Omitting servers from control of Windows Firewall in default domain policy


  • In our default domain policy we have enabled Windows Firewall and force the use of the firewall on Private and Public networks. This works great for client control. We want to override this policy for servers such that we can choose to enable or disable the firewall for those networks, and created a "Server Exclusion" GPO that's linked to the OU where the servers are assigned. In that we tried overriding the Private and Public profile settings either by setting the state to "Not Configured" or explicitly Off, but after making those changes and updating group policy on the servers they still have the firewall listed as engaged on both networks. The gpresult report also shows that the Default Domain Policy values were applied here and not the OU-specific server exclusion GPO.

    What I really want to use for Public and Private networks is "Not Configured" as I would like the option to turn the firewall on or off selectively on different servers, but how can I even get this OU specific GPO to override the 'On' settings in the Domain Default policy GPO?

    Friday, March 23, 2012 8:19 PM


All replies

  • Hello,

    Try to prevent conflicting settings.
    There are a few possible solutions:

    1. Create two new GPOs
    first one: firewall-clients
    second one: firewall-servers

    Now you put in all your servers in a security group.
    You use this group for filtering.
    You can deny access for this group on the first policy and grant access to this group in the second one.

    2. Create one new policy: firewall-clients

    Exclude all servers by using a WMI Filter:

    SELECT * FROM Win32_OperatingSystem WHERE Version > "6" AND ProductType LIKE "1"

    (untested example)

    MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!

    Friday, March 23, 2012 9:48 PM
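    The two-GPO layout from this reply, written out as an added PowerShell example (not code from the thread or from Microsoft). It assumes the GroupPolicy RSAT module, a domain "corp.example", OU paths and a security group "GPO-Firewall-Servers" that are all placeholders, and it also evaluates the workstation-only WQL locally with Get-CimInstance before you attach it as a WMI filter in GPMC.

```powershell
# Added example: two dedicated firewall GPOs with security-group filtering,
# plus a local check of the WMI filter text. All names below are assumptions.
Import-Module GroupPolicy

$Domain      = 'corp.example'                        # assumption
$ServersOU   = 'OU=Servers,DC=corp,DC=example'       # assumption
$ClientsOU   = 'OU=Workstations,DC=corp,DC=example'  # assumption
$ServerGroup = 'GPO-Firewall-Servers'                # assumption: group holding the server computer accounts

# 1. Two new GPOs instead of editing the Default Domain Policy.
foreach ($name in 'firewall-clients', 'firewall-servers') {
    if (-not (Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name -Domain $Domain | Out-Null
    }
}

# 2. Security-group filtering on firewall-servers: Authenticated Users keeps
#    Read (the computer account must still read the GPO) but loses Apply,
#    and the server group gets Apply. The explicit Deny on firewall-clients
#    that the reply mentions has no cmdlet; set it on the GPO's Delegation
#    tab in GPMC (assumption, not shown here).
Set-GPPermission -Name 'firewall-servers' -Domain $Domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name 'firewall-servers' -Domain $Domain -TargetName $ServerGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link each GPO to its OU (skip if the link already exists).
$links = @{ 'firewall-servers' = $ServersOU; 'firewall-clients' = $ClientsOU }
foreach ($gpo in $links.Keys) {
    $existing = (Get-GPInheritance -Target $links[$gpo] -Domain $Domain).GpoLinks.DisplayName
    if ($existing -notcontains $gpo) {
        New-GPLink -Name $gpo -Domain $Domain -Target $links[$gpo] -LinkEnabled Yes | Out-Null
    }
}

# 3. WMI-filter alternative: test the WQL on a machine before attaching it.
#    Win32_OperatingSystem.ProductType is 1 = workstation, 2 = domain
#    controller, 3 = server. Note that Version is a string, so a comparison
#    such as Version > "6" is lexicographic and is not reliable across
#    major versions; the ProductType test alone is the safer filter.
function Test-WorkstationFilter {
    $wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
    return [bool](Get-CimInstance -Query $wql)
}
"This machine matches the workstation filter: $(Test-WorkstationFilter)"

# 4. Check what the server OU actually receives: link order and whether any
#    higher link is Enforced. An Enforced domain-level link wins over the OU
#    GPO no matter how the OU link is ordered.
(Get-GPInheritance -Target $ServersOU -Domain $Domain).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

    The last step is the check worth running against the situation in the question: if the Default Domain Policy link shows Enforced, no OU-level GPO can override its firewall settings, and if it is not enforced, the OU GPO only wins for settings it explicitly configures.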
  • Thanks Matthias, good suggestions for solutions. I assumed GPO precedence would rule here, but it seems the "not configured" status of an attribute cannot override a configured value. Is that true?
    Friday, March 23, 2012 10:18 PM
  • Hi B G R,

    It is not "best practice" to modify the Default Domain Policy (only for password settings). I would suggest creating a new GPO named "Set firewall connection" and creating and using the following WMI filter:

    Select * from Win32_OperatingSystem WHERE ProductType="1" to apply the GPO ONLY to workstations.

    See here : and here:

    " Never panic before reboot ! "

    • Edited by Voldar Saturday, March 24, 2012 1:20 PM
    • Proposed as answer by Liam Holmes Saturday, March 24, 2012 5:11 PM
    • Marked as answer by Elytis Cheng (Moderator) Tuesday, April 03, 2012 8:56 AM
    Saturday, March 24, 2012 1:14 PM
  • As everyone else has said, I would not modify the default policy apart from for passwords; then I would structure the rest and apply per OU.

    Saturday, March 24, 2012 5:17 PM
  • > but it seems the "not configured" status of an attribute cannot
    > override a configured value. Is that true?
    Yes, that's true. Once a policy setting is configured (either "enabled"
    or "disabled"), you cannot set it back to "not configured" on subsequent
    GPOs or OUs.
    sincerely, Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Tuesday, March 27, 2012 5:48 AM
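    A way to see this behaviour on one of the affected servers, as an added example that is not part of the thread: it reads the profile state that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall next to the state actually in effect. A profile that the OU GPO leaves "Not Configured" still shows the domain-level value, because nothing lower in the order removed it. It assumes Windows Server 2012 or later (NetSecurity module) and a local administrator session; the -PolicyStore ActiveStore query is what reports the effective, GPO-merged state.

```powershell
# Added example: compare what policy wrote for each firewall profile with the
# state that is actually active on this server. Assumes NetSecurity module.
function Get-FirewallPolicyState {
    # Registry location that the Windows Firewall GPO settings write to.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

    foreach ($profile in 'Domain', 'Private', 'Public') {
        $key    = Join-Path $base "${profile}Profile"
        $policy = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall

        # No value means no GPO in the resulting set configured this profile.
        if ($null -eq $policy)  { $policyText = 'Not Configured' }
        elseif ($policy -eq 1)  { $policyText = 'On' }
        else                    { $policyText = 'Off' }

        # ActiveStore is the effective state after local and GPO settings merge.
        $active = (Get-NetFirewallProfile -Name $profile -PolicyStore ActiveStore).Enabled

        [pscustomobject]@{
            Profile        = $profile
            PolicyValue    = $policyText
            EffectiveState = $active
        }
    }
}

Get-FirewallPolicyState | Format-Table -AutoSize

# To see which GPO supplied each value, generate the computer-scope RSoP report:
#   gpresult /scope computer /h C:\rsop.html
```

    If PolicyValue reads "On" for Private and Public while the server exclusion GPO has them "Not Configured", that is exactly the case Martin describes: the domain-level value was never overridden, only left alone.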