Group:  English: General ยป microsoft.public.windows.networking.firewall
Thread: Problem with client behavior after removing domain firewall policy


Problem with client behavior after removing domain firewall policy
ed[ at ]swindelles.us 07.06.2007 19:42:02
I have an XP SP2 client that was within an OU which had firewall
policies defined. Those policies enabled the firewall with a list of
allowed applications and ports. Now, I've moved this client to an OU
which has the firewall settings set to Not Configured. I also
manually deleted all exceptions from the list and confirmed that the
registry defines no AllowedApplications. I did all of this because I
wanted the user that uses this computer to have to reanswer all of the
"Keep Blocking" prompts so that I can create a new GPO of firewall
settings, updating the old one created by a predecessor. However,
even after the GPO is applied to this machine the old firewall
settings still are in effect.

I've read the Cable Guy article about how firewall profiles (Domain
vs. Standard) are selected. This machine has a static IP with a
manually entered DNS suffix. So, after the article I figured that
because the GPO connection matched my DNS suffix, it still applied
domain policies. To confirm this, I issued the netsh firewall show
state command, resulting in this:

Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = None
Remote admin mode = Disable

So, the machine is still using the domain profile but theoretically
not using any settings because of the None setting in GP version.
However, while using the computer with an administrator account, I
still received no prompts to approve/deny applications. I
specifically ran applications that were explicitly defined as allowed
in the policy of the other OU. And the programs always ran and always
connected to the Internet, even though no exceptions are defined.

So, next I removed the DNS suffix and forced a GP update. The profile
switched to Standard, but the same behavior remains. The firewall is
enabled, with exceptions enabled, but no exceptions defined, yet any
application that runs has complete Internet access, just as if it were
still using the old domain policy it was assigned. The firewall log
shows all sorts of IPs and ports being allowed. Just for kicks I
disjoined the computer from the domain and rejoined, but that didn't
help either.

Any ideas?

Re: Problem with client behavior after removing domain firewall policy
"Steven L Umbach" <n9rou[ at ]n0-spam-for-me-comcast.net> 09.06.2007 04:15:21
Not sure exactly what is going on here but if you have not done so yet go to
the advanced page for the firewall and select restore defaults. Also run
gpedit.msc on that computer to see what it shows as the GPO that is
enforcing the firewall settings on that computer to see if it is what you
expect. Possibly even though you moved it to a different OU another GPO with
firewall settings defined in the "path" has Do Not Override/Enforce enabled.

Steve


<ed[ at ]swindelles.us> wrote in message
news:1181245322.770703.169430[ at ]p47g2000hsd.googlegroups.com...
>I have an XP SP2 client that was within an OU which had firewall
> policies defined. Those policies enabled the firewall with a list of
> allowed applications and ports. Now, I've moved this client to an OU
> which has the firewall settings set to Not Configured. I also
> manually deleted all exceptions from the list and confirmed that the
> registry defines no AllowedApplications. I did all of this because I
> wanted the user that uses this computer to have to reanswer all of the
> "Keep Blocking" prompts so that I can create a new GPO of firewall
> settings, updating the old one created by a predecessor. However,
> even after the GPO is applied to this machine the old firewall
> settings still are in effect.
>
> I've read the Cable Guy article about how firewall profiles (Domain
> vs. Standard) are selected. This machine has a static IP with a
> manually entered DNS suffix. So, after the article I figured that
> because the GPO connection matched my DNS suffix, it still applied
> domain policies. To confirm this, I issued the netsh firewall show
> state command, resulting in this:
>
> Profile = Domain
> Operational mode = Enable
> Exception mode = Enable
> Multicast/broadcast response mode = Enable
> Notification mode = Enable
> Group policy version = None
> Remote admin mode = Disable
>
> So, the machine is still using the domain profile but theoretically
> not using any settings because of the None setting in GP version.
> However, while using the computer with an administrator account, I
> still received no prompts to approve/deny applications. I
> specifically ran applications that were explicitly defined as allowed
> in the policy of the other OU. And the programs always ran and always
> connected to the Internet, even though no exceptions are defined.
>
> So, next I removed the DNS suffix and forced a GP update. The profile
> switched to Standard, but the same behavior remains. The firewall is
> enabled, with exceptions enabled, but no exceptions defined, yet any
> application that runs has complete Internet access, just as if it were
> still using the old domain policy it was assigned. The firewall log
> shows all sorts of IPs and ports being allowed. Just for kicks I
> disjoined the computer from the domain and rejoined, but that didn't
> help either.
>
> Any ideas?
>
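
One way to check Steve's suggestion without guessing, as an added example that is not from either poster: on XP SP2 a GPO-delivered firewall configuration is written under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and is removed when no GPO applies it any more, while the locally managed configuration lives under the SharedAccess\Parameters\FirewallPolicy key. Listing both hives per profile shows which source still carries the old allowed-program and open-port lists. Registry paths and value layouts are the standard XP SP2 ones; the script itself is an assumption about how you would audit this, not a documented tool.

```powershell
# Added example (not from the thread): list Windows Firewall (XP SP2) settings
# and exception lists from the Group Policy hive and the local hive, per profile.
# If the GroupPolicy entries are still populated after the move, some GPO in the
# OU path still applies them; gpresult /scope computer /v names that GPO.
$sources = @{
    'GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    'Local'       = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
}
$profiles = 'DomainProfile', 'StandardProfile'
$lists    = 'AuthorizedApplications\List', 'GloballyOpenPorts\List'

foreach ($src in $sources.Keys) {
    foreach ($profile in $profiles) {
        $base = Join-Path $sources[$src] $profile
        if (-not (Test-Path $base)) {
            # No key at all means this source contributes nothing to the profile.
            Write-Output ("{0,-11} {1,-15} (key absent: no settings from this source)" -f $src, $profile)
            continue
        }
        $props = Get-ItemProperty -Path $base
        # EnableFirewall=1 is "Operational mode = Enable"; DoNotAllowExceptions=1
        # is "Exception mode = Disable" in the netsh output quoted above.
        Write-Output ("{0,-11} {1,-15} EnableFirewall={2} DoNotAllowExceptions={3}" -f `
            $src, $profile, $props.EnableFirewall, $props.DoNotAllowExceptions)
        foreach ($list in $lists) {
            $path = Join-Path $base $list
            if (-not (Test-Path $path)) { continue }
            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) {
                # Each value reads "<program path or port:proto>:<scope>:<Enabled|Disabled>:<display name>"
                Write-Output ("    {0,-22} {1}" -f $list.Split('\')[0], $key.GetValue($name))
            }
        }
    }
}
```

Run it in an elevated PowerShell on the affected client; a populated GroupPolicy section for the profile that netsh reports as active is the GPO Steve is asking you to locate.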

