Disable/Amend XP Firewall using W2K DC Active Directory

Status
Not open for further replies.

Bigtm

IS-IT--Management
Nov 2, 2006
Hello, I need to temporarily disable the built-in Firewall on all my XP workstations (500) in order to remotely install the latest version of Sophos AV on all domain PCs. Ideally, instead of disabling it, I would like to open certain ports to facilitate the update from the comfort of my desk. At present our AD is running on a W2K DC.

If I download the latest ADMs from Microsoft, will they include settings for the XP firewall?

Any suggestions as to the best way to tackle this would be most appreciated.

Many Thanks,
BigTM.
 
Thanks for the reply. Can I take ADMs from an XP workstation and import them to a W2K server? I want to use Active Directory to open the ports or, worst case, disable the firewall.

BigTM.
 
If you run the admintools on an XP SP2 workstation then the ADM will be replicated to the DC, or you can copy it to the inf folder on the 2K DC.
Remember to read the link I posted, as there is a hotfix that you need to apply to 2K machines or you get loads of error messages (nothing serious, it just can't read all of the formatting).
 
Thank you again. I assume I need to run the W2K hotfix on all 3 DCs on the domain? Once the hotfix is applied, could I just copy the XP SP2 ADM files on to the DC? Is it that simple, or should I update the DC from an XP workstation? Could you elaborate on the Admin tools to be used on the XP workstation to replicate the ADMs to the DCs?

Thanks for all the help.

BigTM.
 
Yes, run the fix on the DCs.

Once it's applied you can copy the file, but back up the old system.adm first, then:

To upgrade the system.adm file on the Windows 2000 server where the new GPO is being created for Windows XP clients, follow these steps.

1. On the Windows 2000 server where the new GPO will be created for Windows XP clients, browse to a Windows XP client’s c$ shared directory and navigate to the %systemroot%\INF folder.

2. Within the INF folder currently opened, select and copy the system.adm file.

3. Open the %systemroot%\INF folder on the server you are working from and paste the system.adm file into the root of the local INF folder.

4. In the Confirm Replace File dialog box, click YES.

5. Close all open dialog boxes.



 
This is a great help. I'll give it a shot this week.

BigTM.
 
Sorry, I just had a thought. If I replace the System.adm file on the DCs, what will that do to the existing GPOs on the domain? I assume all settings are identical and new entries were added as newer OSs appeared on the market.

In other words, will the GPOs already active on the W2K server DCs continue to serve users, or will I need to start again once the newer system.ini is copied into the inf folder on the DCs?

Many Thanks,
BigTM.
 
The newer system.adm has an increased set of features, but all of the previous settings should exist, so it won't affect your old GPOs. I think they're then updated next time you open one to alter it; I've never had any problems with this.
 
You surely can use the Windows Firewall security policy located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall within the Administrative Template, as noted above. But with your task, when you just need to set a rule to temporarily disable Windows Firewall on client computers and propagate these settings to all your computers within the domain, I guess the best way would be to use management tools. For example, in Desktop Authority, which we use here as our base management tool, it can be done almost in a second. I just set the startup mode of Windows Firewall to disabled, save the settings and propagate them to all affected computers. It's very effective when working with temporary tasks because I can apply changes immediately and set them to revert on user log-off or when they next log on to the domain. It surely also supports administrative templates, so it's possible to combine the effect.
 
I think Bigtm was trying to open ports on the stations rather than disable the service; as their .adm was an old version, the option wasn't available in the policy.
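
A pre-flight check for the system.adm swap discussed in this thread, as an added example that is not part of any poster's reply: it confirms that the template taken from the XP SP2 client actually carries Windows Firewall policy keys before it replaces the DC's copy, and it keeps a backup of the old file. The function names, the backup name `system.adm.bak` and the sample fragments are assumptions constructed for illustration; `KEYNAME` is the ADM keyword and `SOFTWARE\Policies\Microsoft\WindowsFirewall` is the registry path the XP SP2 firewall policies write to.

```python
import re
import shutil
from pathlib import Path

# Registry root used by the XP SP2 Windows Firewall policy settings.
FW_POLICY_ROOT = r"software\policies\microsoft\windowsfirewall"
KEYNAME_RE = re.compile(r'^\s*KEYNAME\s+"?([^"\r\n]+)"?', re.IGNORECASE | re.MULTILINE)


def decode_adm(raw: bytes) -> str:
    """ADM templates are plain text: UTF-16 with a BOM, or ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def firewall_keys(raw: bytes) -> list:
    """Return the distinct KEYNAME paths under the Windows Firewall policy root."""
    keys = {m.group(1).strip() for m in KEYNAME_RE.finditer(decode_adm(raw))}
    return sorted(k for k in keys if k.lower().startswith(FW_POLICY_ROOT))


def replace_adm(new_adm: Path, dc_inf_dir: Path) -> Path:
    """Back up the DC's system.adm, then install new_adm. Refuses a template
    that has no Windows Firewall settings. Returns the backup path."""
    if not firewall_keys(new_adm.read_bytes()):
        raise ValueError(f"{new_adm} has no Windows Firewall policy keys")
    target = dc_inf_dir / "system.adm"
    backup = dc_inf_dir / "system.adm.bak"  # assumed backup name
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; move it first")
    shutil.copy2(target, backup)  # keep the old template before overwriting
    shutil.copy2(new_adm, target)
    return backup


# Constructed fragments for the demo, not real system.adm content.
OLD_ADM = (b'CLASS MACHINE\r\nCATEGORY !!Network\r\n'
           b'KEYNAME "Software\\Policies\\Microsoft\\Windows\\Network Connections"\r\n'
           b'END CATEGORY\r\n')
NEW_ADM = (
    'CLASS MACHINE\r\nCATEGORY !!WF_Category\r\n'
    'KEYNAME "SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile"\r\n'
    'KEYNAME "SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile"\r\n'
    'END CATEGORY\r\n'
).encode("utf-16")  # UTF-16 with BOM

if __name__ == "__main__":
    print("old template:", firewall_keys(OLD_ADM))
    print("new template:", firewall_keys(NEW_ADM))
```

Run `replace_adm` once per DC, pointing `dc_inf_dir` at that server's `%systemroot%\INF` folder.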
 