XP SP2 - Firewall group policy settings ignored


Mike P.
December 10th 04, 10:25 AM
I am trying to configure the firewall on an XP SP2 box via domain group
policy, but the workstation stoutly ignores the domain GP firewall settings.
The settings are transferred to the workstation registry OK, but the
workstation ignores them and uses its own local default settings. When I
look at the firewall settings, it says "Windows Firewall is using your
non-domain settings". The settings the firewall is using are in a different
part of the registry to the domain settings.

Group policy keys (ignored)
HKLM\Software\Policies\Microsoft\WindowsFirewall

Local firewall settings (used)
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

What is going on? Is there a group policy instruction to switch that I have
missed out?

Torgeir Bakken (MVP)
December 10th 04, 11:55 AM
Mike P. wrote:

> I am trying to configure the firewall on an XP SP2 box via domain group
> policy, but the workstation stoutly ignores the domain GP firewall settings.
> The settings are transferred to the workstation registry OK, but the
> workstation ignores them and uses its own local default settings. When I
> look at the firewall settings, it says "Windows Firewall is using your
> non-domain settings". The settings the firewall is using are in a different
> part of the registry to the domain settings.
>
> Group policy keys (ignored)
> HKLM\Software\Policies\Microsoft\WindowsFirewall
>
> Local firewall settings (used)
> HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
>
> What is going on? Is there a group policy instruction to switch that I have
> missed out?
Hi

Most likely because the last-received Group Policy update DNS name
does not match any of the connection-specific DNS suffixes of the
currently connected connections on the computer. In this case, the
non-domain settings will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

- If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the domain profile.

- If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the standard profile.


You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the article for more about this.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

minerat@gmail.com
January 21st 05, 08:38 PM
I've run into a situation where the NetworkName key was blank. This is
on a computer that is a domain member with DHCP option specified.
Identical machines have this value filled in, but for some reason this
machine did not. Manually updating the key and rebooting fixed the
issue, but any idea what would cause a blank entry?
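
The comparison described in Torgeir Bakken's reply, including the blank NetworkName case from the last post, as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell is installed on the workstation (it is not part of XP SP2 by default); the function names are hypothetical, and PPP/SLIP connections are not filtered out.

```powershell
# Added example: compare the Group Policy NetworkName value with the
# connection-specific DNS suffix of every IP-enabled adapter.
# Limitation: PPP/SLIP connections are not excluded; disregard those rows.

$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'

function Get-GpNetworkName {
    # Returns the NetworkName value, or an empty string if it is blank or missing.
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.NetworkName) { return ([string]$item.NetworkName).Trim() }
    return ''
}

function Test-SuffixMatch([string]$Suffix, [string]$NetworkName) {
    # A blank value on either side can never select the domain profile.
    if (-not $Suffix -or -not $NetworkName) { return $false }
    return $Suffix.Trim() -eq $NetworkName   # -eq ignores case for strings
}

$networkName = Get-GpNetworkName
if (-not $networkName) {
    Write-Warning 'NetworkName is blank or missing; no DNS suffix can match it.'
}

# DNSDomain is the value ipconfig shows as "Connection-specific DNS Suffix".
$rows = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description,
        @{ Name = 'DnsSuffix';   Expression = { $_.DNSDomain } },
        @{ Name = 'NetworkName'; Expression = { $networkName } },
        @{ Name = 'Match';       Expression = { Test-SuffixMatch $_.DNSDomain $networkName } })

$rows | Format-Table -AutoSize

if ($rows | Where-Object { $_.Match }) {
    'Expected Windows Firewall profile: domain'
} else {
    'Expected Windows Firewall profile: standard (non-domain settings)'
}
```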
