| Author | Messages | |
sekinj
Posts:7
 | | 04/02/2010 5:13 PM |
| Hey guys!
I have one user that I want to disable the windows firewall on. I have
created an OU under my domain and put this user in that OU. I then
applied a new group policy that disables the windows firewall to that
OU. I checked the box to Block Inheritance. It was working fine the
day I made it, and anyone logging in with that username had their
windows firewall disabled. However, overnight AD decided to help me
out, and now suddenly the default domain policy is in effect for that
user which has the windows firewall Enabled. I have checked the Default
Domain and it DOES NOT have No Override selected.
Anyone know how I can effectively apply my gpo to just that one user?
Or why the default domain is being so persistent? Or even some other
way to just disable the windows firewall for just one user?
Thanks!
-SG
--
Attention:
The information contained in this message and or attachments is intended
only for the person or entity to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of, or taking of any action in reliance upon,
this information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please contact
the sender and delete the material from any system and destroy any
copies.
Thank you.
-----------------------------------------
| | | |
| jeromelcruz
Posts:120
 | | 04/02/2010 5:49 PM |
| Run an RSoP.msc report to see if it still is receiving the OU level policy.
Also, double-check that the device/user account has not been moved to another OU.
Jerry
| | | |
| sekinj
Posts:7
 | | 04/02/2010 6:09 PM |
| I ran rsop.msc and that login is definitely receiving the default domain
policy and NOT the OU level policy it is supposed to be getting.
The user has not been moved to another OU. It is in the OU (called
EXCEPTIONS) that I created it in and applied my NOFIREWALL Policy to.
Somehow the Domain policy is still overriding it.
-SG
| | | |
| jeromelcruz
Posts:120
 | | 04/02/2010 6:11 PM |
| What is the exact setting you are configuring?
Jerry
| | | |
| sekinj
Posts:7
 | | 04/02/2010 6:19 PM |
| I covered this in my first email. The windows firewall. I want one user
to have it disabled and the rest to have it enabled.
| | | |
| jeromelcruz
Posts:120
 | | 04/02/2010 6:44 PM |
| << I have created an OU under my domain and put this user in that OU. I then applied a new group policy that disables the windows firewall to that OU. I checked the box to Block Inheritance. It was working fine the day I made it, and anyone logging in with that username had their windows firewall disabled. However, overnight AD decided to help me out, and now suddenly the default domain policy is in effect for that user which has the windows firewall Enabled. I have checked the Default Domain and it DOES NOT have No Override selected. >>
Let me explain. Windows Firewall settings are essentially 'Computer Configuration' settings. As such, targeting an OU only containing a 'user' account will not work because the 'user' account does not process 'computer' policy settings. I know that doesn't explain why it 'appeared' to work at first (perhaps it was set manually to begin with?). However, this does explain why background policy refreshes overnight (or the morning reboot) would have reapplied the Default Domain Policy setting and re-engaged the firewall.
While the OU with the 'user' account in it has Inheritance Blocking turned on, that only blocks GPOs from parent OUs with 'user' settings in them (and by the way, it's not a good idea to block your domain root level Account Policy settings from user account). Anyway, the machine account continues to get the Windows Firewall settings and that is turning it back on.
Possible work-around. If this device can be dedicated to the user in question and if that user only requires use of this one device (doesn't expect to log onto other devices and have the Windows Firewall switched off), then you can move the machine account into that OU and target the GPO at that device to override the setting in the Default Domain Policy (and there's no requirement for blocking policy inheritance).
If you can't dedicate the device to the user (other users log on), then here are the options as I see it:
* Accept the risk of 'no firewall' for this one device.
* Make the user in question an Administrator on the device and provide them a script to disable the firewall on-the-fly (however, that might only work until GPOs refresh and turn it back on... which means re-running the script again). And provide them a script they can run before they logoff to restore the firewall operations. If the user was an admin, you might be able to create a GPO based user logon and user logoff script, but the script would have to have controls to limit use by that user account only and operate only on specific devices.
* Creating some kind of always running application that would monitor for this particular user's logon and which can disable the firewall when they do log on and restore it after they logoff (obviously this is a non-trivial work-around).
There may be other options... (anyone out there have some)?
Jerry
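The work-around described above (put the dedicated machine's account in the OU so the OU-linked GPO wins for computer settings), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy modules are installed; the OU and GPO names come from the thread, while the domain DN and computer name are placeholders.

```powershell
# Added example, not from the thread. Run from an admin workstation with RSAT.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouDn         = 'OU=EXCEPTIONS,DC=example,DC=com'  # OU name from the thread; domain DN is a placeholder
$gpoName      = 'NOFIREWALL'                       # GPO name from the thread
$computerName = 'PC-PLACEHOLDER'                   # placeholder: the machine dedicated to the user

# 1. Windows Firewall settings live in Computer Configuration, so the GPO
#    must not have that half disabled.
$gpo = Get-GPO -Name $gpoName
if ($gpo.GpoStatus -in 'AllSettingsDisabled', 'ComputerSettingsDisabled') {
    throw "GPO '$gpoName' has computer settings disabled (GpoStatus: $($gpo.GpoStatus))."
}

# 2. The GPO must be linked to the OU with the link enabled. Block Inheritance
#    is not needed for the OU-level GPO to win, so flag it if it is still set.
$som  = Get-GPInheritance -Target $ouDn
$link = $som.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName -and $_.Enabled }
if (-not $link) {
    throw "GPO '$gpoName' has no enabled link on $ouDn."
}
if ($som.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on $ouDn; domain-level policy is not reaching objects in it."
}

# 3. Computer policy follows the computer account's location, not the user's.
#    Move the machine account into the OU if it is somewhere else.
$computer = Get-ADComputer -Identity $computerName
$inOu = $computer.DistinguishedName.EndsWith(",$ouDn", [StringComparison]::OrdinalIgnoreCase)
if (-not $inOu) {
    Write-Output "Moving $($computer.DistinguishedName) to $ouDn"
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
}

# 4. Scope check: every computer in this OU gets the firewall exception,
#    so list anything in it other than the intended machine.
$unexpected = Get-ADComputer -SearchBase $ouDn -SearchScope Subtree -Filter * |
    Where-Object { $_.Name -ne $computerName }
if ($unexpected) {
    Write-Warning ("Other computers in the exception OU: " + ($unexpected.Name -join ', '))
}

# 5. On the target machine itself, refresh computer policy and list the
#    computer-scope GPOs that applied; NOFIREWALL should appear there.
if ($env:COMPUTERNAME -eq $computerName) {
    gpupdate /target:computer /force
    gpresult /r /scope computer
}
```

Step 4 is worth rerunning periodically: any machine later dropped into the OU inherits the same firewall exception.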
| | | |
| sekinj
Posts:7
 | | 04/02/2010 6:44 PM |
| Excellent! The good news is that I can dedicate this one user to this
one machine. So I think putting that machine in the OU I made will
work. I will try that and get back to you.
THANK YOU!
| | | |
| sekinj
Posts:7
 | | 04/02/2010 7:03 PM |
| Thanks again Jerome! That worked great!!
| | | |