I’ve got nothing against the Windows firewall; it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’, and providing they have a decent corporate firewall in front of them, that’s fair enough.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
4. Right click your new policy > Edit.
5. Navigate to;
[box]
Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections
[/box]
6. Set the policy to disabled.
7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
8. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
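A quick check that the policy has actually landed on a client, as an added example (not from the original post). It reads the value the GPO writes under the Policies hive, compares it with the effective state of the Domain profile, and refreshes if the two disagree; the GPO name in the comment is a placeholder.

```powershell
# Added example: verify 'Windows Firewall: Protect all network connections' (Domain Profile)
# on a domain-joined client. Run in an elevated PowerShell on the target machine.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# The GPO writes EnableFirewall=0 here when set to Disabled; no value means no policy applies.
$policyValue = (Get-ItemProperty -Path $policyKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall

if ($null -eq $policyValue) {
    'Policy: no firewall policy present (GPO not applied yet, or not linked to this computer''s OU)'
} elseif ($policyValue -eq 0) {
    'Policy: firewall disabled for the Domain profile by GPO'
} else {
    'Policy: firewall ENABLED by GPO (a higher-priority GPO such as the SBS "Windows Firewall Policy" may be winning)'
}

# Effective state as the firewall service sees it (ActiveStore = local settings merged with GPO).
$domainProfile = Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore
"Effective: Domain profile Enabled = $($domainProfile.Enabled)"

# Policy present but the profile is still on: the client has not refreshed yet, so force it and re-check.
if ($policyValue -eq 0 -and $domainProfile.Enabled -eq 'True') {
    'Policy present but not yet in effect; running gpupdate /force'
    gpupdate /force /target:computer | Out-Null
    "After refresh: Domain profile Enabled = $((Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore).Enabled)"
}
```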
SBS Note
A Small Business Server (SBS) domain enables the client firewall by default! The policy is called Windows Firewall Policy, and it is usually linked to the computer OU under ‘My Business’.
Related Articles, References, Credits, or External Links
I’ve written hundreds of posts about doing things with group policies. Every time I finish one, I write a couple of paragraphs on how long to wait, or how to force the policy etc. So I’ve finally got round to writing a post I can simply reference!
How Long Before Group Policy Changes Are Applied?
This is something that hasn’t changed since I was doing Windows 2000 exams 🙂 The default interval between policies being applied is 90 minutes, plus or minus a figure between 0 and 30 minutes (this avoids all user and computer policies being seen and applied at the same time). So between 60 minutes and 120 minutes if you are going to wait.
Now you can change this interval with group policy;
[box]
User Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for users
Computer Configuration > Administrative Templates > System > Group Policy > Group Policy refresh interval for computers
[/box]
As you can see, you can change the interval up to 64,800 minutes (45 days). If you set it to ‘0’ the policy updates every 7 seconds (NEVER DO THIS!) unless you’re on a test bench with a couple of computers! Personally I’ve never needed to mess around with these settings.
Solution
Force Group Policy Update From GPMC
If you have Windows 2012 server with the group policy management console installed, you can force a group policy refresh on an OU in Active Directory.
Either right click the OU, and select ‘Group Policy Update..’ (or from the Action menu) > Yes.
Some will fail: they might not be turned on, or (like some below) they might be Linux machines.
Manually Force a Group Policy Update on a Single Host
While testing new policies this command is your friend: it gives you a chance to test the result on a client instantly, as soon as policy editing is finished. Open an administrative command window and run the following command.
[box]gpupdate /force[/box]
Note: Some policies require a log off/log on, or even a reboot, you should be told this after running gpupdate.
Force Group Policy Update with PowerShell
You can also get single/multiple machines/users to update their policies using PowerShell. For this to work you need Server 2012 and at least Windows 8 clients. You also need to make some changes to the machines firewalls. Luckily you can also do that with group policy, and Microsoft have already written the policy for you, (it’s in starter policies).
Within the Group Policy Management Console > Locate Starter GPOs > Group Policy Remote Update Firewall Ports > New GPO From Starter GPO > Give the new policy a name.
Link that new policy to your user/computer organisational units (as required).
You can now use the ‘Invoke-GPUpdate’ cmdlet; here I’m applying the update to the ‘Servers’ OU.
Warning: This displays output on the affected machines, and might start some users ringing the help desk!
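The OU-wide refresh scripted, as an added example (not from the original post): it enumerates the computer objects in an OU, skips anything that is not Windows, and records which hosts could not be reached. The OU distinguished name is a placeholder; it assumes the GroupPolicy and ActiveDirectory RSAT modules and the starter GPO above already applied to the targets.

```powershell
# Added example: the equivalent of right-click > 'Group Policy Update..' on an OU in GPMC.
Import-Module GroupPolicy, ActiveDirectory

$ou = 'OU=Servers,DC=example,DC=com'   # placeholder: your own OU
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ou -Properties OperatingSystem

$results = foreach ($c in $targets) {
    # Non-Windows computer objects (e.g. Linux hosts joined to the domain) cannot be refreshed.
    if ($c.OperatingSystem -and $c.OperatingSystem -notmatch 'Windows') {
        [pscustomobject]@{ Computer = $c.Name; Status = 'Skipped'; Detail = $c.OperatingSystem }
        continue
    }
    try {
        # -RandomDelayInMinutes 0 removes the default stagger; -Force reapplies settings even if
        # the GPO version is unchanged. The target shows a console window, hence the help desk calls.
        Invoke-GPUpdate -Computer $c.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $c.Name; Status = 'Scheduled'; Detail = '' }
    } catch {
        # Typical failures: machine switched off, or the RPC/WMI ports blocked by its local firewall
        # because the 'Group Policy Remote Update Firewall Ports' GPO has not reached it yet.
        [pscustomobject]@{ Computer = $c.Name; Status = 'Failed'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```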
See What Group Policies are Being Applied
Forcing them is one thing, proving they actually get to the target computers is something else. For peace of mind, and troubleshooting, it helps to see what policies have filtered down to the computers and users.
Or, to see things a little more ‘granularly’: Windows Key + R > mmc {enter} > File > Add/Remove Snap-In > Resultant Set of Policy > Add > OK.
Generate RSoP Data > Follow the Wizard.
When complete it will show you the ‘sum total’ of all policies being applied, and it can also show you any problems that are occurring. The next best place for troubleshooting group policies is the Event Viewer on the target machine.
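The same RSoP check from the admin box rather than by clicking through the wizard, as an added example (not from the original post): it pulls the computer-scope RSoP report for a target as XML and confirms a named GPO is in the applied list. The computer and GPO names are placeholders, the GroupPolicy module is assumed, and the XML element names (Enabled, IsValid, FilterAllowed, AccessDenied) are those of the gpresult report schema.

```powershell
# Added example: prove a GPO reached a client instead of assuming the forced update worked.
Import-Module GroupPolicy

function Test-GpoApplied {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$GpoName
    )
    $reportPath = Join-Path $env:TEMP "rsop-$Computer.xml"
    # Computer-scope RSoP as XML (ReportType Html gives the same data for reading by eye).
    Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $reportPath | Out-Null
    [xml]$rsop = Get-Content -Path $reportPath -Raw   # [xml] dot-navigation ignores the namespace

    # Every GPO the client evaluated, with whether it was actually applied.
    $evaluated = foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        [pscustomobject]@{
            Name    = $gpo.Name
            Link    = $gpo.Link.SOMPath
            # Not applied when the link is disabled, the GPO is broken, or WMI/security filtering denied it.
            Applied = ($gpo.Enabled -eq 'true' -and $gpo.IsValid -eq 'true' -and
                       $gpo.FilterAllowed -eq 'true' -and $gpo.AccessDenied -eq 'false')
        }
    }
    $evaluated | Format-Table -AutoSize
    return [bool]($evaluated | Where-Object { $_.Name -eq $GpoName -and $_.Applied })
}

# Placeholder names: the server to check and the firewall GPO created earlier.
if (-not (Test-GpoApplied -Computer 'SERVER01' -GpoName 'Disable Windows Firewall')) {
    Write-Warning 'GPO not applied: check the link, security filtering, and the System log on the client'
}
```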
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from {hostname}{name of CA}(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Solution
Note: The pertinent information in the Event ID 13 above is 0x800706ba. There are other causes of this Event ID, so make sure yours is the same.
In my case I had an Exchange server that was using a certificate that had been “self signed”, and the Root CA that signed the certificate had been ungracefully removed from the domain. Take a note of the Root CA name from the Event ID error (shown arrowed).
1. Launch “Active Directory Sites and Services” > Select the top level object > View > Show Services Node.
2. Expand Services > Public Key Services > AIA > Delete the “Problem CA”.
3. Then select “Enrollment Services” > Delete the “Problem CA”.
If you have a New CA (in this example you would have seen it in step 2), then DO NOT perform the next two steps!!!
4. Providing you DON’T have a CA now, select “Certificate Templates” and delete them all.
5. Providing you DON’T have a CA now, select “Public Key Services” and delete the NTAuthCertificates item.
6. To tidy up, (On the server logging the error) run the following command:
[box] certutil -dcinfo deleteBad [/box]
7. Finally on the server logging the error run the following command to update the policies:
[box] gpupdate /force [/box]
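Before deleting anything in steps 2 and 3, it is worth listing what is actually published in the Public Key Services containers and which CA host no longer exists in the domain. This read-only check is an added example (not from the original post); it assumes the ActiveDirectory RSAT module and uses the standard Configuration partition container paths.

```powershell
# Added example: inventory the AIA and Enrollment Services containers and flag a CA whose
# host computer object is gone, i.e. the 'ungracefully removed' Root CA from the event.
Import-Module ActiveDirectory

$config = (Get-ADRootDSE).configurationNamingContext
$pks    = "CN=Public Key Services,CN=Services,$config"

$caObjects = foreach ($container in 'AIA', 'Enrollment Services') {
    Get-ADObject -SearchBase "CN=$container,$pks" -SearchScope OneLevel -Filter * -Properties dNSHostName |
        Select-Object @{n='Container'; e={$container}}, Name, ObjectClass, dNSHostName
}

$report = foreach ($ca in $caObjects) {
    # AIA holds certificationAuthority objects with no host name; only the pKIEnrollmentService
    # objects under Enrollment Services record dNSHostName, so look the host up by CA name there.
    $caHost = ($caObjects | Where-Object { $_.Container -eq 'Enrollment Services' -and $_.Name -eq $ca.Name }).dNSHostName
    $hostInAd = if ($caHost) { [bool](Get-ADComputer -Filter "DNSHostName -eq '$caHost'") } else { $null }
    [pscustomobject]@{
        Container = $ca.Container
        CA        = $ca.Name
        Class     = $ca.ObjectClass
        Host      = $caHost
        HostInAD  = $hostInAd   # $false = stale CA candidate; $null = no host recorded (AIA only)
    }
}
$report | Format-Table -AutoSize

# NTAuthCertificates is what step 5 would remove: show how many CA certificates it holds first.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
"NTAuthCertificates entries: $($ntAuth.cACertificate.Count)"
```

A CA name with an Enrollment Services entry and HostInAD = False is the one the event is complaining about; a CA with HostInAD = True is a live CA, which is the case where steps 4 and 5 must not be run.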