Guest Usenet
Posted April 5, 2008

I have the following GPO applied to an OU containing our workstations:

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Windows Firewall with Advanced Security
          Global Settings
            Policy                                   Setting
            Policy version                           Not Configured
            Disable stateful FTP                     Not Configured
            Disable stateful PPTP                    Not Configured
            IPsec exempt                             Not Configured
            IPsec through NAT                        Not Configured
            Preshared key encoding                   Not Configured
            SA idle time                             Not Configured
            Strong CRL check                         Not Configured
          Domain Profile Settings
            Policy                                   Setting
            Firewall state                           Off
            Inbound connections                      Not Configured
            Outbound connections                     Not Configured
            Apply local firewall rules               Not Configured
            Apply local connection security rules    Not Configured
            Display notifications                    Not Configured
            Allow unicast responses                  Not Configured
            Log dropped packets                      Not Configured
            Log successful connections               Not Configured
            Log file path                            Not Configured
            Log file maximum size (KB)               Not Configured
          Connection Security Settings
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local machine.
      Network/Network Connections/Windows Firewall/Domain Profile
        Policy                                                       Setting    Comment
        Windows Firewall: Protect all network connections            Disabled
      Network/Network Connections/Windows Firewall/Standard Profile
        Policy                                                       Setting    Comment
        Windows Firewall: Protect all network connections            Enabled
      System/Logon
        Policy                                                       Setting    Comment
        Always wait for the network at computer startup and logon    Enabled
User Configuration (Enabled)
  No settings defined.

What we're seeing is that on many workstations the XP firewall remains on when they are booted up on the domain, until you run "gpupdate /force" at which point the firewall switches off.

If you run "gpresult" before running the gpupdate /force Windows shows the GPO as being applied.

Does anyone have any suggestions please?

We have what I would consider to be a normal, flat network, single subnet with a 2003 R2 DHCP server i.e. nothing unusual to my mind.

Thanks in advance.

Guest Meinolf Weber
Posted April 5, 2008

Re: XP Firewall GPO not applying at startup

Hello usenet,

Check out this one:

Computer Configuration - Administrative Templates - Network - Network Connections - Prohibit use of Internet Connection Firewall on your DNS domain

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Guest Bruce Sanderson
Posted April 7, 2008

Re: XP Firewall GPO not applying at startup

Windows XP does not have the "Windows Firewall with Advanced Security". Most of the settings in Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security settings will be ignored by Windows XP SP2 computers.

The settings in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall are for managing the firewall on Windows XP SP2 computers.

Whether the "Domain" or "Standard" "Profile" will be applied depends on some DNS settings - this is explained in the article at http://technet.microsoft.com/en-ca/library/bb878049.aspx.

The experience we had with this when we initially configured the XP Firewall via GPO is that the XP workstations did not initially correctly determine whether they were connected to the "managed" (Domain) network or not and selected the "Standard Profile" even when connected to the office (managed) network. However, after several restarts, they made the correct determination and the "Domain Profile" was correctly applied when they were actually connected to the in office network and the "Standard Profile" when they were not (e.g. laptops in use out of the office).

Unfortunately, we were never able to determine exactly what was causing the incorrect firewall selection, but the problem went away by itself after the computers were restarted several times.

The command

    netsh firewall show currentprofile

reports whether the "Domain" or "Standard" profile is in use.

--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.

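The checks the reply above points to, gathered into a startup-time diagnostic; this is an added example and not part of the thread. It assumes the script is run as a computer startup script on XP SP2, the log path is a placeholder, and the History\NetworkName value is the network name Microsoft's network-determination documentation describes XP comparing against the connection-specific DNS suffix.

```batch
@echo off
rem Added example, not from the thread: record which firewall profile XP
rem selected at boot, plus the inputs that drive the Domain/Standard choice.
rem LOG is a placeholder path; adjust for your environment.
setlocal
set "LOG=%SystemRoot%\Temp\fw-profile.log"

call :section "boot %DATE% %TIME% on %COMPUTERNAME%"

rem Profile the firewall believes it is on (command from the reply above).
call :section "netsh firewall show currentprofile"
netsh firewall show currentprofile >>"%LOG%" 2>&1

rem Operational mode the firewall reports for its profiles.
call :section "netsh firewall show opmode"
netsh firewall show opmode >>"%LOG%" 2>&1

rem Connection-specific DNS suffix the adapters have at this moment.
call :section "DNS suffixes"
ipconfig /all | findstr /i /c:"DNS Suffix" >>"%LOG%" 2>&1

rem Network name stored by the last Group Policy refresh. A mismatch with
rem the suffix above means the Standard profile is selected.
call :section "Group Policy History NetworkName"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v NetworkName >>"%LOG%" 2>&1

rem Values written by the Administrative Templates firewall settings.
for %%P in (DomainProfile StandardProfile) do (
    call :section "policy %%P EnableFirewall"
    reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\%%P" /v EnableFirewall >>"%LOG%" 2>&1
)
endlocal
goto :eof

:section
>>"%LOG%" echo.
>>"%LOG%" echo ---- %~1 ----
goto :eof
```

Comparing the log from a boot where the firewall stayed on with one taken after "gpupdate /force" shows whether the profile, the DNS suffix or the stored network name differed between the two.
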