GPO not taking effect

[itchibahn]

I've inherited a network running WinSvr 2003 R2 Standard SP2 with several XP Pro SP2 machines.

I been trying to use the VNC to connect to workstations from the server, but it won't connect. So I added exception at local computer firewall setting, but noticed the workstations firewall are disabled and controlled by Group Policy.

So I configured the default domain policy from the server to allow a VNC port, then forced it to take effect, but it doesn't seem to work:

Group Policy Object Editor -> Default Domain Controller Policy -> Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile, then enabled "Windows Firewall: Allow Local Port Exceptions" and "Windows Firewall: Define Port Exceptions" with "5500:TCP:*:enabled:VNC"

I'm somewhat new to GPO, help would be greatly appreciated...

 

[Roadki11]

Not sure what flavor of VNC you are using but the ones I have used use TCP ports 5900 when using the client and 5800 when using a browser by default.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[itchibahn]

Yes, that's the default settings, but I deter from defaults to avoid exploitation. But resetting to default is not helping in my situation.

I've wiped and reinstalled OS on one of the workstation, and everything works on it even without the GPO. But don't want to do that to remaining 18 workstations.

 

[TheRogueWolf]

If you run 'gpresult' from a command prompt on one of the clients does it show the default domain policy applying to that machine?

 

[itchibahn]

Yes, seems default is being applied:

COMPUTER SETTINGS
------------------
CN=OP01,CN=Computers,DC=cfd,DC=local
Last time Group Policy was applied: 7/26/2010 at 4:33:27 PM
Group Policy was applied from: server.cfd.local
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy
WSUS
Firewall-Disable

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
OP01$
Domain Computers


USER SETTINGS
--------------
CN=user,CN=Users,DC=cfd,DC=local
Last time Group Policy was applied: 7/26/2010 at 4:48:05 PM
Group Policy was applied from: server.cfd.local
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
WSUS
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

Firewall-Disable
Filtering: Not Applied (Empty)

 

[itchibahn]

Thanks for the link, unfortunately, using it's instructions, I'm getting "RPC Server is unavailable" no matter which machine or user. For now, I'm getting the gpupdate info from each workstations and seems they all are getting GP updated.

Funny thing is, I disable all GPO from the server, and the still can't connect. I've verified the gpupdate that no GPO were being loaded on the workstation. This is driving nuts. Perhaps registry corruption or some sort...

Since one of the workstation that has been wiped and reinstalled OS, works fine, I guess, I'm gonna have to wipe&reinstall one workstation at a time...