is "Standalone Workstation"
b. the "Domain Type:" is "N/A<Local Computer>"
c. "Group Policy was applied from:" is "discr2.Discovery.MyRoot" which is
the fully qualified name of the Domain Controller in the Domain that the
computer used to be a member of
d. the only Group Policy being applied is the "Local Group Policy"

I classify item c. in this case as a "red herring" - this is left over
information from when the computer was in the domain and does not mean that
the computer is still applying GPOs from the Domain.

The other items indicate that indeed this computer is not in a domain and is
not getting GPOs from anywhere.

Now, there are some settings that can be made via GPO from a Domain that are
not "True Policies". These settings Do Not get undone when a computer is
removed from the scope of the GPO. But, the Firewall settings are not in
this category.

In the Group Policy Object Editor, if you select Administrative Templates,
then click View, Filtering, there is a check box "Only show policy settings
that can be fully managed". If this has a check mark, the Group Policy
Object Editor will only show the settings that are "True Policies". You'll
notice that the Network, Network Connections, Windows Firewall items all
appear when this check box has a check mark - they are "True Policies".

The command
netsh firewall show state
will tell you whether the "Domain" or "Standard" firewall profile is the
profile currently in use.

C:\Documents and Settings\Administrator>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 01/May/2007 at 11:11:17 PM


RSOP results for XPSP2BASE\Administrator on XPSP2BASE : Logging Mode
---------------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Standalone Workstation
OS Version: 5.1.2600
Domain Name: XPSP2BASE
Domain Type: N/A<Local Computer>
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: Yes


COMPUTER SETTINGS
------------------

Last time Group Policy was applied: 01/May/2007 at 10:57:19 PM
Group Policy was applied from: discr2.Discovery.MyRoot
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------

Last time Group Policy was applied: 01/May/2007 at 10:57:27 PM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
None
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:eqWTxb1gHHA.588@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have an XP machine that was a member of our 2k AD domain. The machine
has since been removed and is now in a workgroup. One of the domain GPOs
disabled the XP firewall and made it so that all options are greyed out,
now I would like to enable the XP firewall, but can't due to the policy
still taking effect. I have run gpresult and it says that the last policy
applied was from one of our DCs (a short time ago). I have also tried to
re-enable in the registry but it does not let me activate the firewall :(.

Any ideas?
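
Added example, not part of any post in this thread: a Python sketch that reads gpresult text the way Bruce Sanderson's reply does (items a, b and d decide whether domain policy is in force; a DC name under "Group Policy was applied from" on a standalone machine is reported as leftover). The function names and result keys are assumptions, and the sample is abridged from the output quoted above.

```python
# Abridged from the gpresult output quoted in the thread.
SAMPLE = """\
OS Configuration: Standalone Workstation
Domain Name: XPSP2BASE
Domain Type: N/A<Local Computer>

COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 01/May/2007 at 10:57:19 PM
Group Policy was applied from: discr2.Discovery.MyRoot

Applied Group Policy Objects
-----------------------------
N/A

USER SETTINGS
--------------
Group Policy was applied from: N/A
"""

def parse_gpresult(text):
    """Return (fields, applied): 'Key: value' pairs seen before USER SETTINGS,
    and the entries under the computer's 'Applied Group Policy Objects'."""
    fields, applied, in_applied = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "USER SETTINGS":
            break                      # only the computer section matters here
        if line == "Applied Group Policy Objects":
            in_applied = True
        elif in_applied:
            if not line:
                in_applied = False     # a blank line closes the list
            elif not set(line) <= {"-"} and line != "N/A":
                applied.append(line)   # skip the underline and the N/A marker
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, applied

def assess(text):
    """Hypothetical helper: apply items a, b, c and d from the reply."""
    fields, applied = parse_gpresult(text)
    standalone = (fields.get("OS Configuration", "").startswith("Standalone")
                  and fields.get("Domain Type", "").startswith("N/A"))
    source = fields.get("Group Policy was applied from", "N/A")
    return {
        "domain_member": not standalone,
        "applied_computer_gpos": applied,
        # Item c: a DC name with nothing applied is leftover information.
        "stale_applied_from": standalone and not applied and source != "N/A",
    }
```

On the machine itself, the text would come from saving the output of gpresult to a file and passing its contents to assess().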

