1

I want to force the in-house machines here to have their firewall disabled so I can manipulate them with scripts. Trying to do it with GPO, but it doesn't result in a disabled and greyed out firewall setting panel like I'd expect. Apparently I'm doing something wrong.

Here's what I've done:

  1. Created an OU to park the computer objects in. Moved a test box in there.
  2. Created a new Group Policy object, named "Firewall_Off"
  3. Select the newly created group policy.
  4. Right-click on the newly created policy and select Edit.
  5. Expand the Computer Configuration folder, then the Administrative Templates folder.
  6. Expand the Network folder, then the Network Connections folder, then the Windows Firewall folder.
  7. Select the Standard Profile folder.
  8. Double-click the Windows Firewall: Protect all network connections option.
  9. Select Disabled, then click OK.
  10. Select the Domain Profile folder.
  11. Double-click the Windows Firewall: Protect all network connections option.
  12. Select Disabled, then click OK.
  13. Close the Group Policy dialog box.

I assume that this should then apply the group policy of "protect all network connections = Disable" to any computer object inside that OU. I've done this before for audit policies with success.

Rebooted the test machine. Firewall control panel remains user managed. Ran gpupdate repeatedly. Rebooted repeatedly. No change.

Clue?

Aszurom

4 Answers

2

Have you run the Resultant Set of Policy tool? At a command prompt or in Run, enter RSOP.msc. You will see if there is another policy that turns this back on and overrides the policy you are trying to apply. This can be a bit tricky but the tool really helps. There is a command line tool as well that is discussed here: GPresults

Dave M
  • Both of you guys had a piece of it. I'm giving you the checkmark for cluing me into the tool that I didn't know about. Very nice. – Aszurom Jan 13 '10 at 21:41
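
A scripted version of the check suggested in the answer above, as an added example that is not part of the original thread. It assumes the "Protect all network connections" setting is stored as `EnableFirewall` under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<profile>`, that the firewall service is named `SharedAccess` (XP/2003) or `MpsSvc` (Vista and later), and that `gpresult` output is in English; the function name is hypothetical.

```powershell
# Added example: show what firewall policy actually landed on this machine.
# Run from an elevated prompt so gpresult can read the computer scope.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Hypothetical helper: returns 'NotConfigured', 'Disabled' or 'Enabled'
# for one profile ('DomainProfile' or 'StandardProfile').
function Get-FirewallPolicyState {
    param([string]$ProfileName)

    $key = Join-Path $policyRoot $ProfileName
    if (-not (Test-Path $key)) { return 'NotConfigured' }

    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.EnableFirewall) { return 'NotConfigured' }

    # 0 = policy says "do not protect connections", 1 = policy forces it on.
    if ($item.EnableFirewall -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# 1. Policy values written by the GPO (absent key = the GPO never applied).
foreach ($name in 'DomainProfile', 'StandardProfile') {
    '{0,-16} policy state: {1}' -f $name, (Get-FirewallPolicyState $name)
}

# 2. State of the firewall service itself (name differs by Windows version).
foreach ($svcName in 'SharedAccess', 'MpsSvc') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) { '{0,-16} service status: {1}' -f $svcName, $svc.Status }
}

# 3. Which GPOs applied to the computer and which were filtered out.
#    /v is accepted by both the XP and the later versions of gpresult.
$report = gpresult /scope computer /v
$report | Select-String -Pattern 'Applied Group Policy Objects',
                                 'not applied because they were filtered out' `
                        -Context 0, 8
```

If both profiles report `NotConfigured` and the GPO is missing from the applied list, the problem is linking or filtering of the GPO rather than the firewall setting itself.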
2

If you need to disable it completely, an easy way to do it is disable the Windows Firewall Service from Windows Services via GPO. You can set it in:

Computer Configuration -> Windows Settings -> System Services -> Windows Firewall/ICS

set it as disabled (or manual if you prefer)

Ecio
1

Three things:

  1. After you created the policy did you close the policy editor? GPOs don't save until you close the editor
  2. Did you right click the policy in GPMC and select enforced?
  3. Have you checked the event logs for policy errors?

Zypher
0

You can use the policy found at:

Computer Configuration, Administrative Templates, Network, Network Connections, Prohibit use of Internet Connection Firewall on your DNS domain

Set it to enabled and the firewall won't run when connected to your network. According to the explanation this was superseded in SP2 by Windows Firewall, but all I can say is that it works for me!

hmallett