Re: GPO for Windows Firewall: Port Exceptions not working
- From: "Cary Shultz" <cshultz@xxxxxxxxxxxxxxx>
- Date: Sat, 25 Jul 2009 21:04:00 -0400
Mixit,
Meinolf and Ace are old hats to this stuff....as am I.
We all started at one point or another and - while I will not speak for either of those fine gentlemen - I can tell you that I was a bit cross-eyed at the beginning. Eventually the light does go on! Believe you me....I ain't that bright...so if I can do it so can you.
To give you a maybe not so brief overview of what Group Policy is (and the name is not doing anyone any favors...it is a bit misleading for a "rookie" like yourself) and how to make heads or tails out of it, consider the following:
1) You would use a Group Policy Object to accomplish a task (or set of tasks) that need to be performed for multiple computers or for multiple users.
2) So, instead of walking from computer to computer to computer to computer you simply create the Group Policy object and link it to the OU in question.
Okay...so let's stop there for a second. I used a couple of terms.....
"Link" the GPO to an "OU".......
Huh?
Okay, when you create a Group Policy Object this "object" simply lives in Active Directory (we are going Big Picture here so let's just leave that at that!). It is an object, like everything else (like a computer or a user). You can - if you wanted - create 25 GPOs and not do anything with them. Your choice!
Now, once you have created a Group Policy Object you need to "LINK" that object to an Organizational Unit (well, there are actually four places where you can link a GPO....we will get to that in a second....let's just focus - for now - on the Organizational Unit level...since that is where most of the action normally is).
Okay, so how do I link a GPO to an OU? Open up the GPMC (Group Policy Management Console), expand the Domain selection, choose the domain of choice and then navigate down to the "Group Policy Objects" section. This shows you the actual Group Policy Objects that exist. Out of the box you will see only two: the Default Domain Policy and the Default Domain Controllers Policy. It is probably a *REALLY* good idea to leave these two alone. In other words: Look, but do not touch. Let's go up a couple of levels now...I just wanted you to see all of the Group Policy Objects. Go to the Domain section. Select the domain of choice (in most environments there is probably only one domain). You will see all of the Organizational Units. Now, notice that I specifically stated OUs. You do not see the containers (such as the USERS container or the COMPUTERS container). This is because you cannot link a GPO to a container (okay...okay...not 100% true....as we will see in a moment...just go with that for the moment). If you were to - inside the GPMC - right click on one of those OUs you would see an option to "Link an existing GPO". You would also see an option to "Create and Link a GPO". So, if you did not already have the GPO that you wanted you could create it and link it to that OU. If the GPO already exists, you simply select "Link an existing GPO".....
Now - more on GPOs specifically. There are two sides to this topic: the Users side and the Computers side. When you create a GPO you are *normally* focused on one side or the other.
For example, one of the things that I do when we take over a new client is to create a "CLIENT WS GPO" and I populate this GPO with computer-side things. I, for example, disable the Windows Firewall. I do lots and lots and lots of things....all of them are found in the computer side. I then link this GPO to the OU that contains all of the computer account objects.
I also create a "CLIENT USER GPO" and I populate this GPO with user-side things. I, for example, set some things for IE. I do lots of other things as well....again, all of them are found in the user side. I then link this GPO to the OU that contains all of the active user account objects.
So, hopefully things are clearing up a bit. You link GPOs to OUs (and to other areas....getting to that in a second) and you *generally* segment things into user-side and into computer-side. Please remember that this is a Big Picture overview with just the basics. As you progress you will find that some of the things that I am saying are not 100% true (that is why I am putting in things like 'you *generally* segment' and 'okay...okay...not 100% true' in here...). You accomplish all of this using the Group Policy Management Console SP1, generally speaking.
Now, if you had an OU that contained both user account objects and computer account objects and you linked my "CLIENT USER GPO" GPO to that OU then only the users would "process" that GPO. Similarly, if you had that same OU and you linked my "CLIENT WS GPO" GPO to that OU then only the computers would "process" that GPO.
How do you know who is processing what?
Well, on the actual client you can use something called gpresult. That will tell you a lot. If you want to do this server-side then you can use the GPMC tool mentioned 100 times in this post.
I mentioned that there are four areas where a GPO can be linked. Those four are - and specifically in this (pecking) order: Local, Site, Domain, OU.
What does that mean? Okay...on each machine if you open up Start | Run and type in gpedit.msc you will access the local Group Policy Manager on that specific machine. Anything that you set in there is specific to that particular machine. You can also link things at the Site-level. I might suggest that you avoid this level for the time being. In WIN2000 this was a hit-and-miss thing (but there were ways to help accomplish that) but things are much better in WIN2003 and WIN2008. Still, for the moment stay away from this level. The third man on the totem pole is the domain level. Be careful here as any GPO that you set at this level will affect all users (or all computers). *ALL* is the operative word here. Let's not talk about Security Filtering for the moment. Let's just stick with the defaults (Authenticated Users). So, walk carefully here. The fourth and final level is the OU. This is where you will probably be doing most of your work!
Now, that pecking order is also the answer to "who wins" if you have GPOs linked at different levels that have the same settings set. Another way to think of it is last man standing. The GPOs are processed according to the pecking order I established a moment ago: Local, Site, Domain and OU. So, say that you have a GPO linked at the Domain level that enables the Windows Firewall. Say that you have an OU that contains most of your computer account objects and you have a GPO linked to that OU that disables the Windows Firewall. For all of the computers in that OU the Windows Firewall will be disabled. Because the GPO from the Domain Level is applied to the computers and then the GPO from the OU level is applied to the computers. If there are overlapping settings then the "last man standing" wins and in this case that "last man standing" is the GPO linked at the OU level.
Does this help?
"MIXIT" <MIXIT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2047934B-16D1-4A2C-952F-906830E761A4@xxxxxxxxxxxxxxxx
Thanks both to Meinolf and Ace. I'll process what you're saying and give it
a try. It's clear to me that I don't know much about GPO's at this point
because half of what you said, at first glance, is confusing but it certainly
sounds like standard stuff for experienced people with GPO's - so it doesn't
appear impossible for the likes of me but we'll see :) . I'll give that all
a try and will post back here again soon.
Thanks!
"Ace Fekay [MCT]" wrote:
"MIXIT" <MIXIT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:79112F1F-8DE2-4AD7-8EE2-30E171E18CDC@xxxxxxxxxxxxxxxx
> Hi all,
>
> This is my first post to technet and I just have to ask, what's with that
> "Select a Discussion Group" dropdown list? Jeez :)
>
> I have a Win2003 Std server as the sole DC in a small network, with XP Pro
> SP3 and Vista Business clients (mostly SP1, a few SP2's).
>
> In order to set up pcAnywhere correctly I'll need to open ports 5631:TCP
> and 5632:UDP on all the clients.
>
> I believe I've edited the correct GPO but the settings are not going to
> any of the systems.
>
> The GPO setup is as follows:
> -Forest: AAAAA.org > -Domains > AAAAA.org > Group Policy Objects > 6 GPO's
> listed (I'll call them GPO 1 through 4 + the Defaults). The first four
> represent the different main user groups in the company. Not sure if this
> is ideal but I inherited this setup.
>
> 1. GPO1 (Computer Configuration settings Disabled)
> 2. GPO2 (Computer Configuration settings Disabled)
> 3. GPO3 (Enabled)
> 4. GPO4 (Computer Configuration settings Disabled)
> 5. Default Domain Controller Policy (All Settings Disabled)
> 6. Default Domain Policy (All Settings Disabled)
>
> GPO3 would be the groupname that would apply to the systems I'm testing if
> anything would but I'm not sure where to verify that. If editing this GPO,
> in the bottom right under the filtering section where the GPO is applied
> to objects, there is the usergroup this person belongs to, and I've also
> added the computer she uses that I'm trying to put this port exception to.
> I remote to her system (with firewall service off so I can get there), and
> searching the registry shows nothing, even after a gpupdate /force.
>
> I noticed that there are no GPO's Linked to the AAAAA.org domain, they're
> just listed in the Group Policy Objects collapsible list in the GPMC. So I
> created a link between my testing GPO and the single domain. Still nothing
> works.
>
> I don't have a clue what to do next. Can anyone spot what I'm missing?
I agree with Meinolf. DO NOT alter the default GPOs. Create OUs to organize
your users and machines, that means a separate GPO for the office, then
under that, create child OUs for users, computers, servers (except DCs),
laptops, etc.
Also you do not want to link a firewall GPO to the domain level, otherwise
the DCs will be affected.
Then on the computers and laptop OUs, create a separate GPO for the firewall
settings, and link the GPO to their OUs.
Here are some guidelines for the actual GPO firewall settings. These work
for me. I tried to substitute the settings for your configuration, but you
have to make sure the exe names, paths, etc, are correct for your pcAnywhere
installations. Also substitute the actual subnet IDs.
================
Port Exceptions:
example:
port#:Transport:subnet:enabled:Name Of Service
___
5631:TCP:localsubnet,172.23.0.0/16,172.31.0.0/16,172.16.1.0/24,172.22.0.0/16:enabled:PCAnywhere Data Port (TCP 5631)
5632:UDP:localsubnet,172.23.0.0/16,172.31.0.0/16,172.16.1.0/24,172.22.0.0/16:enabled:PCAnywhere Status Port (UDP 5632)

Program Exceptions: (substitute the exact path and actual executable name)
___
%programfiles%\symantec\pcanywhere\pcanywhereServerExecutable.exe:*:enabled:PCAnywhere Server
%programfiles%\symantec\pcanywhere\pcanywhereViewerExecutable.exe:*:enabled:PCAnywhere Viewer

Setting                                                                  State
___
Windows Firewall: Protect all network connections                        Enabled
Windows Firewall: Do not allow exceptions                                Disabled
Windows Firewall: Define program exceptions                              Enabled
Windows Firewall: Allow local program exceptions                         Enabled
Windows Firewall: Allow remote administration exception                  Enabled
Windows Firewall: Allow file and printer sharing exception               Enabled
Windows Firewall: Allow ICMP exceptions                                  Enabled
Windows Firewall: Allow Remote Desktop exception                         Enabled
Windows Firewall: Allow UPnP framework exception                         Not configured
Windows Firewall: Prohibit notifications                                 Not configured
Windows Firewall: Allow logging                                          Not configured
Windows Firewall: Prohibit unicast response to multicast or broadcast requests   Not configured
Windows Firewall: Define port exceptions                                 Enabled
Windows Firewall: Allow local port exceptions                            Enabled
==================
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
http://twitter.com/acefekay
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
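Ace's exception strings follow the Windows Firewall policy syntax of port:transport:scope:status:name for "Define port exceptions" and path:scope:status:name for "Define program exceptions", where scope is either "*" or a comma-separated list of "localsubnet" and IPv4 addresses or subnets. The Python lint below is an added illustration, not part of Ace's post or of any Microsoft tool: it checks a batch of such strings for the mistakes that silently produce "the setting is not going anywhere" (bad port, TPC instead of TCP, an impossible subnet prefix, a misspelled status) and warns when a remote-control port is scoped to "*". The pcAnywhere executable path is the placeholder from Ace's post, and the broken entries are constructed test inputs.

```python
"""Lint Windows Firewall GPO exception strings before pasting them into a GPO.

Syntax (XP SP2 / Server 2003 era policies, as used in Ace's post):
    port exception:    port:transport:scope:status:name
    program exception: path:scope:status:name
scope is "*" (any address) or a comma-separated list of "localsubnet"
and IPv4 addresses or CIDR subnets.
"""
import ipaddress
from dataclasses import dataclass, field

VALID_TRANSPORTS = {"TCP", "UDP"}
VALID_STATUS = {"enabled", "disabled"}


@dataclass
class Finding:
    entry: str
    problems: list = field(default_factory=list)   # entry would be rejected or misapplied
    warnings: list = field(default_factory=list)   # entry parses but deserves a second look

    @property
    def ok(self):
        return not self.problems


def check_scope(scope, finding):
    """Validate the scope field; flag '*' because it admits every source address."""
    if scope.strip() == "*":
        finding.warnings.append("scope '*' allows any source; restrict to subnets if possible")
        return
    for token in scope.split(","):
        token = token.strip()
        if token.lower() == "localsubnet":
            continue
        try:
            ipaddress.ip_network(token, strict=False)   # accepts 10.1.2.3 and 172.23.0.0/16
        except ValueError:
            finding.problems.append(f"bad scope token {token!r}")


def check_status(status, finding):
    if status.strip().lower() not in VALID_STATUS:
        finding.problems.append(f"status {status!r} must be enabled or disabled")


def lint_port_exception(entry):
    """Check one port exception string and return a Finding."""
    finding = Finding(entry)
    parts = entry.split(":", 4)   # name is last and may contain colons, so split at most 4 times
    if len(parts) != 5:
        finding.problems.append("expected port:transport:scope:status:name")
        return finding
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        finding.problems.append(f"port {port!r} is not in 1-65535")
    if transport.strip().upper() not in VALID_TRANSPORTS:
        finding.problems.append(f"transport {transport!r} must be TCP or UDP")
    check_scope(scope, finding)
    check_status(status, finding)
    if not name.strip():
        finding.problems.append("empty name")
    return finding


def lint_program_exception(entry):
    """Check one program exception string; the path may contain a drive-letter colon."""
    finding = Finding(entry)
    parts = entry.rsplit(":", 3)   # split from the right so C:\... stays intact
    if len(parts) != 4:
        finding.problems.append("expected path:scope:status:name")
        return finding
    path, scope, status, name = parts
    if not path.strip().lower().endswith(".exe"):
        finding.problems.append(f"path {path!r} does not name an .exe")
    check_scope(scope, finding)
    check_status(status, finding)
    if not name.strip():
        finding.problems.append("empty name")
    return finding


def lint_all(port_entries, program_entries):
    """Return every Finding that has a problem or warning, in input order."""
    findings = [lint_port_exception(e) for e in port_entries]
    findings += [lint_program_exception(e) for e in program_entries]
    return [f for f in findings if f.problems or f.warnings]


if __name__ == "__main__":
    # Constructed sample: Ace's two scoped port rules plus deliberately broken entries.
    ports = [
        "5631:TCP:localsubnet,172.23.0.0/16,172.31.0.0/16,172.16.1.0/24,172.22.0.0/16:enabled:PCAnywhere Data Port (TCP 5631)",
        "5632:UDP:localsubnet,172.23.0.0/16,172.31.0.0/16,172.16.1.0/24,172.22.0.0/16:enabled:PCAnywhere Status Port (UDP 5632)",
        "5631:TPC:localsubnet:enabled:typo in transport",
        "5632:UDP:localsubnet,172.23.0.0/33:enabled:bad prefix length",
        "5631:TCP:*:enabled:reachable from anywhere",
    ]
    programs = [
        # placeholder path from Ace's post, not a real pcAnywhere file name
        r"%programfiles%\symantec\pcanywhere\pcanywhereServerExecutable.exe:*:enabled:PCAnywhere Server",
        r"C:\Tools\agent.exe:localsubnet:on:status typo",
    ]
    for f in lint_all(ports, programs):
        print(f.entry)
        for p in f.problems:
            print("  PROBLEM:", p)
        for w in f.warnings:
            print("  warning:", w)
```

Running the script prints only the entries that need attention; the two rules taken from Ace's post pass, the three constructed port entries report a transport typo, an invalid /33 prefix and a "*" scope warning, and the second program entry reports the misspelled status. Splitting program entries from the right is what keeps a full path such as C:\Tools\agent.exe in one piece.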