disabling/enabling firewall with unprivileged user accounts

Hi!
I have a 30 XP Pro machine lab in a Windows 2003 Server domain.
For some classes it is necessary to change the workstation's firewall
settings, or even disable it completely, and then enable it for the following
class. Please correct me if I'm wrong, but I can't see a way of doing this on
the 2003 server through AD.
I was thinking about a script, but since they are unprivileged users, they
can't run it, right?
Any help is welcome!
Thanks
Best regards.
David
 
Hi! Thanks for the reply.
I tested a netsh firewall reset, without running sharedaccess.reg, and that
cleaned all my previous firewall rules.
The problem here is that I already have rules set up that I want to keep
after this class is over. I also didn't understand if this allows an
ordinary unprivileged domain user to disable and then enable previous
firewall settings.
Any idea?
Thanks!
David
 
You are right, they need to be local administrators. I don't know of any easy
workaround for you but what I would look at is using Group Policy startup or
shutdown scripts which run in system context that you might be able to make
some use of. If the computers are shut down before classes change you could
try to have different Group Policy settings for what you need for the
various classes and then change the Group Policy before the new class and
run gpupdate on the domain controller and hopefully when the computers
start up again they will have the new Group Policy firewall settings or
possibly even try a logon script with gpupdate which offhand I can't
remember if that works for a regular user. You could have several Group
Policies configured for just the firewall settings and linked to the
container that the computers are in and enable only the one you want for the
new class. You can use rsop.msc on an XP Pro domain member to see the current
Group Policy settings for a user/computer and the GPO that is enforcing the
setting. --- Steve
 
Hi!
Thanks for the reply. I could use that, but the problem is that I can't set
different policy groups on the workstations, because all of them may be used
in that class.
Also I can't do that for users, because my server has a trust relationship
to another server, and that one is doing authentication. I've found the
registry keys that enable/disable firewall settings for domain profile and
standard profile (don't know yet the difference). I will find some remote
registry editing tool, and I can do that from the server. Now, it's just a
matter of finding a tool like that!
Thanks
David
 
As far as Group Policy I was proposing that you have one for each class that
had nothing but the Windows Firewall settings you want, named Class1FW,
Class2FW, or such. Then you enable just the one you want before class and
run gpupdate on the dc as you can enable/disable a GPO without unlinking or
deleting it. Then when the computers start up for the new class they should
check the domain controller for Group Policy and apply the GPO that is
active for the FW settings.

As far as trusts between domains/forests that has nothing to do with Group
Policy. You manage what Group Policy applies to users by where the GPO is
applied and where the user/computer accounts are located as far as
containers/OUs. Of course you would need the ability to create and manage
Group Policies and the Active Directory objects that are used in your
classes [users/computers]. The domain profile applies when the computer
detects that it is connected to the domain and the standard profile is used
when the computer does not, such as for remote laptop users.

You can edit the registry remotely using your computer via regedit/file -
connect network registry assuming you have file and print sharing access to
the computers. Another possibility is you could use the utility psexec from
SysInternals to run commands on remote computers that you have administrator
access to and file and print sharing connectivity. You could use it for
instance to run .reg files that could change the registry. Psexec has the
ability to run a command against a list of computers in a text file that
could help automate the process. --- Steve

http://www.sysinternals.com/Utilities/PsExec.html --- psexec
http://support.microsoft.com/kb/310516 --- info on using .reg files
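
An added example, not part of either poster's messages: a batch script an administrator could push with psexec or a startup script so that the existing rules are saved before a class and put back afterwards, instead of being lost to a reset. The script name, the backup folder and the computer list file are assumptions made for this example.

```batch
@echo off
rem Added example (classfw.cmd is a hypothetical name). Run with administrator
rem rights or in SYSTEM context, never as the unprivileged lab user.
rem Order of use: save before the class, open for the class, restore after it.
rem Pushed to the lab, for instance (lab-computers.txt is a hypothetical list):
rem   psexec @lab-computers.txt -s -c classfw.cmd save
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
rem Hypothetical folder; its ACL should deny write access to lab users so the
rem saved rules cannot be altered before they are restored.
set BACKUP=%SystemDrive%\LabAdmin\fw-before-class.reg

if /i "%~1"=="save" goto save
if /i "%~1"=="open" goto open
if /i "%~1"=="restore" goto restore
echo Usage: %~n0 save, open or restore
exit /b 2

:save
rem Exports the DomainProfile and StandardProfile subkeys with their rules.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (echo Export failed, firewall left unchanged & exit /b 1)
exit /b 0

:open
rem Refuse to turn the firewall off unless there is something to restore.
if not exist "%BACKUP%" (echo No saved configuration, not disabling & exit /b 1)
netsh firewall set opmode mode=DISABLE profile=ALL
exit /b %errorlevel%

:restore
if not exist "%BACKUP%" (echo No saved configuration found & exit /b 1)
rem reg import merges: saved values come back, but entries created during
rem the class that were not in the backup are not deleted.
reg import "%BACKUP%"
if errorlevel 1 (echo Import failed, check the firewall by hand & exit /b 1)
rem Restart the Windows Firewall/ICS service so it reloads the restored keys.
net stop SharedAccess
net start SharedAccess
rem Print the resulting operational mode for both profiles as a check.
netsh firewall show opmode
exit /b 0
```

If the firewall is managed through Group Policy as described above, the policy settings take precedence over these local values, so use one mechanism or the other.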
 
Hi!
Ok, thanks! I'll take a look at those!
Best regards.
David

Steven L Umbach said:
As far as Group Policy I was proposing that you have one for each class that
had nothing but the Windows Firewall settings you want, named Class1FW,
Class2FW, or such. Then you enable just the one you want before class and
run gpupdate on the dc as you can enable/disable a GPO without unlinking or
deleting it. Then when the computers start up for the new class they should
check the domain controller for Group Policy and apply the GPO that is
active for the FW settings.

As far as trusts between domains/forests that has nothing to do with Group
Policy. You manage what Group Policy applies to users by where the GPO is
applied and where the user/computer accounts are located as far as
containers/OUs. Of course you would need the ability to create and manage
Group Policies and the Active Directory objects that are used in your
classes [users/computers]. The domain profile applies when the computer
detects that it is connected to the domain and the standard profile is used
when the computer does not, such as for remote laptop users.

You can edit the registry remotely using your computer via regedit/file -
connect network registry assuming you have file and print sharing access to
the computers. Another possibility is you could use the utility psexec from
SysInternals to run commands on remote computers that you have administrator
access to and file and print sharing connectivity. You could use it for
instance to run .reg files that could change the registry. Psexec has the
ability to run a command against a list of computers in a text file that
could help automate the process. --- Steve

http://www.sysinternals.com/Utilities/PsExec.html --- psexec
http://support.microsoft.com/kb/310516 --- info on using .reg files

david carvalho said:
Hi!
Thanks for the reply. I could use that, but the problem is that I can't set
different policy groups on the workstations, because all of them may be
used in that class.
Also I can't do that for users, because my server has a trust relationship
to another server, and that one is doing authentication. I've found the
registry keys that enable/disable firewall settings for domain profile and
standard profile (don't know yet the difference). I will find some remote
registry editing tool, and I can do that from the server. Now, it's just a
matter of finding a tool like that!
Thanks
David