Re: WXP SP2 Woes
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 08/20/04
- Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: 64bit system?"
- Previous message: Steventoo: "Re: Shared Inbox.....?"
- In reply to: Steve Kemp: "Re: WXP SP2 Woes"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: WXP SP2 Woes"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 19 Aug 2004 17:15:14 -0700
Download details: Update for Windows Server 2003 (KB842933):
http://www.microsoft.com/downloads/details.aspx?familyid=532a4cd0-f2ce-4fa7-92ab-ac336ad18409&displaylang=en
It's official.
This is the manual instructions
Try this:
Without the special Small Business Server 2003 group policy settings
patch, you can manually update the group policy settings:
1. Install Windows XP SP2 on a computer that is a member of the domain
that contains the computer accounts of the other computers running
Windows XP on which you plan to install Windows XP SP2.
2. Restart the computer and log on to the Windows XP SP2 computer as a
member of the Domain Administrators security group, the Enterprise
Administrators security group, or the Group Policy Creator Owners
security group.
3. From the Windows XP desktop, click Start, click Run, type mmc, and
then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. On the Standalone tab, click Add.
6. In the Available Standalone Snap-ins list, click Group Policy Object
Editor, and then click Add.
7. In the Select Group Policy Object dialog box, click Browse.
In the Browse for a Group Policy Object, click the Group Policy object
that you want to update with the new Windows Firewall settings.
8. Click OK.
9. Click Finish to complete the Group Policy Wizard.
10. In the Add Standalone Snap-in dialog box, click Close.
11. In the Add/Remove Snap-in dialog box, click OK.
In the console tree, open Computer Configuration, Administrative
Templates, Network, Network Connections, and then Windows Firewall.
Repeat this procedure for every Group Policy object that is being used
to apply Group Policy to computers that will have Windows XP SP2 installed.
Steve Kemp wrote:
> OK, it seems that I am not being clear enough.... :-)
>
> I can find the appropriate GP key to define the firewall settings, most of
> the setting are there (allow exceptions etc), however the specific ones you
> you mention below "Windows Firewall: Define Program Exceptions" and "Windows
> Firewall: Define Port Exceptions" are missing!
>
> So my original question remains, is this due to the GPEDIT.MSC bug (strings
> too long, therefore I must have the "not ready for release" hotfix to
> resolve it), or is it another issue? I can deal with the strings being too
> long (as it is only an annoyance) and would rather wait for this hotfix to
> become official and tested before installing it. However if applying it is
> the only way to repair my missing GP settings, then I will call to recieve
> this hotfix before it's official release.
>
> This was my original question, I always knew how to add the program and port
> exceptions through GP (or at least I read how), the mechanism in the GP tool
> is what has been missing. How do I repair this? Is the problem repaired by
> the numerously mentioned, but not ready for official release, hotfix?
>
> Maybe you are both trying to tell me that the hotfix will repair my missing
> settings, but that isn't very clear :-)
>
> Cheers,
>
> Steve K.
>
>
> "Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
> wrote in message news:uBzeKzjhEHA.3992@TK2MSFTNGP11.phx.gbl...
>
>>Hi Steve. As Susan has mentioned call MS Support and ask them for the
>>Hotfix to resolve your error regarding the strings section being too long.
>>The patch is available for free but not publicly, only if you call.
>>
>>In terms of the Symantec AV Exceptions as you know you will have to add
>>the exceptions. This is possible by GP, and you should be able to see the
>>GP settings to do this. They are located in
>>
>>Computer Configuration
>> Administrator Templates
>> Network
>> Network Connections
>> Windows Firewall
>> Domain Profile
>>
>>
>>Just in case you haven't worked through the Symantec Documents yet, the
>>entries you will need to allow remote client deployment, remote
>>configuration of clients using Symantec System Centre, and the ability for
>>updates to be pushed to the clients are listed below (I run Symantec Corp
>>Edtn 9.0):
>>
>>
>>Windows Firewall: Define Program Exceptions -
>>
>>%Program Files%\Symantec AntiVirus\Rtvscan.exe:[serverIP]:enabled:Symantec
>>Client Security Rtvscan
>>
>>%Program
>>Files%\Symantec\LiveUpdate\LuComServer.exe:[serverIP]:enabled:Symantec
>>Client Security LuComServer
>>
>>
>>Windows Firewall: Define Port Exceptions
>>
>>2967:UDP:[serverIP]:enabled:Symatec System Centre Control
>>(The symantec documets have an error and actually state TCP which is
>>wrong.)
>>
>>
>>The only thing which I find irritating with the new GP options is that it
>>isn't possible to edit any of the above once you create them. If you make
>>a typo it has to be deleted and recreated. I'm not sure whether the
>>Strings Section too long patch is related to this, forgot to call and get
>>it this morning :)
>>
>>--
>>Hth,
>>Stuart Mackie [MCP, MSP]
>>www.stu.uk.com
>>
>>
>>
>>"Steve Kemp" <SPAM_kempsl1154_SPAM@hotmail.com> wrote in message
>>news:eu2ny1ihEHA.2620@TK2MSFTNGP10.phx.gbl...
>>
>>>See below
>>>
>>>"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
>>>wrote in message news:uQ2MzbihEHA.4092@TK2MSFTNGP10.phx.gbl...
>>>
>>>>1. Get the hotfix and that will do the trick
>>>>
>>>>842933 - "The following entry in the [strings] section is too long and
>>>>has been truncated" error message when you try to modify or to view GPOs
>>>>in Windows Server 2003, Windows XP Professional, or Windows 2000:
>>>>http://support.microsoft.com/default.aspx?scid=kb;en-us;842933
>>>>
>>>>It will be out on the download site pretty soon and yes, it's been
>>>>tested.
>>>
>>>I can wait for the final hot fix if this is not related to my #2 issue...
>>>
>>>
>>>>2. This is expected firewall behavior. If you have a console based A/V
>>>>that has to have listen ports you will need to do this. They can't
>>>>write a comprehensive all covering all knowing white paper.. this is why
>>>>we're here.
>>>>
>>>>You have to either add the strings. They aren't going to do this for
>>>>you. It's not going to be build into the group policy as Symantec uses
>>>>one set, trend uses another listening port, Etrust another and so on.
>>>>They'd have so many blasted holes poked it would be swiss cheese.
>>>>
>>>>Don't wait until this is "resolved", you have to resolve it.
>>>
>>>Add the strings? The GP tool does not have an entries for "Windows
>>>Firewall: Define program exceptions" or Windows Firewall: Define port
>>>exceptions". I could define these for the AV client if these were
>>>present, but they are missing for some reason. OR do you mean there is
>>>some way to add these missing settings (they are fully described in the
>>>white paper and they also exist on the WinXPSP2 local GP tool... but
>>>missing on my server)?
>>>
>>>I'd love to resolve it, and I have the documentation to resolve it, but
>>>it would seem that I have a malfunctioning GPEDIT.MSC or system.adm
>>>template file on my SBS2003.
>>>
>>>
>>>
>>>>
>>>>Steve Kemp wrote:
>>>>
>>>>
>>>>>I am testing WXP SP2 on my SBS2003 network... I have also installed the
>>>>>SBS2K3 hotfix for WinXPSP2 clients (KB 872769), this hotfix essentially
>>>>>adds GP settings for the WXP client firewall. I have also read the
>>>>>Deployment whitepaper for XP SP2 (KB 872769).
>>>>>
>>>>>Problems:
>>>>>
>>>>>1. The GPEDIT.MSC complains about numerous strings being too long (a
>>>>>result of the SBS hotfix).
>>>>>2. The Windows Firewall GP settings is missing a number of entries
>>>>>described in the above whitepaper. Specifically I want to enable
>>>>>Symantec AntiVirus Corporate Edition clients (through GP settings) to
>>>>>communicate properly with my Symantec Antivirus server, which pushes
>>>>>settings, virus definition updates etc. to the clients - Done through
>>>>>the "Windows Firewall: Define program exceptions" setting.
>>>>>
>>>>>The MS knowledge base acknowledges the 1st problem (did they test the
>>>>>hotfix? KB 842933), but not the second. Does anyone know if the two are
>>>>>related? Has anyone else experience #2? Or is MS have their
>>>>>documentation writers ahead of their developers? Is their a place I can
>>>>>download a "system.adm" file that has the missing settting? I don't
>>>>>relish the idea of having to run around manually setting firewall
>>>>>settings, then also trying to remember to do the same everytime we add
>>>>>a new system to the network. I will not roll out SP2 until issue #2 is
>>>>>resolved.
>>>>>
>>>>>Cheers,
>>>>>
>>>>>Steve K.
>>>>
>>>>--
>>>>http://www.sbslinks.com/really.htm
>>>>
>>>
>>>
>>
>
>
-- http://www.sbslinks.com/really.htm
- Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: 64bit system?"
- Previous message: Steventoo: "Re: Shared Inbox.....?"
- In reply to: Steve Kemp: "Re: WXP SP2 Woes"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: WXP SP2 Woes"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
