Friday, March 23, 2012 8:19 PM
In our default domain policy we have enabled Windows Firewall and force the use of the firewall on Private and Public networks. This works great for client control. We want to override this policy for servers such that we can choose to enable or disable the firewall for those networks and created a "Server Exclusion" GPO that's linked to the OU where the servers are assigned. In that we tried overriding the Private and Public profile settings either by setting the state to "Not Configured" or explicitly Off, but after making those changes and updating group policy on the servers they still have the firewall listed as engaged on both networks. The gpresults report also shows that the Default Domain Policy values were applied here and not the OU specific server exclusion GPO.
What I really want to use for Public and Private networks is "Not Configured" as I would like the option to turn the firewall on or off selectively on different servers, but how can I even get this OU specific GPO to override the 'On' settings in the Domain Default policy GPO?
Friday, March 23, 2012 9:48 PM
Try to prevent conflicting settings.
There are a few possible solutions:
1. Create two new GPOs
first one: firewall-clients
second one: firewall-servers
Now you put all your servers in a security group.
You use this group for filtering.
You can deny access for this group on the first policy and grant access to this group in the second one.
2. Create one new policy: firewall-clients
Exclude all servers by using a WMI Filter:
SELECT * FROM Win32_OperatingSystem WHERE Version > "6" AND ProductType LIKE "1"
MVP Group Policy - Myths, insider information and troubleshooting on the topic of GPOs: Let's go, use GPO!
Friday, March 23, 2012 10:18 PM
Thanks Matthias, good suggestions for solutions. I assumed GPO precedence would rule here, but it seems the "not configured" status of an attribute cannot override a configured value. Is that true?
Saturday, March 24, 2012 1:14 PM
Hi B G R,
It is not "best practice" to modify the Default Domain Policy (only for password settings). I would suggest creating a new GPO named "Set firewall connection" and creating and using the following WMI filter:
Select * from Win32_OperatingSystem WHERE ProductType="1" to apply the GPO ONLY to workstations.
" Never panic before reboot ! "
Saturday, March 24, 2012 5:17 PM
As everyone else has said, I would not modify the default policy apart from for passwords; then I would structure the rest and apply per OU.
Tuesday, March 27, 2012 5:48 AM
> but it seems the "not configured" status of an attribute cannot
> override a configured value. Is that true?
Yes, that's true. Once a policy setting is configured (either "enabled" or "disabled"), you cannot set it back to "not configured" on subsequent GPOs or OUs.
sincerely, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
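The following PowerShell script is an added example, not code posted in this thread. It checks on a domain-joined host whether the workstation-only WMI filter suggested above would match, shows the firewall state actually in effect, and inspects the policy registry values that explain why a "Not Configured" setting in the server GPO cannot undo the "On" value from the Default Domain Policy. It assumes Windows 8 / Server 2012 or later (for Get-NetFirewallProfile) and uses a numeric literal in the WQL where the thread's GPMC filters use the quoted form.

```powershell
# Added example (not from the thread). Run after "gpupdate /force" to verify
# (a) WMI filter scope, (b) effective firewall state, (c) policy-sourced values.

# (a) Evaluate the same filter idea as the thread. Win32_OperatingSystem.ProductType:
#     1 = workstation, 2 = domain controller, 3 = member server.
$wql = 'SELECT ProductType, Version FROM Win32_OperatingSystem WHERE ProductType = 1'
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
if (Get-CimInstance -Query $wql) {
    Write-Host "WMI filter matches: ProductType 1 (workstation), a workstation-only GPO applies here."
} else {
    Write-Host ("WMI filter does not match: ProductType {0}, version {1}; " +
                "a workstation-only GPO would be skipped on this host." -f $os.ProductType, $os.Version)
}

# (b) Effective per-profile state. ActiveStore is the local configuration merged
#     with whatever Group Policy delivered, i.e. what the firewall really enforces.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# (c) Policy registry location written by the firewall GPO settings
#     (StandardProfile is the Private profile). A GPO that configures the
#     profile writes EnableFirewall here; a GPO that leaves it "Not Configured"
#     writes nothing and therefore cannot remove a value set by a higher GPO.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = Join-Path $base $profile
    $val = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($null -eq $val) {
        Write-Host "$profile : no policy value present (Not Configured in every GPO in scope)"
    } else {
        Write-Host "$profile : EnableFirewall=$val delivered by Group Policy; run 'gpresult /h report.html' to see the winning GPO"
    }
}
```

If step (c) shows EnableFirewall=1 on a server after the exclusion GPO was applied, the Default Domain Policy is still in scope for that profile, which is exactly the precedence behaviour Martin describes; only a GPO that explicitly sets the value to Off, or removing the setting from the Default Domain Policy and moving it to a client-only GPO, changes the result.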