override domain policy?

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

is it possible to override a domain policy as a local admin? if so, how??
our domain admins have set xp sp2's firewall to always disabled because they
'think' it is causing problems on the network... however, i will be on the
road for a week and want the firewall on when i connect to hotel or airport
connections. as local admin on the laptop can i override that setting? if
i remove the machine from the domain (yes i know what this does to trusts
and domain accounts and it doesn't affect what i need the machine for) will
that automatically remove the policy or would i still have to do something?
10 answers Last reply
More about override domain policy
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dave wrote:

    > is it possible to override a domain policy as a local admin? if so,
    > how?? our domain admins have set xp sp2's firewall to always disabled
    > because they 'think' it is causing problems on the network... however,
    > i will be on the road for a week and want the firewall on when i
    > connect to hotel or airport
    > connections. as local admin on the laptop can i override that
    > setting? if i remove the machine from the domain (yes i know what
    > this does to trusts and domain accounts and it doesn't affect what i
    > need the machine for) will that automatically remove the policy or
    > would i still have to do something?

    Check with your sysadmins to see how they want to handle this.

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    You seem to be sure of yourself and your computing ability, yet you
    want to use the inferior and 'blanket' protection of Windows Firewall?
    Even the free alternatives are a much better alternative to Windows
    Firewall, espically for users who are savvy enough to figure out their
    configuration. Essentially you should talk to the admins and see about
    setting your mobile PC to change the settings when you remove yourself
    from the domain. Once you do this, you should be able to manually turn
    it on via the standard way, espically since you already have registry
    access.

    -Eric
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Malke" <noreply@invalid.com> wrote in message
    news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
    > Dave wrote:
    >
    > > is it possible to override a domain policy as a local admin? if so,
    > > how?? our domain admins have set xp sp2's firewall to always disabled
    > > because they 'think' it is causing problems on the network... however,
    > > i will be on the road for a week and want the firewall on when i
    > > connect to hotel or airport
    > > connections. as local admin on the laptop can i override that
    > > setting? if i remove the machine from the domain (yes i know what
    > > this does to trusts and domain accounts and it doesn't affect what i
    > > need the machine for) will that automatically remove the policy or
    > > would i still have to do something?
    >
    > Check with your sysadmins to see how they want to handle this.
    >

    i got their answer... they do not 'recommend' installing a firewall at this
    time becaues they 'think' it causes connectivity problems. however they
    don't travel and just worry about keeping the company lan safe, i have seen
    what can happen when an unfirewalled machine is connected to the internet
    and do not want to risk that when i need the computer on the road. i am
    free to go get my own 3rd party firewall if i want, but i would rather use
    the windows firewall.
  4. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    ok, i found the registry keys to turn the firewall back on despite the
    policy setting. will have to instruct those admins about the difference in
    domain and standard settings i think, that may help reduce their opposition.
    just to make sure i have it right, the domain setting applies when i am
    connected on the domain's network, and the 'standard' setting applies when i
    am not plugged in there, correct?? that is what i think i am seeing, but
    only option i have here right now is the lan ethernet or an internet dialup
    connection. one thing i don't know is, will my edit of the registry keys be
    overwritten by the next policy update?

    "Dave" <noone@nowhere.com> wrote in message
    news:ubkez%23eDFHA.2572@tk2msftngp13.phx.gbl...
    >
    > "Malke" <noreply@invalid.com> wrote in message
    > news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
    > > Dave wrote:
    > >
    > > > is it possible to override a domain policy as a local admin? if so,
    > > > how?? our domain admins have set xp sp2's firewall to always disabled
    > > > because they 'think' it is causing problems on the network... however,
    > > > i will be on the road for a week and want the firewall on when i
    > > > connect to hotel or airport
    > > > connections. as local admin on the laptop can i override that
    > > > setting? if i remove the machine from the domain (yes i know what
    > > > this does to trusts and domain accounts and it doesn't affect what i
    > > > need the machine for) will that automatically remove the policy or
    > > > would i still have to do something?
    > >
    > > Check with your sysadmins to see how they want to handle this.
    > >
    >
    > i got their answer... they do not 'recommend' installing a firewall at
    this
    > time becaues they 'think' it causes connectivity problems. however they
    > don't travel and just worry about keeping the company lan safe, i have
    seen
    > what can happen when an unfirewalled machine is connected to the internet
    > and do not want to risk that when i need the computer on the road. i am
    > free to go get my own 3rd party firewall if i want, but i would rather use
    > the windows firewall.
    >
    >
  5. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dave wrote:
    > "Malke" <noreply@invalid.com> wrote in message
    > news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
    >> Dave wrote:
    >>
    >>> is it possible to override a domain policy as a local admin? if so,
    >>> how?? our domain admins have set xp sp2's firewall to always
    >>> disabled because they 'think' it is causing problems on the
    >>> network... however, i will be on the road for a week and want the
    >>> firewall on when i connect to hotel or airport
    >>> connections. as local admin on the laptop can i override that
    >>> setting? if i remove the machine from the domain (yes i know what
    >>> this does to trusts and domain accounts and it doesn't affect what i
    >>> need the machine for) will that automatically remove the policy or
    >>> would i still have to do something?
    >>
    >> Check with your sysadmins to see how they want to handle this.
    >>
    >
    > i got their answer... they do not 'recommend' installing a firewall
    > at this time becaues they 'think' it causes connectivity problems.
    > however they don't travel and just worry about keeping the company
    > lan safe, i have seen what can happen when an unfirewalled machine is
    > connected to the internet and do not want to risk that when i need
    > the computer on the road. i am free to go get my own 3rd party
    > firewall if i want, but i would rather use the windows firewall.

    They're being silly. Ask them to set up a group policy so that the firewalls
    are disabled when on the LAN, and enabled when not - or exclude your
    computer from this policy so that you can enable it when on the LAN (with
    exceptions set up so they can still manage the computer when on the local
    subnet of your network in the office). You do need a firewall when you're on
    an unprotected network, absolutely.
  6. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dave wrote:
    > ok, i found the registry keys to turn the firewall back on despite the
    > policy setting. will have to instruct those admins about the
    > difference in domain and standard settings i think, that may help
    > reduce their opposition. just to make sure i have it right, the
    > domain setting applies when i am connected on the domain's network,
    > and the 'standard' setting applies when i am not plugged in there,
    > correct?? that is what i think i am seeing, but only option i have
    > here right now is the lan ethernet or an internet dialup connection.
    > one thing i don't know is, will my edit of the registry keys be
    > overwritten by the next policy update?

    Probably.
    >
    > "Dave" <noone@nowhere.com> wrote in message
    > news:ubkez%23eDFHA.2572@tk2msftngp13.phx.gbl...
    >>
    >> "Malke" <noreply@invalid.com> wrote in message
    >> news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
    >>> Dave wrote:
    >>>
    >>>> is it possible to override a domain policy as a local admin? if
    >>>> so, how?? our domain admins have set xp sp2's firewall to always
    >>>> disabled because they 'think' it is causing problems on the
    >>>> network... however, i will be on the road for a week and want the
    >>>> firewall on when i connect to hotel or airport
    >>>> connections. as local admin on the laptop can i override that
    >>>> setting? if i remove the machine from the domain (yes i know what
    >>>> this does to trusts and domain accounts and it doesn't affect what
    >>>> i need the machine for) will that automatically remove the policy
    >>>> or would i still have to do something?
    >>>
    >>> Check with your sysadmins to see how they want to handle this.
    >>>
    >>
    >> i got their answer... they do not 'recommend' installing a firewall
    >> at this time becaues they 'think' it causes connectivity problems.
    >> however they don't travel and just worry about keeping the company
    >> lan safe, i have seen what can happen when an unfirewalled machine
    >> is connected to the internet and do not want to risk that when i
    >> need the computer on the road. i am free to go get my own 3rd party
    >> firewall if i want, but i would rather use the windows firewall.
  7. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    If the computer belongs to your employer, and your employer is enforcing
    a specific policy (regardless of whether you agree or disagree), and any
    damage done is through no fault of your own, and those same admins will have
    to recover the PC/Laptop, and after a few times, their management sees time
    wasted recovering PC because they were not firewalled off the LAN, then
    Group aka Company policy will change.
    Also, in most companies, hacking the registry as you have, to contradict
    the company policy is a "termination" offense - again whether "you" think it
    is good policy or not is not the issue - the issue, you hacked your
    employer's PC and changed or went against Group aka Company Policy, which
    almost all employees agree to abide by when they are hired. Yes it has
    already been tried in many of small courts and unemployment hearings - Group
    Policy on PC/Laptops are the same as "Company Policy", considered just as
    serious as "sexual harassment", "stealing", "fraternization", etc. if you
    violate.

    --
    Star Fleet Admiral Q @ your service!
    "Google is your Friend!"
    www.google.com

    ***********************************************

    "Dave" <noone@nowhere.com> wrote in message
    news:eKOnpudDFHA.1496@TK2MSFTNGP14.phx.gbl...
    > is it possible to override a domain policy as a local admin? if so, how??
    > our domain admins have set xp sp2's firewall to always disabled because
    they
    > 'think' it is causing problems on the network... however, i will be on the
    > road for a week and want the firewall on when i connect to hotel or
    airport
    > connections. as local admin on the laptop can i override that setting?
    if
    > i remove the machine from the domain (yes i know what this does to trusts
    > and domain accounts and it doesn't affect what i need the machine for)
    will
    > that automatically remove the policy or would i still have to do
    something?
    >
    >
  8. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dave wrote:

    > ok, i found the registry keys to turn the firewall back on despite the
    > policy setting. will have to instruct those admins about the difference in
    > domain and standard settings i think, that may help reduce their opposition.
    > just to make sure i have it right, the domain setting applies when i am
    > connected on the domain's network, and the 'standard' setting applies when i
    > am not plugged in there, correct??
    Hi

    Here is how the SP2 firewall determines if it is to activate
    the domain or standard profile:

    If last-received Group Policy update DNS name match any of the
    connection-specific DNS suffixes of the currently connected
    connections (not PPP or SLIP-based) on the computer the FW's
    domain settings will be used. There is no way to change this
    behavior.

    From
    The Cable Guy - May 2004
    Network Determination Behavior for Network-Related Group Policy Settings
    http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

    <quote>
    To apply this behavior to Windows Firewall settings:

    () If the connection-specific DNS suffix of a currently connected
    connection on the computer that is not PPP or SLIP-based (such as
    an Ethernet or 802.11 wireless network adapter) matches the value
    of the
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
    Policy\History\NetworkName registry entry, Windows Firewall uses
    the domain profile.

    () If the connection-specific DNS suffix of a currently connected
    connection on the computer that is not PPP or SLIP-based does not
    match the value of the
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
    Policy\History\NetworkName registry entry, Windows Firewall uses
    the standard profile.

    You can determine the connection-specific DNS suffixes of the
    currently connected connections on the computer from the display
    of the ipconfig command issued from a command prompt.

    </quote>

    Read the Cable Guy article for more about this.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  9. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    yeah, right. i wish they would recover the laptop for me. i just spent 12
    hours feeding it cd's because one of their mandatory upgrades hosed the
    network setup on it and they couldn't figure out how to fix it. they don't
    even require that i put it on the domain, i did that just to make login to
    mail and shared drives a bit easier, something i will rarely use this
    machine for anyway. their 'policy' is that they don't want the windows
    firewall used because the 'think' is is causing unspecified connectivity
    problems, and they 'don't recommend' installing a firewall. yeah, really
    great 'policy'. i already have my own computer lab of non-domain machines
    and take care of some project specific non-domain servers at this site which
    the managers here are very happy with, if the hq IT people tried to get me
    fired over something like this they would probably be the ones to hit the
    road.

    "Admiral Q" <Star_Fleet_Admiral_Q(NOSPAM)@(SPAMNOT)hotmail.com> wrote in
    message news:OptNMzhDFHA.2600@TK2MSFTNGP09.phx.gbl...
    > If the computer belongs to your employer, and your employer is
    enforcing
    > a specific policy (regardless of whether you agree or disagree), and any
    > damage done is through no fault of your own, and those same admins will
    have
    > to recover the PC/Laptop, and after a few times, their management sees
    time
    > wasted recovering PC because they were not firewalled off the LAN, then
    > Group aka Company policy will change.
    > Also, in most companies, hacking the registry as you have, to
    contradict
    > the company policy is a "termination" offense - again whether "you" think
    it
    > is good policy or not is not the issue - the issue, you hacked your
    > employer's PC and changed or went against Group aka Company Policy, which
    > almost all employees agree to abide by when they are hired. Yes it has
    > already been tried in many of small courts and unemployment hearings -
    Group
    > Policy on PC/Laptops are the same as "Company Policy", considered just as
    > serious as "sexual harassment", "stealing", "fraternization", etc. if you
    > violate.
    >
    > --
    > Star Fleet Admiral Q @ your service!
    > "Google is your Friend!"
    > www.google.com
    >
    > ***********************************************
    >
    > "Dave" <noone@nowhere.com> wrote in message
    > news:eKOnpudDFHA.1496@TK2MSFTNGP14.phx.gbl...
    > > is it possible to override a domain policy as a local admin? if so,
    how??
    > > our domain admins have set xp sp2's firewall to always disabled because
    > they
    > > 'think' it is causing problems on the network... however, i will be on
    the
    > > road for a week and want the firewall on when i connect to hotel or
    > airport
    > > connections. as local admin on the laptop can i override that setting?
    > if
    > > i remove the machine from the domain (yes i know what this does to
    trusts
    > > and domain accounts and it doesn't affect what i need the machine for)
    > will
    > > that automatically remove the policy or would i still have to do
    > something?
    > >
    > >
    >
    >
  10. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Dave wrote:
    > yeah, right. i wish they would recover the laptop for me. i just
    > spent 12 hours feeding it cd's because one of their mandatory
    > upgrades hosed the network setup on it and they couldn't figure out
    > how to fix it. they don't even require that i put it on the domain,
    > i did that just to make login to mail and shared drives a bit easier,
    > something i will rarely use this machine for anyway. their 'policy'
    > is that they don't want the windows firewall used because the 'think'
    > is is causing unspecified connectivity problems, and they 'don't
    > recommend' installing a firewall. yeah, really great 'policy'. i
    > already have my own computer lab of non-domain machines and take care
    > of some project specific non-domain servers at this site which the
    > managers here are very happy with, if the hq IT people tried to get
    > me fired over something like this they would probably be the ones to
    > hit the road.

    Sounds like you don't get much in the way of decent tech support. Won't
    speculate as to the reason, but perhaps you should make it known to
    management (in writing!).
    >
    > "Admiral Q" <Star_Fleet_Admiral_Q(NOSPAM)@(SPAMNOT)hotmail.com> wrote
    > in message news:OptNMzhDFHA.2600@TK2MSFTNGP09.phx.gbl...
    >> If the computer belongs to your employer, and your employer is
    >> enforcing a specific policy (regardless of whether you agree or
    >> disagree), and any damage done is through no fault of your own, and
    >> those same admins will have to recover the PC/Laptop, and after a
    >> few times, their management sees time wasted recovering PC because
    >> they were not firewalled off the LAN, then Group aka Company policy
    >> will change. Also, in most companies, hacking the registry as
    >> you have, to contradict the company policy is a "termination"
    >> offense - again whether "you" think it is good policy or not is not
    >> the issue - the issue, you hacked your employer's PC and changed or
    >> went against Group aka Company Policy, which almost all employees
    >> agree to abide by when they are hired. Yes it has already been
    >> tried in many of small courts and unemployment hearings - Group
    >> Policy on PC/Laptops are the same as "Company Policy", considered
    >> just as serious as "sexual harassment", "stealing",
    >> "fraternization", etc. if you violate.
    >>
    >> --
    >> Star Fleet Admiral Q @ your service!
    >> "Google is your Friend!"
    >> www.google.com
    >>
    >> ***********************************************
    >>
    >> "Dave" <noone@nowhere.com> wrote in message
    >> news:eKOnpudDFHA.1496@TK2MSFTNGP14.phx.gbl...
    >>> is it possible to override a domain policy as a local admin? if
    >>> so, how?? our domain admins have set xp sp2's firewall to always
    >>> disabled because they 'think' it is causing problems on the
    >>> network... however, i will be on the road for a week and want the
    >>> firewall on when i connect to hotel or airport connections. as
    >>> local admin on the laptop can i override that setting? if i remove
    >>> the machine from the domain (yes i know what this does to trusts
    >>> and domain accounts and it doesn't affect what i need the machine
    >>> for) will that automatically remove the policy or would i still
    >>> have to do something?
Ask a new question

Read More

Policy Domain Windows XP