Re: Windows Firewall Turned on Automatically
Posted by Lanwench [MVP - Exchange] on September 24th, 2005




In news:A0EA3176-C05A-4BEB-8996-BC33FFF2D440@microsoft.com,
Dave Petzel <DavePetzel@discussions.microsoft.com> typed:
> Just experienced a very strange situation. We have several hundred XP
> clients on an NT Domain. We disable windows firewall. Over the
> weekend we upgraded our NT 4 Domain to Windows 2003 Mixed Mode Active
> Directory. We are now seeing today and yesterday some machines have
> the windows firewall enabled. We discovered the problem due to an
> older legacy application we have had stopped working. The application
> was working yesterday (2 days after the upgrade) but today it was
> not. The machines experiencing the problem are located in separate
> offices and separate departments. So far we have seen only about 15
> with the firewall enabled. As we just upgraded we don't have any GPOs
> in place that would enable this. We don't have any other automated
> customization tools that were configured to do this either.
>
> Is there any log file or any way to determine when/by who the
> firewall was enabled. The users of the machines don't have admin
> rights so we know it was not them. Any insight on this one would be
> great!
>
> Thanks


Really does sound like group policy to me. Run the GPMC and see what policy
settings you have - and on the client, run gpresult in a command prompt to
see the 'resultant set of policy'

Any chance you can just add an exception for your legacy app? I personally
like leaving the firewalls enabled, but with the exceptions I wish.



Posted by Dave Petzel on September 25th, 2005


We have narrowed this down some. It appears to be a problem on the XP boxes
not correctly detecting the correct firewall profile. When the boxes were
initially built they were joined to the domain as well as had the firewall
turned off, thus disabling the firewall for that profile. Now that we have
upgraded we see the machines are randomly selecting which domain profile to
use, since we do not have the firewall disabled on the standard profile when
the machine incorrectly determines which profile to use the firewall is on.
We did a lot of testing on this. We would take a single machine and not make
any changes to it and just reboot it over and over. After each reboot we would
run 'netsh firewall show config' to see which profile was active. Sometimes
it would be the domain profile, sometimes it would be the standard profile. To
get around this temporarily we have implemented a login script element to
disable the firewall, however it stinks that we can not rely on the
workstation to determine correctly.

Posted by Lanwench [MVP - Exchange] on September 26th, 2005




In news754EA3A-5B54-418D-8FD7-66D374950613@microsoft.com,
Dave Petzel <DavePetzel@discussions.microsoft.com> typed:
> We have narrowed this down some. It appears to be a problem on the XP
> boxes not correctly detecting the correct firewall profile. When the
> boxes were initially built they were joined to the domain as well as
> had the firewall turned off, thus disabling the firewall for that
> profile. Now that we have upgraded we see the machines are randomly
> selecting which domain profile to use, since we do not have the
> firewall disabled on the standard profile when the machine
> incorrectly determines which profile to use the firewall is on. We
> did a lot of testing on this. We would take a single machine and not
> make any changes to it and just reboot it over and over. After each
> reboot we would run 'netsh firewall show config' to see which profile
> was active. Sometimes it would be the domain profile, sometimes it
> would be the standard profile. To get around this temporarily we have
> implemented a login script element to disable the firewall, however
> it stinks that we can not rely on the workstation to determine
> correctly.


Hi - what do you mean by domain profile, and why can't you handle this via
GPO, and why can't you just add the exceptions you need to the firewall
rather than disabling it outright?



Posted by Dave Petzel on September 26th, 2005


Windows Firewall has two profiles: Domain and Standard. This allows you to
have different configurations depending if the computer is on its home domain
or not. GPO is ineffective as a result of this because we want the firewall
on for the standard profile and off for the domain profile. With the machine
not detecting the correct profile it renders GPO useless.

Posted by Lanwench [MVP - Exchange] on September 26th, 2005




In news:891F413E-F97B-4ACF-A57F-8137A15DAE12@microsoft.com,
Dave Petzel <DavePetzel@discussions.microsoft.com> typed:
> Windows Firewall has two profiles: Domain and Standard. This allows
> you to have different configurations depending if the computer is on
> its home domain or not. GPO is ineffective as a result of this
> because we want the firewall on for the standard profile and off for
> the domain profile. With the machine not detecting the correct
> profile it renders GPO useless.


Hmmm - well, I don't have an NT domain (I haven't had to touch NT in years)
and am not sure what difference it makes that you migrated from one, if
any...but in W2003 you should be able to specify that when the
machines are on the domain they have the settings you wish, and when they're
off the domain they have the settings you wish. Personally, I leave the
firewall enabled all the time, actually, with exceptions set for whatever I
need, from the business network's IP range only.

Have you tried posting in m.p.windows.group_policy? This is precisely what
policies are for...

Sorry I can't help further




Posted by Torgeir Bakken (MVP) on September 26th, 2005


Dave Petzel wrote:
> Windows Firewall has two profiles: Domain and Standard. This allows you to
> have different configurations depending if the computer is on its home domain
> or not. GPO is ineffective as a result of this because we want the firewall
> on for the standard profile and off for the domain profile. With the machine
> not detecting the correct profile it renders GPO useless.
>

Hi,

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if the last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/com...uy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

* If the connection-specific DNS suffix of a currently connected
  connection on the computer that is not PPP or SLIP-based (such as
  an Ethernet or 802.11 wireless network adapter) matches the value
  of the
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
  registry entry, Windows Firewall uses the domain profile.

* If the connection-specific DNS suffix of a currently connected
  connection on the computer that is not PPP or SLIP-based does not
  match the value of the
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
  registry entry, Windows Firewall uses the standard profile.


You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
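
The profile-selection rule quoted from the Cable Guy article, as an added example that is not part of the thread and is not Microsoft's code: it parses `ipconfig /all` output and compares each connected, non-PPP/SLIP adapter's connection-specific DNS suffix with a supplied NetworkName value. The sample output, host and domain names, and the function names are constructed for illustration, and the case-insensitive comparison is an assumption.

```python
import re

# Constructed `ipconfig /all` excerpt in the XP layout; names and addresses are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS-0142
        Primary Dns Suffix  . . . . . . . : corp.example.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.1.20.42

PPP adapter Home VPN:

        Connection-specific DNS Suffix  . : isp.example.net
        IP Address. . . . . . . . . . . . : 192.0.2.17

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

def parse_adapters(ipconfig_text):
    """Return one dict per adapter section: kind, name, suffix, connected."""
    adapters, current = [], None
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S.*?) adapter (.+):\s*$", line)
        if header:
            current = {"kind": header.group(1), "name": header.group(2),
                       "suffix": "", "connected": True}
            adapters.append(current)
            continue
        field = re.match(r"^\s+([^:]+?)[ .]*:\s?(.*)$", line)
        if field and current is not None:
            key, value = field.group(1), field.group(2).strip()
            if key == "Connection-specific DNS Suffix":
                current["suffix"] = value
            elif key == "Media State" and "disconnected" in value.lower():
                current["connected"] = False
    return adapters

def firewall_profile(ipconfig_text, network_name):
    """Apply the quoted rule; case-insensitive comparison is an assumption."""
    wanted = network_name.strip().lower()
    for adapter in parse_adapters(ipconfig_text):
        # The rule only considers connected connections that are not PPP or SLIP.
        if not adapter["connected"] or adapter["kind"].upper() in ("PPP", "SLIP"):
            continue
        if adapter["suffix"].lower() == wanted:
            return ("domain", adapter["name"])
    return ("standard", None)
```

On a client, the value to pass as `network_name` can be read with `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History" /v NetworkName`.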

