RE: group policy



HOLD THE PHONE!
Windows firewall settings should NOT be propagating to any servers. Domain
Controllers and server OUs should be set to not allow inheritance. ONLY use
manually linked GPOs for servers.
Unless you LIKE nested GPO settings :)
I should tell you of some nightmares I had last year with such issues. Hah!

K.I.S.S. is the best policy and makes life SO much easier.
--
Patrick Burwell
Network Engineer


"Marcus K" wrote:

Steven,
Ok! Thank you for the response. It wasn't exactly the solution, but it did
point me in the right direction.
Based on what you said about the settings having to be under the domain
profile section, I redid an RSOP to see which policy was winning for the two
particular settings. Turns out the domain policy was winning for 'enable file
and printer sharing' and Server 2003 windows firewall was winning for 'remote
desktop' exception. When I went into the detail settings they were set as
enabled and exception set to 'Localsubnet' for the file and printer sharing
and 'subnet' for the remote desktop. So I disabled the settings under the
domain and server firewall policies, which allowed the windows firewall policy
to take precedence, and it worked!
Cheers.
Guess I won't be changing any settings on the default server GPOs after
this. I am going to ensure they are set to default and I can change the
settings on any new policies I implement.

--
Thanks
Marcus K
Bus Mgr
Alcohol & Drug Foundation
"helping U choose a better life"


"Steven Zhu [MSFT]" wrote:

Hi Marcus,

Thanks for taking time to respond.

Actually, after a Group Policy object has been updated, it can be
configured for Windows Firewall settings that are appropriate for Windows
Firewall and the use of management, server, listener, or peer applications
and services that are being run on your computers running Windows XP with
SP2.

Based on my knowledge, the issue is somewhat weird because usually the
"Windows Firewall" settings should work properly in Group Policy. So before
we go any further, I'd like you to double-check whether you have correct
configuration in Group Policy:

1. Open Group Policy Object Editor -> Computer Configuration ->
Administrative Template -> Network -> Network Connections -> Windows
Firewall -> Domain Profile.

- The domain profile settings that are used by the computers when they are
connected to a network that contains domain controllers for the domain of
which the computer is a member.
- The standard profile settings that are used by the computers when they
are connected to a network that does not contain domain controllers for the
domain of which the computer is a member.

2. Windows Firewall: Allow file and print sharing exception --- Enable, and
type "*" in "Allow unsolicited incoming message from" box.

3. Windows Firewall: Allow Remote Desktop exception --- Enable, and type
"*" in "Allow unsolicited incoming message from" box.

4. Run gpupdate.exe /force command on Domain Controller.

Please let me know whether the issue persists after you finished the above
steps. I am looking forward to your reply.

Have a good day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
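
An added example, not part of any post in this thread: a PowerShell check that reports what policy has delivered to a machine for the two exceptions discussed above, in both firewall profiles, and flags any that are enabled with a scope of "*". It assumes these Administrative Template settings are stored under the `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall` policy key and that PowerShell 3.0 or later is available.

```powershell
# Added example: audit the policy-delivered state and scope of the
# file/printer sharing and Remote Desktop exceptions on the local machine.
# Assumption: the Windows Firewall Administrative Template settings are
# written under this policy key, one subkey per profile and per service.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profiles = 'DomainProfile', 'StandardProfile'
$services = @{
    FileAndPrint  = 'Allow file and printer sharing exception'
    RemoteDesktop = 'Allow Remote Desktop exception'
}

$report = foreach ($p in $profiles) {
    foreach ($svc in $services.Keys) {
        $key   = Join-Path $base "$p\Services\$svc"
        $state = 'Not configured'
        $scope = ''
        if (Test-Path $key) {
            $v     = Get-ItemProperty -Path $key
            $state = if ($v.Enabled -eq 1) { 'Enabled' } else { 'Disabled' }
            $scope = [string]$v.RemoteAddresses
        }
        # The scope is a comma-separated list; "*" means any source address.
        $entries = $scope -split ',' | ForEach-Object { $_.Trim() }
        [pscustomobject]@{
            Profile   = $p
            Setting   = $services[$svc]
            State     = $state
            Scope     = $scope
            OpenToAny = ($state -eq 'Enabled' -and $entries -contains '*')
        }
    }
}

$report | Sort-Object Profile, Setting | Format-Table -AutoSize

# Summarise anything that accepts unsolicited traffic from every address.
$wide = @($report | Where-Object { $_.OpenToAny })
if ($wide.Count -gt 0) {
    Write-Warning "$($wide.Count) exception(s) enabled with scope '*'"
}
```

The output shows the merged result only; an RSoP report, as used earlier in the thread, identifies which GPO supplied each value.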







