Group Policy and Remote Assistant

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

We want to enable Remote Assistant on our XP machines, but don't want to
over-write existing local firewall settings, just add to them to allow
remote assistance. We tried to set a group policy domain wide to allow
remote assistant and it worked, but also over-wrote all local settings for
the firewall, which means no additions can be made by the user. Since we
have people that require different firewall ports because of specific
applications, we just want to add the port locally. Any ideas of how to do
this other than selecting all of the ports on campus required and putting it
into a group policy? Note: We just want to add to the local firewall
settings so none are over-written.
 
Guest

In your GPO, set:

Computer Configuration
  Administrative Templates
    Network
      Network Connections
        Windows Firewall
          [Domain|Standard] Profile
            Windows Firewall: Allow local program exceptions: Enabled
            Windows Firewall: Allow local port exceptions: Enabled

Any locally set exceptions will then stay in place and be honoured.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Mark B." <katzsteel@hotmail.com> wrote in message
news:eSNMkx7DFHA.2756@TK2MSFTNGP15.phx.gbl...
> We want to enable Remote Assistant on our XP machines, but don't want to
> over-write existing local firewall settings, just add to them to allow
> remote assistance. We tried to set a group policy domain wide to allow
> remote assistant and it worked, but also over-wrote all local settings for
> the firewall, which means no additions can be made by the user. Since we
> have people that require different firewall ports because of specific
> applications, we just want to add the port locally. Any ideas of how to
> do this other than selecting all of the ports on campus required and
> putting it into a group policy? Note: We just want to add to the local
> firewall settings so none are over-written.
>
 
Guest

I have not messed that much with the Group Policy Firewall settings but take
a look at the "Allow local port exceptions" to see if that will do what you
want. I don't know if it will initially override the local defined settings
and then allow users to make exceptions or preserve existing settings. It
would be easy enough to test out. Another possibility is a Group Policy
"startup" script that uses the netsh command to modify the port list such as
the add port option. The links below explain more. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngwfw.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apb.mspx#EFAA
http://www.jsiinc.com/SUBP/tip7900/rh7908.htm

"Mark B." <katzsteel@hotmail.com> wrote in message
news:eSNMkx7DFHA.2756@TK2MSFTNGP15.phx.gbl...
> We want to enable Remote Assistant on our XP machines, but don't want to
> over-write existing local firewall settings, just add to them to allow
> remote assistance. We tried to set a group policy domain wide to allow
> remote assistant and it worked, but also over-wrote all local settings for
> the firewall, which means no additions can be made by the user. Since we
> have people that require different firewall ports because of specific
> applications, we just want to add the port locally. Any ideas of how to
> do this other than selecting all of the ports on campus required and
> putting it into a group policy? Note: We just want to add to the local
> firewall settings so none are over-written.
>
 
Guest

Hi Mark,

Thanks for Steven's suggestions.

You may also check the following registry key directly.

The domain applied ports are applied here:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

For example, if we want to open port TCP 3389, a line will be:

"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

You may configure it on a machine and check it in the registry for
whatever you want to apply.

Export that registry file and remove all the other lines related to other
ports.

Just leave the port you want to deploy.

Add a line like the one below to the machine logon script.

regedit -s \\server\share\Enable_TCP_3389.reg

HTH.

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2k/2k3, MCSA 2k/2k3, MCDBA
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
>From: "Mark B." <katzsteel@hotmail.com>
>Subject: Group Policy and Remote Assistant
>Date: Thu, 10 Feb 2005 16:03:43 -0600
>microsoft.public.win2000.group_policy
>
>We want to enable Remote Assistant on our XP machines, but don't want to
>over-write existing local firewall settings, just add to them to allow
>remote assistance. We tried to set a group policy domain wide to allow
>remote assistant and it worked, but also over-wrote all local settings for
>the firewall, which means no additions can be made by the user. Since we
>have people that require different firewall ports because of specific
>applications, we just want to add the port locally. Any ideas of how to do
>this other than selecting all of the ports on campus required and putting it
>into a group policy? Note: We just want to add to the local firewall
>settings so none are over-written.
>
>
>
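
The export-and-trim step from the last reply, as an added example that is not part of the original posts: it keeps only one port entry from an exported GloballyOpenPorts list and reports whether that entry is open to any source address (scope `*`). The function names and the 8080 and 5000 sample entries are constructed for illustration; the value layout is assumed to be port:protocol:scope:mode:name, as in the 3389 line quoted in the thread.

```python
import re

# Constructed sample of a regedit export; only the 3389 value comes from the thread.
# Real regedit exports are UTF-16, so read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"8080:TCP"="8080:TCP:LocalSubNet:Enabled:Constructed app port"
"5000:UDP"="5000:UDP:*:Disabled:Constructed disabled port"
'''

# Matches one "name"="data" value line of the export.
ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$')

def parse_entry(data):
    """Split 'port:protocol:scope:mode:name' into its fields."""
    port, proto, scope, mode, text = data.split(":", 4)
    return {"port": int(port), "protocol": proto, "scope": scope,
            "enabled": mode.lower() == "enabled", "text": text}

def trim_export(reg_text, port, protocol):
    """Return (.reg text with only the wanted port entry, parsed entry)."""
    wanted = f"{port}:{protocol}".upper()
    out, kept = [], None
    for line in reg_text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            out.append(line)              # header, blank line or [key] line
        elif m.group("name").upper() == wanted:
            out.append(line)              # the one entry to deploy
            kept = parse_entry(m.group("data"))
    if kept is None:
        raise KeyError(f"{wanted} not found in export")
    return "\n".join(out) + "\n", kept

def open_to_any_source(entry):
    """True when an enabled entry accepts traffic from every address (scope '*')."""
    return entry["enabled"] and entry["scope"] == "*"

if __name__ == "__main__":
    trimmed, entry = trim_export(SAMPLE_EXPORT, 3389, "TCP")
    print(trimmed)
    if open_to_any_source(entry):
        print("Note: this entry is open to any source; consider LocalSubNet.")
```

Reviewing the scope field before deploying the trimmed file matters because the logon script applies the same entry to every machine that runs it.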