AD GPO to control Windows Firewall Settings


MA P

I have Windows 2000 DCs and Windows XP Pro SP2 clients. Can GPO on AD
control Windows Firewall Settings?
 
Hi,

ADM files are Group Policy files. They are changed and modified with each OS
upgrade. The nice thing about them is they are all inclusive so you can run
Windows 2003 Service Pack 1 ADM's on a Windows 2000 Server.

You can download the most recent copy here
http://www.microsoft.com/downloads/...4b-7112-4b6c-ad4a-bbf3802a5c9b&DisplayLang=en

Copy the ADM's into the inf folder on ALL your DC's and any machines running
adminpak.msi to modify Group Policy.

Don't worry, any settings you have already won't change. However, Group
Policy will look a little different structure-wise, with a lot more policies.

Cheers,
Lara
 
In
Andrei Ungureanu said:

<raises hand, shyly>

I have a question about this. I've got so few W2k domains left this is
rarely an issue for me, but am wondering - if I install GPMC on an XP SP2
client, and open it while logged in as a domain admin, all of this seems to
work. I've looked at that document, and I'm OK with the firewall policy
settings, which seems to be mainly what it's concerned with.

My real question is, if I subsequently open/close that particular GPO from
the W2k server, will it change the policy such that I won't get to see the
cool new stuff again if I view the policy again from an XP client? As in, is
there some sort of overwriting that takes place when one opens it on the
server?

I'm not sure I've gone about this the right way and would love to avoid
future headaches.
 
Hi,
> My real question is, if I subsequently open/close that particular GPO from
> the W2k server, will it change the policy such that I won't get to see the
> cool new stuff again if I view the policy again from an XP client?

No.

> As in, is there some sort of overwriting that takes place when one opens
> it on the server?
> I'm not sure I've gone about this the right way and would love to avoid
> future headaches.

It can only cause errors if the local existing ADM files are newer
than the ones inside the sysvol\...\{guidofPol}\ADM folder.
Perhaps you edit your system.adm on the 2000 DC to extend
the nodrives feature.

There is an automatic update feature that is enabled by default. That's
the MS way to update the GPO if you are using a client with a new SP.

This can be disabled. Take a look at:
Userconf\Admtempl\System\Group Policy
"Deactivate automatic update of adm templates"

Mark
 
Hi,

To fix this, manually copy ALL the ADM files from the Windows XP SP2
C:\Windows\inf folder to the C:\Winnt\inf folder on ALL your DC's and
overwrite the old Windows 2000 ones. The ADM's are accumulative and the new
ones run perfectly well on Windows 2000.

Personally I think that Microsoft should always recommend the manual copying
of the ADM's to the DC's rather than this "run GPMC on a Windows XP machine
etc."

I think that with the Newest Version of Windows Server to come out they
should figure out a way to have only ONE system.adm for all the policies
instead of redundantly copying a system.adm into EACH policy folder so you
end up with about 50 copies in the SYSVOL. I know when my server HD's were
filling up, every time I created another policy it would add 1.5MB of ADM
copies to the hard drive.

Cheers,
Lara
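
An added example (not from any poster in this thread): a Python audit of a copy of the Policies folder for the two issues raised above, GPO ADM copies that are older than the local inf templates and identical ADM copies duplicated across GPO folders. The `Policies/<GUID>/Adm` layout passed in as a parameter, the function names and the sample tree with placeholder GPO names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def adm_files(folder):
    """All *.adm files directly inside folder (case-insensitive extension)."""
    return sorted(p for p in Path(folder).iterdir()
                  if p.is_file() and p.suffix.lower() == ".adm")

def audit_adm(policies_dir, local_inf_dir):
    """Return (rows, duplicate_bytes) for every ADM copy under policies_dir/<GPO>/Adm."""
    local = {p.name.lower(): p for p in adm_files(local_inf_dir)}
    rows, seen, duplicate_bytes = [], set(), 0
    for gpo in sorted(p for p in Path(policies_dir).iterdir() if p.is_dir()):
        for sub in (d for d in gpo.iterdir() if d.is_dir() and d.name.lower() == "adm"):
            for adm in adm_files(sub):
                digest = hashlib.sha256(adm.read_bytes()).hexdigest()
                # Content already seen in another GPO folder is redundant disk use.
                if digest in seen:
                    duplicate_bytes += adm.stat().st_size
                seen.add(digest)
                src = local.get(adm.name.lower())
                # A newer local template is the case Mark's reply flags.
                newer = src is not None and src.stat().st_mtime > adm.stat().st_mtime
                rows.append({"gpo": gpo.name, "file": adm.name,
                             "local_is_newer": newer, "sha256": digest})
    return rows, duplicate_bytes

def demo():
    """Constructed sample tree: two placeholder GPO folders, one local inf folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        inf = root / "inf"
        inf.mkdir()
        (inf / "system.adm").write_bytes(b"CLASS MACHINE ; newer template\n")
        os.utime(inf / "system.adm", (1_100_000_000, 1_100_000_000))
        for guid, mtime in (("{GPO-A-PLACEHOLDER}", 1_000_000_000),
                            ("{GPO-B-PLACEHOLDER}", 1_200_000_000)):
            adm_dir = root / "Policies" / guid / "Adm"
            adm_dir.mkdir(parents=True)
            (adm_dir / "system.adm").write_bytes(b"CLASS MACHINE ; W2K template\n")
            os.utime(adm_dir / "system.adm", (mtime, mtime))
        return audit_adm(root / "Policies", inf)

if __name__ == "__main__":
    for row in demo()[0]:
        print(row["gpo"], row["file"], "local newer:", row["local_is_newer"])
```

Rows with `local_is_newer` set identify the GPOs whose template copy differs in age from the admin workstation's, which is worth knowing before that workstation is used to edit them.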
 
Per your comments at the end of your post - you will be seeing
changes that address much of what you have indicated.
 
Glad to hear. I always thought using multiple copies of the ADM's made no
sense especially when they were identical duplicates.

Cheers,
Lara
 
I receive an error after overwriting the existing system.adm with the one from
Windows XP Prof SP2. Is that normal?
 