Sign in with
Sign up | Sign in
Your question

override domain policy?

Last response: in Windows XP
Share
February 8, 2005 10:42:32 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

is it possible to override a domain policy as a local admin? if so, how??
our domain admins have set xp sp2's firewall to always disabled because they
'think' it is causing problems on the network... however, i will be on the
road for a week and want the firewall on when i connect to hotel or airport
connections. as local admin on the laptop can i override that setting? if
i remove the machine from the domain (yes i know what this does to trusts
and domain accounts and it doesn't affect what i need the machine for) will
that automatically remove the policy or would i still have to do something?

More about : override domain policy

February 8, 2005 10:42:33 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave wrote:

> is it possible to override a domain policy as a local admin? if so,
> how?? our domain admins have set xp sp2's firewall to always disabled
> because they 'think' it is causing problems on the network... however,
> i will be on the road for a week and want the firewall on when i
> connect to hotel or airport
> connections. as local admin on the laptop can i override that
> setting? if i remove the machine from the domain (yes i know what
> this does to trusts and domain accounts and it doesn't affect what i
> need the machine for) will that automatically remove the policy or
> would i still have to do something?

Check with your sysadmins to see how they want to handle this.

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
Anonymous
February 8, 2005 11:33:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You seem to be sure of yourself and your computing ability, yet you
want to use the inferior and 'blanket' protection of Windows Firewall?
Even the free alternatives are a much better alternative to Windows
Firewall, espically for users who are savvy enough to figure out their
configuration. Essentially you should talk to the admins and see about
setting your mobile PC to change the settings when you remove yourself
from the domain. Once you do this, you should be able to manually turn
it on via the standard way, espically since you already have registry
access.

-Eric
Related resources
February 8, 2005 1:05:59 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Malke" <noreply@invalid.com> wrote in message
news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
> Dave wrote:
>
> > is it possible to override a domain policy as a local admin? if so,
> > how?? our domain admins have set xp sp2's firewall to always disabled
> > because they 'think' it is causing problems on the network... however,
> > i will be on the road for a week and want the firewall on when i
> > connect to hotel or airport
> > connections. as local admin on the laptop can i override that
> > setting? if i remove the machine from the domain (yes i know what
> > this does to trusts and domain accounts and it doesn't affect what i
> > need the machine for) will that automatically remove the policy or
> > would i still have to do something?
>
> Check with your sysadmins to see how they want to handle this.
>

i got their answer... they do not 'recommend' installing a firewall at this
time becaues they 'think' it causes connectivity problems. however they
don't travel and just worry about keeping the company lan safe, i have seen
what can happen when an unfirewalled machine is connected to the internet
and do not want to risk that when i need the computer on the road. i am
free to go get my own 3rd party firewall if i want, but i would rather use
the windows firewall.
February 8, 2005 2:11:26 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

ok, i found the registry keys to turn the firewall back on despite the
policy setting. will have to instruct those admins about the difference in
domain and standard settings i think, that may help reduce their opposition.
just to make sure i have it right, the domain setting applies when i am
connected on the domain's network, and the 'standard' setting applies when i
am not plugged in there, correct?? that is what i think i am seeing, but
only option i have here right now is the lan ethernet or an internet dialup
connection. one thing i don't know is, will my edit of the registry keys be
overwritten by the next policy update?

"Dave" <noone@nowhere.com> wrote in message
news:ubkez%23eDFHA.2572@tk2msftngp13.phx.gbl...
>
> "Malke" <noreply@invalid.com> wrote in message
> news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
> > Dave wrote:
> >
> > > is it possible to override a domain policy as a local admin? if so,
> > > how?? our domain admins have set xp sp2's firewall to always disabled
> > > because they 'think' it is causing problems on the network... however,
> > > i will be on the road for a week and want the firewall on when i
> > > connect to hotel or airport
> > > connections. as local admin on the laptop can i override that
> > > setting? if i remove the machine from the domain (yes i know what
> > > this does to trusts and domain accounts and it doesn't affect what i
> > > need the machine for) will that automatically remove the policy or
> > > would i still have to do something?
> >
> > Check with your sysadmins to see how they want to handle this.
> >
>
> i got their answer... they do not 'recommend' installing a firewall at
this
> time becaues they 'think' it causes connectivity problems. however they
> don't travel and just worry about keeping the company lan safe, i have
seen
> what can happen when an unfirewalled machine is connected to the internet
> and do not want to risk that when i need the computer on the road. i am
> free to go get my own 3rd party firewall if i want, but i would rather use
> the windows firewall.
>
>
Anonymous
February 8, 2005 2:31:59 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave wrote:
> "Malke" <noreply@invalid.com> wrote in message
> news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
>> Dave wrote:
>>
>>> is it possible to override a domain policy as a local admin? if so,
>>> how?? our domain admins have set xp sp2's firewall to always
>>> disabled because they 'think' it is causing problems on the
>>> network... however, i will be on the road for a week and want the
>>> firewall on when i connect to hotel or airport
>>> connections. as local admin on the laptop can i override that
>>> setting? if i remove the machine from the domain (yes i know what
>>> this does to trusts and domain accounts and it doesn't affect what i
>>> need the machine for) will that automatically remove the policy or
>>> would i still have to do something?
>>
>> Check with your sysadmins to see how they want to handle this.
>>
>
> i got their answer... they do not 'recommend' installing a firewall
> at this time becaues they 'think' it causes connectivity problems.
> however they don't travel and just worry about keeping the company
> lan safe, i have seen what can happen when an unfirewalled machine is
> connected to the internet and do not want to risk that when i need
> the computer on the road. i am free to go get my own 3rd party
> firewall if i want, but i would rather use the windows firewall.

They're being silly. Ask them to set up a group policy so that the firewalls
are disabled when on the LAN, and enabled when not - or exclude your
computer from this policy so that you can enable it when on the LAN (with
exceptions set up so they can still manage the computer when on the local
subnet of your network in the office). You do need a firewall when you're on
an unprotected network, absolutely.
Anonymous
February 8, 2005 2:32:20 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave wrote:
> ok, i found the registry keys to turn the firewall back on despite the
> policy setting. will have to instruct those admins about the
> difference in domain and standard settings i think, that may help
> reduce their opposition. just to make sure i have it right, the
> domain setting applies when i am connected on the domain's network,
> and the 'standard' setting applies when i am not plugged in there,
> correct?? that is what i think i am seeing, but only option i have
> here right now is the lan ethernet or an internet dialup connection.
> one thing i don't know is, will my edit of the registry keys be
> overwritten by the next policy update?

Probably.
>
> "Dave" <noone@nowhere.com> wrote in message
> news:ubkez%23eDFHA.2572@tk2msftngp13.phx.gbl...
>>
>> "Malke" <noreply@invalid.com> wrote in message
>> news:eaDUboeDFHA.2180@TK2MSFTNGP12.phx.gbl...
>>> Dave wrote:
>>>
>>>> is it possible to override a domain policy as a local admin? if
>>>> so, how?? our domain admins have set xp sp2's firewall to always
>>>> disabled because they 'think' it is causing problems on the
>>>> network... however, i will be on the road for a week and want the
>>>> firewall on when i connect to hotel or airport
>>>> connections. as local admin on the laptop can i override that
>>>> setting? if i remove the machine from the domain (yes i know what
>>>> this does to trusts and domain accounts and it doesn't affect what
>>>> i need the machine for) will that automatically remove the policy
>>>> or would i still have to do something?
>>>
>>> Check with your sysadmins to see how they want to handle this.
>>>
>>
>> i got their answer... they do not 'recommend' installing a firewall
>> at this time becaues they 'think' it causes connectivity problems.
>> however they don't travel and just worry about keeping the company
>> lan safe, i have seen what can happen when an unfirewalled machine
>> is connected to the internet and do not want to risk that when i
>> need the computer on the road. i am free to go get my own 3rd party
>> firewall if i want, but i would rather use the windows firewall.
Anonymous
February 8, 2005 6:28:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

If the computer belongs to your employer, and your employer is enforcing
a specific policy (regardless of whether you agree or disagree), and any
damage done is through no fault of your own, and those same admins will have
to recover the PC/Laptop, and after a few times, their management sees time
wasted recovering PC because they were not firewalled off the LAN, then
Group aka Company policy will change.
Also, in most companies, hacking the registry as you have, to contradict
the company policy is a "termination" offense - again whether "you" think it
is good policy or not is not the issue - the issue, you hacked your
employer's PC and changed or went against Group aka Company Policy, which
almost all employees agree to abide by when they are hired. Yes it has
already been tried in many of small courts and unemployment hearings - Group
Policy on PC/Laptops are the same as "Company Policy", considered just as
serious as "sexual harassment", "stealing", "fraternization", etc. if you
violate.

--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com

***********************************************

"Dave" <noone@nowhere.com> wrote in message
news:eKOnpudDFHA.1496@TK2MSFTNGP14.phx.gbl...
> is it possible to override a domain policy as a local admin? if so, how??
> our domain admins have set xp sp2's firewall to always disabled because
they
> 'think' it is causing problems on the network... however, i will be on the
> road for a week and want the firewall on when i connect to hotel or
airport
> connections. as local admin on the laptop can i override that setting?
if
> i remove the machine from the domain (yes i know what this does to trusts
> and domain accounts and it doesn't affect what i need the machine for)
will
> that automatically remove the policy or would i still have to do
something?
>
>
Anonymous
February 8, 2005 11:21:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave wrote:

> ok, i found the registry keys to turn the firewall back on despite the
> policy setting. will have to instruct those admins about the difference in
> domain and standard settings i think, that may help reduce their opposition.
> just to make sure i have it right, the domain setting applies when i am
> connected on the domain's network, and the 'standard' setting applies when i
> am not plugged in there, correct??
Hi

Here is how the SP2 firewall determines if it is to activate
the domain or standard profile:

If last-received Group Policy update DNS name match any of the
connection-specific DNS suffixes of the currently connected
connections (not PPP or SLIP-based) on the computer the FW's
domain settings will be used. There is no way to change this
behavior.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cabl...

<quote>
To apply this behavior to Windows Firewall settings:

() If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History\NetworkName registry entry, Windows Firewall uses
the domain profile.

() If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History\NetworkName registry entry, Windows Firewall uses
the standard profile.

You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
February 9, 2005 10:52:06 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

yeah, right. i wish they would recover the laptop for me. i just spent 12
hours feeding it cd's because one of their mandatory upgrades hosed the
network setup on it and they couldn't figure out how to fix it. they don't
even require that i put it on the domain, i did that just to make login to
mail and shared drives a bit easier, something i will rarely use this
machine for anyway. their 'policy' is that they don't want the windows
firewall used because the 'think' is is causing unspecified connectivity
problems, and they 'don't recommend' installing a firewall. yeah, really
great 'policy'. i already have my own computer lab of non-domain machines
and take care of some project specific non-domain servers at this site which
the managers here are very happy with, if the hq IT people tried to get me
fired over something like this they would probably be the ones to hit the
road.

"Admiral Q" <Star_Fleet_Admiral_Q(NOSPAM)@(SPAMNOT)hotmail.com> wrote in
message news:o ptNMzhDFHA.2600@TK2MSFTNGP09.phx.gbl...
> If the computer belongs to your employer, and your employer is
enforcing
> a specific policy (regardless of whether you agree or disagree), and any
> damage done is through no fault of your own, and those same admins will
have
> to recover the PC/Laptop, and after a few times, their management sees
time
> wasted recovering PC because they were not firewalled off the LAN, then
> Group aka Company policy will change.
> Also, in most companies, hacking the registry as you have, to
contradict
> the company policy is a "termination" offense - again whether "you" think
it
> is good policy or not is not the issue - the issue, you hacked your
> employer's PC and changed or went against Group aka Company Policy, which
> almost all employees agree to abide by when they are hired. Yes it has
> already been tried in many of small courts and unemployment hearings -
Group
> Policy on PC/Laptops are the same as "Company Policy", considered just as
> serious as "sexual harassment", "stealing", "fraternization", etc. if you
> violate.
>
> --
> Star Fleet Admiral Q @ your service!
> "Google is your Friend!"
> www.google.com
>
> ***********************************************
>
> "Dave" <noone@nowhere.com> wrote in message
> news:eKOnpudDFHA.1496@TK2MSFTNGP14.phx.gbl...
> > is it possible to override a domain policy as a local admin? if so,
how??
> > our domain admins have set xp sp2's firewall to always disabled because
> they
> > 'think' it is causing problems on the network... however, i will be on
the
> > road for a week and want the firewall on when i connect to hotel or
> airport
> > connections. as local admin on the laptop can i override that setting?
> if
> > i remove the machine from the domain (yes i know what this does to
trusts
> > and domain accounts and it doesn't affect what i need the machine for)
> will
> > that automatically remove the policy or would i still have to do
> something?
> >
> >
>
>
Anonymous
February 13, 2005 12:35:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave wrote:
> yeah, right. i wish they would recover the laptop for me. i just
> spent 12 hours feeding it cd's because one of their mandatory
> upgrades hosed the network setup on it and they couldn't figure out
> how to fix it. they don't even require that i put it on the domain,
> i did that just to make login to mail and shared drives a bit easier,
> something i will rarely use this machine for anyway. their 'policy'
> is that they don't want the windows firewall used because the 'think'
> is is causing unspecified connectivity problems, and they 'don't
> recommend' installing a firewall. yeah, really great 'policy'. i
> already have my own computer lab of non-domain machines and take care
> of some project specific non-domain servers at this site which the
> managers here are very happy with, if the hq IT people tried to get
> me fired over something like this they would probably be the ones to
> hit the road.

Sounds like you don't get much in the way of decent tech support. Won't
speculate as to the reason, but perhaps you should make it known to
management (in writing!).
>
> "Admiral Q" <Star_Fleet_Admiral_Q(NOSPAM)@(SPAMNOT)hotmail.com> wrote
> in message news:o ptNMzhDFHA.2600@TK2MSFTNGP09.phx.gbl...
>> If the computer belongs to your employer, and your employer is
>> enforcing a specific policy (regardless of whether you agree or
>> disagree), and any damage done is through no fault of your own, and
>> those same admins will have to recover the PC/Laptop, and after a
>> few times, their management sees time wasted recovering PC because
>> they were not firewalled off the LAN, then Group aka Company policy
>> will change. Also, in most companies, hacking the registry as
>> you have, to contradict the company policy is a "termination"
>> offense - again whether "you" think it is good policy or not is not
>> the issue - the issue, you hacked your employer's PC and changed or
>> went against Group aka Company Policy, which almost all employees
>> agree to abide by when they are hired. Yes it has already been
>> tried in many of small courts and unemployment hearings - Group
>> Policy on PC/Laptops are the same as "Company Policy", considered
>> just as serious as "sexual harassment", "stealing",
>> "fraternization", etc. if you violate.
>>
>> --
>> Star Fleet Admiral Q @ your service!
>> "Google is your Friend!"
>> www.google.com
>>
>> ***********************************************
>>
>> "Dave" <noone@nowhere.com> wrote in message
>> news:eKOnpudDFHA.1496@TK2MSFTNGP14.phx.gbl...
>>> is it possible to override a domain policy as a local admin? if
>>> so, how?? our domain admins have set xp sp2's firewall to always
>>> disabled because they 'think' it is causing problems on the
>>> network... however, i will be on the road for a week and want the
>>> firewall on when i connect to hotel or airport connections. as
>>> local admin on the laptop can i override that setting? if i remove
>>> the machine from the domain (yes i know what this does to trusts
>>> and domain accounts and it doesn't affect what i need the machine
>>> for) will that automatically remove the policy or would i still
>>> have to do something?
!