Archived from groups: microsoft.public.win2000.group_policy
I tried configuring the firewall with GPMC, but the policies for the
firewall do not seem to work. I have set other policies that work fine, but
the policy for the firewall to open an additional port does not work. When I
inspect the registry of a computer that is operating on the domain and under
the policies, I see nothing that shows that the policies are in place. I've
read the tech doc link you provided, but it only explains how it should work
(policies vs preferences). It doesn't explain why it doesn't work for the
ports I have tried to open. While investigating this I found that if I
manually add a port to this link:
hklm\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
Then of course it works (a workstation preference), but when the policy is
set, there are no additions to this link. While trying to figure out why I
discovered that the system.adm template actually edits this link:
hklm\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List
This link does not exist in my workstation registries - there is no
"WindowsFirewall" key anywhere.
Maybe this means that the group policy engine on the client side is not
processing policies for additional firewall ports correctly. Has anyone
else set a policy to add an additional port to the XP SP2 firewall?
I'm using a W2K3 DC with SP1, and XP SP2. I also use GPMC SP1.
TIA
Pat.
"VMM" <VMM@discussions.microsoft.com> wrote in message
news:A7D54D51-EC9B-4CD9-9FB4-3E780AFBA1A0@microsoft.com...
> Hello Pat,
>
> There is nothing wrong with your system.adm, nor does it need updating. You
> could configure firewall exceptions through your Administrative Template.
> It will be more explicit if you read the text below.
>
> "True Policies and Preferences
> The Administrative Templates CSE has control over a part of the registry
> for both user and computer registry hives and treats these specially.
> These parts are for the computer and user hives respectively:
>
> - HKEY_LOCAL_MACHINE\SOFTWARE\policies (preferred location)
> - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
> - HKEY_CURRENT_USER\SOFTWARE\policies (preferred location)
> - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
>
> These trees cannot be modified by a non-administrator. Because all keys
> and values beneath these paths are erased before applying the resultant
> registry policy settings, the registry policies applied in these subtrees
> will only persist as long as a valid Group Policy setting exists. Policy
> settings that are stored in these specific locations of the registry are
> known as true policies.
>
> All the policy settings in the standard Administrative Template files that
> shipped with Windows 2000 Server and Windows Server 2003 use true policies.
> This prevents the behavior that was often present in Windows NT 4.0,
> whereby System Policies resulted in persistent settings in the user and
> computer registry. The policy remained in effect until the value was
> reversed, either by a counteracting policy or by editing the registry.
> These settings are stored outside the approved registry locations listed
> and are known as preferences."
>
> You can read more at
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/74635e11-a0e2-42e0-b3c6-a5ccbc43c931.mspx
>
> Regards,
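
The two registry locations discussed in this thread can be compared directly on a client to see whether an open-port entry arrived as a true policy or exists only as a local preference. The following is an added example, not part of the original posts; it assumes PowerShell is installed on the workstation and is run as an administrator, and the function name `Get-PortEntries` is hypothetical.

```powershell
# Added example: compare the policy key and the local (preference) key named in the post.
# Policy key: written by the Administrative Templates CSE (true policy).
# Local key:  the workstation's own firewall configuration (preference).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List'

# Hypothetical helper: return one object per registry value under $Path.
function Get-PortEntries {
    param([string]$Path, [string]$Source)
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item $Path
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Source = $Source
            Name   = $name
            Data   = $key.GetValue($name)
        }
    }
}

$policy = @(Get-PortEntries -Path $policyKey -Source 'Policy')
$local  = @(Get-PortEntries -Path $localKey  -Source 'Local')

if (-not (Test-Path $policyKey)) {
    # Matches the symptom in the post: no WindowsFirewall key under Software\Policies.
    Write-Output 'Policy key absent: no firewall port policy has been written on this computer.'
    Write-Output 'Check which GPOs apply with gpresult, then refresh with gpupdate /force.'
}

$policyNames = @($policy | ForEach-Object { $_.Name })

foreach ($entry in ($policy + $local)) {
    $note = ''
    if ($entry.Source -eq 'Local' -and ($policyNames -notcontains $entry.Name)) {
        # Outside the policy tree, so it is not erased when Group Policy is reapplied.
        $note = '(local only: preference, not delivered by policy)'
    }
    '{0,-7} {1,-14} {2} {3}' -f $entry.Source, $entry.Name, $entry.Data, $note
}

if ($policy.Count -eq 0 -and $local.Count -eq 0) {
    Write-Output 'No globally open port entries found in either location.'
}
```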