Firewall Mysteriously Turning On After Enabling DHCP - XP SP3

When trying to change corporate PCs from static assignments to DHCP, I
am getting all sorts of results (I inherited this situation). The
oddest and most frequent one I am running into is that the firewall is
turning on -- not good.

The PCs do not have admin rights, and many a GPO is applied (I can not
find anything in the policies that would cause this)


Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set address
name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns name=
\"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Rico wrote:
When trying to change corporate PCs from static assignments to DHCP, I
am getting all sorts of results (I inherited this situation). The
oddest and most frequent one I am running into is that the firewall is
turning on -- not good.

I must beg to differ there. You should have the firewall enabled on your
clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can not
find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set address
name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Rico wrote:
When trying to change corporate PCs from static assignments to DHCP, I
am getting all sorts of results (I inherited this situation). The
oddest and most frequent one I am running into is that the firewall is
turning on -- not good.

I must beg to differ there. You should have the firewall enabled on your
clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can not
find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set address
name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Yes. Only thing I see relevant is that we have disabled user access to
network settings and firewall disabled.

After turning on DHCP, the firewall enables itself. Note that by doing
this, GP is not updated anyway.

If we rebooted (or anything that would do a GPupdate) I'm certain that the
firewall would turn off, as GP forces that. Problem is, the next command I
want to run is setting DNS remotely, which I can't do once the FW
mysteriously turns itself on. BTW, and as USUAL, I can not find anything in
the event log pertinent.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to DHCP, I
am getting all sorts of results (I inherited this situation). The
oddest and most frequent one I am running into is that the firewall is
turning on -- not good.

I must beg to differ there. You should have the firewall enabled on your
clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can not
find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set address
name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Yes. Only thing I see relevant is that we have disabled user access to
network settings and firewall disabled.

After turning on DHCP, the firewall enables itself. Note that by doing
this, GP is not updated anyway.

If we rebooted (or anything that would do a GPupdate) I'm certain that the
firewall would turn off, as GP forces that. Problem is, the next command I
want to run is setting DNS remotely, which I can't do once the FW
mysteriously turns itself on. BTW, and as USUAL, I can not find anything in
the event log pertinent.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to DHCP, I
am getting all sorts of results (I inherited this situation). The
oddest and most frequent one I am running into is that the firewall is
turning on -- not good.

I must beg to differ there. You should have the firewall enabled on your
clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can not
find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set address
name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is, the
next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need to do
this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is, the
next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need to do
this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Really don't expect much with questions being asked/answered. (Especially
since I'm trying to avoid re-writing War And Peace. Nobody wants to see the
level of detail I've spent on this.) Was hoping that somebody ran into this
themselves -- and corrected it.

Thanks for your stab at it.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is, the
next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need to do
this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Really don't expect much with questions being asked/answered. (Especially
since I'm trying to avoid re-writing War And Peace. Nobody wants to see the
level of detail I've spent on this.) Was hoping that somebody ran into this
themselves -- and corrected it.

Thanks for your stab at it.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is, the
next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need to do
this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I have
tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Rico wrote:
Really don't expect much with questions being asked/answered.
(Especially since I'm trying to avoid re-writing War And Peace.
Nobody wants to see the level of detail I've spent on this.) Was
hoping that somebody ran into this themselves -- and corrected it.

Thanks for your stab at it.

Sure. Sorry I wasn't more help. I leave the firewall enabled in all my
networks, and I always set up the clients to use DHCP, so I haven't run into
this personally. Good luck.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is,
the next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group
policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need
to do this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I
have tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Rico wrote:
Really don't expect much with questions being asked/answered.
(Especially since I'm trying to avoid re-writing War And Peace.
Nobody wants to see the level of detail I've spent on this.) Was
hoping that somebody ran into this themselves -- and corrected it.

Thanks for your stab at it.

Sure. Sorry I wasn't more help. I leave the firewall enabled in all my
networks, and I always set up the clients to use DHCP, so I haven't run into
this personally. Good luck.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is,
the next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group
policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need
to do this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I
have tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Remember that I inherited this ... trying to get best - or better -
practice implemented.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Really don't expect much with questions being asked/answered.
(Especially since I'm trying to avoid re-writing War And Peace.
Nobody wants to see the level of detail I've spent on this.) Was
hoping that somebody ran into this themselves -- and corrected it.

Thanks for your stab at it.

Sure. Sorry I wasn't more help. I leave the firewall enabled in all my
networks, and I always set up the clients to use DHCP, so I haven't run into
this personally. Good luck.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is,
the next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group
policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need
to do this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I
have tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?

Remember that I inherited this ... trying to get best - or better -
practice implemented.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Really don't expect much with questions being asked/answered.
(Especially since I'm trying to avoid re-writing War And Peace.
Nobody wants to see the level of detail I've spent on this.) Was
hoping that somebody ran into this themselves -- and corrected it.

Thanks for your stab at it.

Sure. Sorry I wasn't more help. I leave the firewall enabled in all my
networks, and I always set up the clients to use DHCP, so I haven't run into
this personally. Good luck.

"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
Yes. Only thing I see relevant is that we have disabled user access
to network settings and firewall disabled.

No user has access to that by default.

After turning on DHCP, the firewall enables itself. Note that by
doing this, GP is not updated anyway.

I don't follow, sorry -

If we rebooted (or anything that would do a GPupdate) I'm certain
that the firewall would turn off, as GP forces that. Problem is,
the next command I want to run is setting DNS remotely,

Isn't your DHCP setting doing that (as per the psexec command)?

which I can't do
once the FW mysteriously turns itself on.

Sure you can. You can manage your firewall exceptions via group
policy.

BTW, and as USUAL, I can
not find anything in the event log pertinent.

I'm sorry I have no more suggestions. How many machines do you need
to do this on?


"Lanwench [MVP - Exchange]" wrote:

Rico wrote:
When trying to change corporate PCs from static assignments to
DHCP, I am getting all sorts of results (I inherited this
situation). The oddest and most frequent one I am running into is
that the firewall is turning on -- not good.

I must beg to differ there. You should have the firewall enabled on
your clients. Set exceptions via group policy.

The PCs do not have admin rights, and many a GPO is applied (I can
not find anything in the policies that would cause this)
Since PCs do not have admin rights, here are the two methods I
have tried to change IP from static to DHCP (inc. DNS server
assignments):


Method 1 -- PSEXEC
psexec \\PCNAME -s netsh interface ip set address name="Local Area
Connection" source=dhcp
psexec \\PCNAME -s netsh interface ip set dns name="Local Area
Connection" source=dhcp
--note: a "psexec \\rad03 -s netsh firewall set opmode disable"
issued prior to does not help


Method 2 -- For Giggles, Remote Control & RUNAS
Dameware to PC, then:
runas /env /user:administrator@domain "netsh interface ip set
address name=\"Local Area Connection\" source=dhcp"
runas /env /user:administrator@domain "netsh interface ip set dns
name= \"Local Area Connection\" source=dhcp"


I've tried various VB scripts also -- to no avail.


Summary, the DHCP command typically "takes" and the PC will get an
assignment from DHCP -- BUT the firewall will turn on.


This is driving me insane. Chicken dinner to the winner.


Thanks.

Did you try running an rsop.msc on an affected client?