[gptalk] Re: Group Policy and Vista Firewall

  • From: "Jason Williams" <jasonwilliams74@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 13 Sep 2007 14:04:27 -0700

Well, just applied the WMI filter and that seemed to fix it. Starts up fine
now.

On 9/13/07, Jason Williams <jasonwilliams74@xxxxxxxxx> wrote:
>
> As far as the AV interacting with the software, not to my knowledge. We
> are using Symantec Corporate, I believe 10.2.
>
> Besides that, all the other policies appear to be fine.
>
> Thanks for the help.
>
> Jason
>
>  On 9/13/07, Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> >  Jason,
> >
> >
> >
> > By any chance does the workstation antivirus software have any
> > interaction with the firewall? If so I would try the policy on a clean
> > Vista machine with AV just to get a controlled test to isolate the policy
> > versus the desktop configuration.
> >
> >
> >
> > Every other policy is getting applied fine to the Vista workstations?
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Jason Williams
> > *Sent:* Thursday, September 13, 2007 11:37 AM
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Re: Group Policy and Vista Firewall
> >
> >
> >
> > Looks like, even after recreating the policy on a Vista machine, still
> > causes a problem. It's weird. I disable the Firewall policy, I can start the
> > firewall on Vista. I enable it, it throws an error.
> >
> > My next step would be to apply a WMI filter so the policy is only
> > applied to XP machines (probably not a bad idea anyway).
> >
> >
> >
> > So just use:
> >
> >
> >
> > SELECT * from Win32_OperatingSystem WHERE Caption LIKE "%Microsoft Windows XP%"
> >
> >
> >
> > Should do the trick, correct?
> >
> >
> >
> > Thanks.
> >
> >
> > JW
> >
> >
> >
> > On 9/11/07, *Delaney, Doug* <doug.delaney@xxxxxxx> wrote:
> >
> > For the WMI portion, I certainly prefer the Like "% Windows XP%" method
> > since professional is spelled differently in some languages.
> >
> >
> >
> > working examples.
> >
> > SELECT * from Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows XP%"
> >
> > SELECT * from Win32_OperatingSystem WHERE Caption LIKE "%Windows Vista%"
> >
> >
> >
> >
> > *Doug Delaney*
> > EDS - Integration Engineering-GM
> > GM Desktop Engineering
> > 1075 W. Entrance Dr., MS 2B, Cube 2130
> > Auburn Hills, MI 48326
> > Lab: 248-365-9187
> > Tel: 248-754-7917
> > Pg: 248-870-0306 pager
> > Mail: Doug.Delaney@xxxxxxx
> > Note: The information in this email is intended solely for the
> > addressee. Access to this email by anyone else is unauthorized. If you are
> > not the intended recipient, any disclosure, copying, distribution or any
> > action taken or omitted to be taken in reliance on it is prohibited.
> >
> >
> >
> >
> >  ------------------------------
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto: gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Jason Williams
> > *Sent:* Tuesday, September 11, 2007 5:10 PM
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Re: Group Policy and Vista Firewall
> >
> >
> >
> > Hi Omar,
> >
> >
> >
> > The problem we are having is that we cannot start the Vista Firewall.
> > Just fails. Yet, if we take a computer out of the domain, firewall starts
> > up. My conclusion is that the GPO was causing the issue.
> >
> >
> >
> > Basically, I've been working to try and clear up the GPOs here and make
> > them more efficient. Right now, they have the GPOs to allow RDP access to
> > XP machines as well as a few other exceptions to access the machines. It
> > does not really sit well with me that it is a "broad" brush stroke at the
> > domain level with this policy.
> >
> >
> >
> > I'll recreate the policy on a Vista machine, see if that does
> > anything.
> >
> >
> >
> > For the WMI portion, I can actually specify "Microsoft Windows XP
> > Professional"?
> > After I posted my thread, I thought, "It would be better if I
> > specifically indicated an OS. More specific."
> >
> >
> > Thanks.
> >
> >
> > Jason
> >
> >
> >
> > On 9/11/07, *Omar Droubi* <omar@xxxxxxxxxxxxxxxxxxxxx > wrote:
> >
> > Well 1st- what issues are you having with the GPO and Vista?
> >
> >
> >
> > 2nd- What exactly are you doing in your FW policy? Just curious since it
> > is applying to all workstations and servers on your network.
> >
> >
> >
> > 3rd- If placing the FW GPO is correct at the domain level, log on to the
> > Vista machine, open GPMC and create a new policy with the same settings
> > and replace the existing one.
> >
> >
> >
> > Policies created on Vista workstations will be backward compatible as
> > far as functionality goes- but you should not administer those policies
> > using GP editor or GPMC from any other operating system except Vista and
> > Windows Server 2008.
> >
> >
> > Creating the GPO on Vista may help resolve any compatibility issues you
> > are having on the Vista workstations- and it should continue to work on the
> > XP machines as you have in place with the current policy.
> >
> >
> >
> > As far as WMI filter goes- I have had better luck with inclusions rather
> > than exclusions. I would do something like:
> >
> >
> >
> > Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
> >
> >
> >
> > Hope that helps,
> >
> >
> >
> > Omar
> >
> >
> >  ------------------------------
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx on behalf of Jason Williams
> > *Sent:* Tue 9/11/2007 1:23 PM
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Group Policy and Vista Firewall
> >
> >
> >
> > I seem to be having some issues with Vista and Group Policy. Looking at
> > the policy in place, we have a Windows XP Firewall policy applied at the
> > root of the domain. Not sure if that is the best way to apply, so I'm looking
> > for alternatives.
> >
> >
> >
> > I thought about making a WMI filter to make this Group Policy only be
> > applied to XP machines. Would that be a viable option? Here is what I have
> > for my filter (still learning how to make WMI filters and script as well).
> >
> >
> >
> >
> > root\CIMv2
> >
> >
> >
> > SELECT * FROM Win32_OperatingSystem WHERE BuildNumber !="6000"
> >
> >
> >
> > I was thinking too, can I make this better?
> >
> >
> > I appreciate the help.
> >
> >
> >
> > Jason
> >
> >
> >
> >
> >
>
>
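
The WMI filters proposed in this thread can be checked on a test workstation before one is linked to the firewall GPO, since a filter evaluates to true when its query returns at least one instance. The script below is an added example, not posted by anyone in the thread; it assumes Windows PowerShell with Get-WmiObject available, and the last query (Version plus ProductType) is an addition that the thread does not discuss.

```powershell
# Added example: evaluate the thread's candidate GPO WMI filters on the local machine.
# A GPO WMI filter is TRUE (policy applies) when its WQL query returns >= 1 instance.
$namespace = 'root\CIMv2'
$base      = 'SELECT * FROM Win32_OperatingSystem WHERE '

$filters = @(
    # Queries taken from the thread
    @{ Name = 'Exclude Vista RTM build';  Where = 'BuildNumber != "6000"' },
    @{ Name = 'Exact XP Pro caption';     Where = 'Caption = "Microsoft Windows XP Professional"' },
    @{ Name = 'XP caption prefix';        Where = 'Caption LIKE "Microsoft Windows XP%"' },
    @{ Name = 'XP caption substring';     Where = 'Caption LIKE "%Microsoft Windows XP%"' },
    @{ Name = 'Vista caption substring';  Where = 'Caption LIKE "%Windows Vista%"' },
    # Not from the thread: Version and ProductType do not vary with the OS language.
    # 5.1 is 32-bit Windows XP; ProductType 1 is a workstation.
    @{ Name = 'XP by version (addition)'; Where = 'Version LIKE "5.1%" AND ProductType = 1' }
)

# Show what the filters are matching against. The brackets make stray
# leading or trailing whitespace in Caption visible, which breaks '=' matches.
$os = Get-WmiObject -Namespace $namespace -Class Win32_OperatingSystem
'Caption: [{0}]  Version: {1}  BuildNumber: {2}  ProductType: {3}' -f `
    $os.Caption, $os.Version, $os.BuildNumber, $os.ProductType
''

foreach ($f in $filters) {
    $query = $base + $f.Where
    try {
        # @() forces an array so .Count works for zero or one result
        $hits   = @(Get-WmiObject -Namespace $namespace -Query $query -ErrorAction Stop)
        $result = if ($hits.Count -gt 0) { 'TRUE  (GPO would apply)' }
                  else                   { 'FALSE (GPO would be skipped)' }
    }
    catch {
        # A malformed query is reported here instead of silently filtering the GPO out
        $result = 'ERROR: ' + $_.Exception.Message
    }
    '{0,-26} {1}' -f $f.Name, $result
    '    ' + $query
}
```

Run it on one XP and one Vista machine: the filter chosen for the XP firewall policy should report TRUE on the first and FALSE on the second.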
