Local Security Policies overriding Domain Policy - Firewall

    Question

  • Hi, we appear to be having conflicts between local security policies and domain group policies regarding workstation firewalls.  Our desire is for the workstation firewall state to be "Off".  The domain group policy settings on all profiles are for Firewall State = Off, and Apply local firewall rules = No.  Frequently however, we find systems with their firewalls running, most commonly after they have been restarted.  Sometimes a gpupdate will correct firewall settings; in some cases, we've found that connections to domain controllers are blocked (RPC server unavailable).

    At this point, we believe we have ruled out firewall updates coming from either our AV or VPN clients. All PCs have been imaged through MDT. Short of logging into individual workstations and clearing our local security policy settings, how can we ensure that firewall settings are enforced by domain group policy?

    Thanks,

    Chris

    Tuesday, May 24, 2016 3:47 PM

All replies

  • Hi Chris,

    To apply domain group policy, you need to resolve the problem that your computer cannot connect to the domain controller.

    "The RPC server is unavailable" may have the following causes:

    1. Errors resolving a DNS or NetBIOS name.
    2. The RPC service or related services may not be running.
    3. Problems with network connectivity.
    4. File and printer sharing is not enabled.

    To fix the problem, you could try the actions described in the article below.

    Windows Server Troubleshooting: "The RPC server is unavailable"

    http://social.technet.microsoft.com/wiki/contents/articles/4494.windows-server-troubleshooting-the-rpc-server-is-unavailable.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 25, 2016 3:32 AM
    Moderator
  • Hi Jay,

    I'm aware of the RPC server troubleshooting steps.  In instances where this error crops up, it is because there was no firewall rule allowing RPC traffic.  However, this is not always the case; sometimes running a

    gpupdate /force

    will reset the firewall to its correct "off" setting. I'm more concerned with why the firewall gets turned on in the first place when Group Policy is supposed to override local settings.

    Thanks,

    Chris

    Thursday, June 02, 2016 7:26 PM
  • You could try this:

    http://gpsearch.azurewebsites.net/#318


    Rolf Lidvall, Swedish Radio (Ltd)

    Friday, June 03, 2016 2:25 PM
  • Hi Rolf,

    Thanks, I wasn't aware of this policy option.  We're testing it now and so far, so good.

    Friday, June 10, 2016 12:33 PM
  • No problem, only glad to help :-)

    Rolf Lidvall, Swedish Radio (Ltd)

    Friday, June 10, 2016 12:37 PM
    Reopening this issue.  Despite implementing the suggested group policy changes, multiple systems have had their firewalls re-enabled.  It appears that this is happening after systems reboot.  Event Viewer indicates that group policy processing is completing successfully, even though the Default Domain Policy specifically sets the Firewall in all profiles to "off".  A gpresult does not indicate that any policies are being denied.  Running a manual gpupdate /force appears to correctly reset the firewall.

    Any other suggestions?  If nothing else, is there any way to find out what process or application is enabling the firewall?

    Monday, June 20, 2016 5:27 PM
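The following PowerShell is an added example for the two questions raised in this thread (the original post's "local policy vs. domain policy" conflict and the last post's "what process is enabling the firewall?"); it is not code posted by any participant. It first compares, per profile, the value Group Policy delivers (under HKLM\SOFTWARE\Policies, which wins when present) with the locally persisted value and with what is actually in effect, then reads the firewall operational log for settings-change events since the last boot. The registry paths are the standard ones; the assumption to verify on your own build is that event ID 2003 in that log is the per-profile "setting has changed" event and that its message carries "Modifying Application" and "Modifying User" fields. Requires Windows 8.1/Server 2012 R2 or later (NetSecurity module) and an elevated prompt.

```powershell
# Added example, not from the thread. Run elevated on an affected workstation
# right after a reboot, before any manual gpupdate.

$profiles   = 'Domain', 'Private', 'Public'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'                                  # GPO-delivered values
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'     # local (persistent) values

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Compare GPO value, local value and effective (ActiveStore) state per profile.
#    A Conflict means policy says one thing and the running firewall does another,
#    which is what the thread describes after a reboot.
$report = foreach ($p in $profiles) {
    $gpo     = Get-RegValue "$policyRoot\${p}Profile" 'EnableFirewall'
    $local   = Get-RegValue "$localRoot\${p}Profile"  'EnableFirewall'
    $active  = (Get-NetFirewallProfile -Name $p -PolicyStore ActiveStore).Enabled   # GpoBoolean: True/False/NotConfigured
    $activeOn = ("$active" -eq 'True')
    [pscustomobject]@{
        Profile       = $p
        GpoEnable     = if ($null -eq $gpo)   { '(not set)' } else { [bool]$gpo }
        LocalEnable   = if ($null -eq $local) { '(not set)' } else { [bool]$local }
        ActiveEnabled = $activeOn
        Conflict      = ($null -ne $gpo) -and ([bool]$gpo -ne $activeOn)
    }
}
$report | Format-Table -AutoSize

# 2. Who flipped it? The firewall operational log records each settings change
#    together with the process that made it. Assumption: ID 2003 is the
#    "A Windows Firewall setting in the <X> profile has changed" event and its
#    message contains "Modifying Application:" and "Modifying User:" lines.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$changes  = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2003
    StartTime = $lastBoot
} -ErrorAction SilentlyContinue

$changes |
    Where-Object { $_.Message -match 'Enable Windows (Defender )?Firewall' } |   # keep only on/off changes
    ForEach-Object {
        # '.' does not cross line breaks in .NET regex, so each capture stays on its own line.
        $app  = if ($_.Message -match 'Modifying Application:\s*(.+)') { $Matches[1].Trim() } else { '?' }
        $user = if ($_.Message -match 'Modifying User:\s*(.+)')        { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Application = $app; User = $user; Message = ($_.Message -split "`n")[0] }
    } | Sort-Object Time | Format-Table -AutoSize
```

If the first table shows GpoEnable = False but ActiveEnabled = True, the second table should name the process that turned the profile on (an imaging or AV agent, a VPN client, or `svchost.exe`/`mpssvc` itself if the change came through policy processing). Running this on the next machine that reboots into the wrong state, before anyone runs `gpupdate`, is what answers the question at the end of the thread.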