Windows Firewall Domain Policy applied but can edit using GPedit.msc

    Question

  • I created a group policy for Windows Firewall for Windows Server 2012. Now if I open Windows Firewall from Server Manager on the machine where the group policy is applied, it shows me the correct settings and says Windows Firewall is managed via Group Policy. Hence I can't edit because of the same.

    But then if I run rsop.msc it doesn't show me Windows Firewall in the result.

    Also, if I run gpedit.msc and go to Windows Firewall, I can edit the public, private and domain firewall state in there, which ideally should be locked. The funny part is that whatever changes I make in gpedit.msc are not reflected in the firewall console opened from Server Manager.

    Any idea what's happening?

    Monday, January 12, 2015 7:24 PM

Answers

  • > But then if I run rsop.msc it doesn't show me Windows Firewall in the
    > result.
     
    rsop.msc is deprecated because it does not know about new GPO settings
    introduced with Vista... Run gpresult /h report.html instead.
     
    > Also if I run gpedit.msc and go to windows firewall, I can edit the
    > public, private & domain firewall state in there which ideally should be
    > locked but the funny part is whatever changes I make in gpedit.msc they
    > are not reflecting in the firewall console opened from server manager.
     
    This is how GPO precedence works. Local policy (gpedit.msc) gets
    overwritten with domain policy.
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, January 13, 2015 10:13 AM
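
The precedence described in the answer above can be checked per setting. This is an added example, not part of the thread: it assumes an elevated PowerShell session on the affected server with the built-in NetSecurity module (Windows Server 2012 or later), and the variable names and the report path are chosen here for illustration.

```powershell
# Added example: compare Windows Firewall profile settings across policy stores
# to see which local-policy (gpedit.msc) edits are overridden.
# Store names are those accepted by the NetSecurity cmdlets:
#   localhost   = local Group Policy object (what gpedit.msc edits)
#   RSOP        = read-only sum of all GPOs applied to this computer
#   ActiveStore = the policy the firewall is actually enforcing
$stores = [ordered]@{
    LocalGPO  = 'localhost'
    RSOP      = 'RSOP'
    Effective = 'ActiveStore'
}

# AllowLocalFirewallRules is the "Apply local firewall rules" GPO setting.
$settings = 'Enabled', 'DefaultInboundAction', 'DefaultOutboundAction',
            'AllowLocalFirewallRules'

$report = foreach ($profileName in 'Domain', 'Private', 'Public') {
    foreach ($setting in $settings) {
        $row = [ordered]@{ Profile = $profileName; Setting = $setting }
        foreach ($label in $stores.Keys) {
            try {
                $p = Get-NetFirewallProfile -Name $profileName `
                        -PolicyStore $stores[$label] -ErrorAction Stop
                $row[$label] = [string]$p.$setting
            } catch {
                $row[$label] = 'n/a'    # store not readable on this machine
            }
        }
        # A value set in local policy that differs from the effective value
        # is being overridden by a higher-precedence (domain) GPO.
        $row['LocalEditOverridden'] =
            ($row['LocalGPO'] -notin 'NotConfigured', 'n/a') -and
            ($row['LocalGPO'] -ne $row['Effective'])
        [pscustomobject]$row
    }
}

$report | Format-Table -AutoSize

# HTML report recommended in the answer (path is an example; /f overwrites).
gpresult /h "$env:TEMP\gpresult-report.html" /f
```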

All replies

  • You need to configure firewall states and set "Apply local firewall rules" to "No" in your AD GPO.

    Gleb.

    Tuesday, January 13, 2015 8:52 AM