[gptalk] Re: Group Policy and Vista Firewall

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 13 Sep 2007 11:49:31 -0700



By any chance does the workstation antivirus software have any
interaction with the firewall?  If so I would try the policy on a clean
Vista machine with AV just to get a controlled test to isolate the
policy versus the desktop configuration.


Every other policy is getting applied fine to the Vista workstations?





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Williams
Sent: Thursday, September 13, 2007 11:37 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy and Vista Firewall


Looks like, even after recreating the policy on a Vista machine, still
causes a problem. It's weird. I disable the Firewall policy, I can start
the firewall on Vista. I enable it, it throws an error.

My next step would be to apply a WMI filter so the policy is only
applied to XP machines (probably not a bad idea anyway).


So just use:


SELECT * from Win32_OperatingSystem WHERE Caption LIKE "%Microsoft Windows XP%"


Should do the trick, correct?





On 9/11/07, Delaney, Doug <doug.delaney@xxxxxxx> wrote: 

For the WMI portion, I certainly prefer the Like "% Windows XP%" method
since professional is spelled differently in some languages.


Working examples:

SELECT * from Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows XP%"

SELECT * from Win32_OperatingSystem WHERE Caption LIKE "%Windows Vista%"


Doug Delaney
EDS - Integration Engineering-GM 
GM Desktop Engineering




        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Williams
        Sent: Tuesday, September 11, 2007 5:10 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Group Policy and Vista Firewall

        Hi Omar,


        The problem we are having is that we cannot start the Vista
Firewall. Just fails. Yet, if we take a computer out of the domain,
firewall starts up. My conclusion is that the GPO was causing the issue.


        Basically, I've been working to try and clear up the GPOs here
and make them more efficient. Right now, they have the GPOs to allow
RDP access to XP machines as well as a few other exceptions to access
the machines. It does not really sit well with me that it is a "broad"
brush stroke at the domain level with this policy.


        I'll recreate the policy on a Vista machine, see if that does


        For the WMI portion, I can actually specify "Microsoft Windows
XP Professional"?
        After I posted my thread, I thought, "It would be better if I
specifically indicated an OS. More specific."



        On 9/11/07, Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx > wrote: 

        Well 1st- what issues are you having with the GPO and Vista?


        2nd- What exactly are you doing in your FW policy? Just curious
since it is applying to all workstations and servers on your network.


        3rd- If placing the FW GPO is correct at the domain level, log
on to the Vista machine, open GPMC and create a new policy with the
same settings and replace the existing one.


        Policies created on Vista workstations will be backward
compatible as far as functionality goes- but you should not administer
those policies using GP editor or GPMC from any other operating system
except Vista and Windows Server 2008.

        Creating the GPO on Vista may help resolve any compatibility
issues you are having on the Vista workstations- and it should continue
to work on the XP machines as you have in place with the current policy.


        As far as WMI filter goes- I have had better luck with
inclusions rather than exclusions. I would do something like:


        Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"


        Hope that helps,





        From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Jason Williams
        Sent: Tue 9/11/2007 1:23 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Group Policy and Vista Firewall 

        I seem to be having some issues with Vista and Group Policy.
Looking at the policy in place, we have a Windows XP Firewall policy
applied at the root of the domain. Not sure if that is the best way to
apply, so I'm looking for alternatives.


        I thought about making a WMI filter to make this Group Policy
only be applied to XP machines. Would that be a viable option? Here is
what I have for my filter (still learning how to make WMI filters and
script as well).




        SELECT * FROM Win32_OperatingSystem WHERE BuildNumber !="6000"


        I was thinking too, can I make this better?

        I appreciate the help.
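
An added example, not written by any poster in this thread: a Python sketch that evaluates the WMI filter conditions discussed above against constructed Win32_OperatingSystem records, to show which machines each filter would let the firewall GPO reach. The LIKE matcher is a simplified stand-in for WQL (only % and _ are handled), and the sample captions and build numbers are assumptions, not values taken from the posters' machines.

```python
import re

# Constructed sample records (assumed values, not captured from real hosts).
# The Vista captions assume the registered/trademark symbols in Caption.
SAMPLE_HOSTS = [
    {"Caption": "Microsoft Windows XP Professional", "BuildNumber": "2600"},
    {"Caption": "Microsoft Windows XP Home Edition", "BuildNumber": "2600"},
    {"Caption": "Microsoft\u00ae Windows Vista\u2122 Business", "BuildNumber": "6000"},
    {"Caption": "Microsoft\u00ae Windows Vista\u2122 Business", "BuildNumber": "6001"},
    {"Caption": "Microsoft(R) Windows(R) Server 2003, Standard Edition",
     "BuildNumber": "3790"},
]

def wql_like(value, pattern):
    """Simplified WQL LIKE: % = any run of characters, _ = one character."""
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

# WHERE clauses from the thread, expressed as predicates over one record.
FILTERS = {
    'Caption = "Microsoft Windows XP Professional"':
        lambda h: h["Caption"].lower() == "microsoft windows xp professional",
    'Caption LIKE "Microsoft Windows XP%"':
        lambda h: wql_like(h["Caption"], "Microsoft Windows XP%"),
    'Caption LIKE "%Windows Vista%"':
        lambda h: wql_like(h["Caption"], "%Windows Vista%"),
    'BuildNumber != "6000"':
        lambda h: h["BuildNumber"] != "6000",
}

def evaluate(hosts=SAMPLE_HOSTS):
    """Return {where_clause: [indexes of hosts the GPO would apply to]}.

    A GPO with a WMI filter applies when the query returns at least one row.
    """
    return {
        clause: [i for i, host in enumerate(hosts) if matches(host)]
        for clause, matches in FILTERS.items()
    }

if __name__ == "__main__":
    for clause, hits in evaluate().items():
        print(f"WHERE {clause}")
        for i in hits:
            host = SAMPLE_HOSTS[i]
            print(f"    applies to: {host['Caption']} (build {host['BuildNumber']})")
```

On these sample records the exclusion on BuildNumber still applies the XP firewall policy to the server and to the Vista host with a different build number, while the inclusion filters on Caption reach only the XP hosts.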




