XP SP2 Firewall selects Standard profile when computer is properly connected to domain network

We are rolling out about 180 new IBM ThinkPad R51 laptops with XP SP2
installed. These are all joining the domain and receiving the Group
Policies correctly. I know this is the case because:

1. the Firewall settings are exactly what is configured in the Group Policy
I have for the SP2 firewall
2. I get Event Log entries saying the attempt to install SP1 (done on all of
our XP computers via Group Policy) fails as expected
3. other things set by Group Policy are set correctly

However, on at least some of them, the SP2 firewall allways (or at least
nearly always) selects the Standard firewall profile. This means that we
can not remotely administer these computers because, via Group Policy, the
Standard firewall profile has no Exceptions. Occasionally, after a restart
(without moving or disconnecting the network cable), the Domain firewall
profile is selected.

Now, according to
http://www.microsoft.com/technet/com...uy/cg0504.mspx, the
firewall feature determines which profile to use (Standard or Domain) based
on the "Connection specific DNS suffix" and what it was set to when the last
Group Policy updates were received.

I've checked (using ipconfig /all) that the computers selecting the Standard
profile have the exactly the same Connection Specific DNS suffix as those
that are consistently selecting the Domain profile.

All of these computers have been restarted several times while being
connected to the network via Ethernet cable.

I've also (while logged on as an administrator) issued the gpupdate command
to force a Group Policy update (after verifying that the Connection Specific
DNS Suffix is correct), then restarted, but the computer still gets the
Standard firewall profile.

I've tried disconnecting then reconnecting the network cable; issuing
ipconfig /release, ipconfig /renew; without any success.

I've disabled the wireless network adapter (there is no wireless network in
the office) - still get the Standard firewall profile.

I did not encounter this issue when beta testing SP2, nor while I was
testing the firewall Group Policy on the 4 Windows XP SP2 (RTM) computers
(domain members - same domain) at my desk. On these computers, the Domain
Firewall Profile is always selected when the computer is connected to the
office network and the Standard profile when it is not - just as advertised.
If I disconnect the netrwok cable, the profile changes to Standard; when I
plug the network cable back in again, the profile changes back to Domain.

So:

1. what diagnostic tools/logs etc. are available to determine why the
Standard profile is selected incorrectly?
2. is there are fix (or workaround) for this problem?

The new computers were "imaged" from the same copy of the system image
(created via Sysprep and Ghost).
--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.

Bruce

I have the same problem. Did you manage to solve it?

Morgan

"Bruce Sanderson" wrote:


We are rolling out about 180 new IBM ThinkPad R51 laptops with XP SP2
installed. These are all joining the domain and receiving the Group
Policies correctly. I know this is the case because:

1. the Firewall settings are exactly what is configured in the Group Policy
I have for the SP2 firewall
2. I get Event Log entries saying the attempt to install SP1 (done on all of
our XP computers via Group Policy) fails as expected
3. other things set by Group Policy are set correctly

However, on at least some of them, the SP2 firewall allways (or at least
nearly always) selects the Standard firewall profile. This means that we
can not remotely administer these computers because, via Group Policy, the
Standard firewall profile has no Exceptions. Occasionally, after a restart
(without moving or disconnecting the network cable), the Domain firewall
profile is selected.

Now, according to
http://www.microsoft.com/technet/com...uy/cg0504.mspx, the
firewall feature determines which profile to use (Standard or Domain) based
on the "Connection specific DNS suffix" and what it was set to when the last
Group Policy updates were received.

I've checked (using ipconfig /all) that the computers selecting the Standard
profile have the exactly the same Connection Specific DNS suffix as those
that are consistently selecting the Domain profile.

All of these computers have been restarted several times while being
connected to the network via Ethernet cable.

I've also (while logged on as an administrator) issued the gpupdate command
to force a Group Policy update (after verifying that the Connection Specific
DNS Suffix is correct), then restarted, but the computer still gets the
Standard firewall profile.

I've tried disconnecting then reconnecting the network cable; issuing
ipconfig /release, ipconfig /renew; without any success.

I've disabled the wireless network adapter (there is no wireless network in
the office) - still get the Standard firewall profile.

I did not encounter this issue when beta testing SP2, nor while I was
testing the firewall Group Policy on the 4 Windows XP SP2 (RTM) computers
(domain members - same domain) at my desk. On these computers, the Domain
Firewall Profile is always selected when the computer is connected to the
office network and the Standard profile when it is not - just as advertised.
If I disconnect the netrwok cable, the profile changes to Standard; when I
plug the network cable back in again, the profile changes back to Domain.

So:

1. what diagnostic tools/logs etc. are available to determine why the
Standard profile is selected incorrectly?
2. is there are fix (or workaround) for this problem?

The new computers were "imaged" from the same copy of the system image
(created via Sysprep and Ghost).
--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.

Nope: still pursueing.

Is this with IBM Thinkpads or other makes and models of computers also? (At
this time, we only have SP2 on the IBM ThinkPad R51s).

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"Morgan Cruse" Morgan wrote in message
...
Bruce

I have the same problem. Did you manage to solve it?

Morgan

"Bruce Sanderson" wrote:


We are rolling out about 180 new IBM ThinkPad R51 laptops with XP SP2
installed. These are all joining the domain and receiving the Group
Policies correctly. I know this is the case because:

1. the Firewall settings are exactly what is configured in the Group
Policy
I have for the SP2 firewall
2. I get Event Log entries saying the attempt to install SP1 (done on all
of
our XP computers via Group Policy) fails as expected
3. other things set by Group Policy are set correctly

However, on at least some of them, the SP2 firewall allways (or at least
nearly always) selects the Standard firewall profile. This means that we
can not remotely administer these computers because, via Group Policy,
the
Standard firewall profile has no Exceptions. Occasionally, after a
restart
(without moving or disconnecting the network cable), the Domain firewall
profile is selected.

Now, according to
http://www.microsoft.com/technet/com...uy/cg0504.mspx,
the
firewall feature determines which profile to use (Standard or Domain)
based
on the "Connection specific DNS suffix" and what it was set to when the
last
Group Policy updates were received.

I've checked (using ipconfig /all) that the computers selecting the
Standard
profile have the exactly the same Connection Specific DNS suffix as those
that are consistently selecting the Domain profile.

All of these computers have been restarted several times while being
connected to the network via Ethernet cable.

I've also (while logged on as an administrator) issued the gpupdate
command
to force a Group Policy update (after verifying that the Connection
Specific
DNS Suffix is correct), then restarted, but the computer still gets the
Standard firewall profile.

I've tried disconnecting then reconnecting the network cable; issuing
ipconfig /release, ipconfig /renew; without any success.

I've disabled the wireless network adapter (there is no wireless network
in
the office) - still get the Standard firewall profile.

I did not encounter this issue when beta testing SP2, nor while I was
testing the firewall Group Policy on the 4 Windows XP SP2 (RTM) computers
(domain members - same domain) at my desk. On these computers, the
Domain
Firewall Profile is always selected when the computer is connected to the
office network and the Standard profile when it is not - just as
advertised.
If I disconnect the netrwok cable, the profile changes to Standard; when
I
plug the network cable back in again, the profile changes back to Domain.

So:

1. what diagnostic tools/logs etc. are available to determine why the
Standard profile is selected incorrectly?
2. is there are fix (or workaround) for this problem?

The new computers were "imaged" from the same copy of the system image
(created via Sysprep and Ghost).
--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.

No, it's another make: a local manufacturer using standard parts.

However, I haven't observed the problem in a while now.

"Bruce Sanderson" wrote:

Nope: still pursueing.

Is this with IBM Thinkpads or other makes and models of computers also? (At
this time, we only have SP2 on the IBM ThinkPad R51s).

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"Morgan Cruse" Morgan wrote in message
...
Bruce

I have the same problem. Did you manage to solve it?

Morgan

"Bruce Sanderson" wrote:


We are rolling out about 180 new IBM ThinkPad R51 laptops with XP SP2
installed. These are all joining the domain and receiving the Group
Policies correctly. I know this is the case because:

1. the Firewall settings are exactly what is configured in the Group
Policy
I have for the SP2 firewall
2. I get Event Log entries saying the attempt to install SP1 (done on all
of
our XP computers via Group Policy) fails as expected
3. other things set by Group Policy are set correctly

However, on at least some of them, the SP2 firewall allways (or at least
nearly always) selects the Standard firewall profile. This means that we
can not remotely administer these computers because, via Group Policy,
the
Standard firewall profile has no Exceptions. Occasionally, after a
restart
(without moving or disconnecting the network cable), the Domain firewall
profile is selected.

Now, according to
http://www.microsoft.com/technet/com...uy/cg0504.mspx,
the
firewall feature determines which profile to use (Standard or Domain)
based
on the "Connection specific DNS suffix" and what it was set to when the
last
Group Policy updates were received.

I've checked (using ipconfig /all) that the computers selecting the
Standard
profile have the exactly the same Connection Specific DNS suffix as those
that are consistently selecting the Domain profile.

All of these computers have been restarted several times while being
connected to the network via Ethernet cable.

I've also (while logged on as an administrator) issued the gpupdate
command
to force a Group Policy update (after verifying that the Connection
Specific
DNS Suffix is correct), then restarted, but the computer still gets the
Standard firewall profile.

I've tried disconnecting then reconnecting the network cable; issuing
ipconfig /release, ipconfig /renew; without any success.

I've disabled the wireless network adapter (there is no wireless network
in
the office) - still get the Standard firewall profile.

I did not encounter this issue when beta testing SP2, nor while I was
testing the firewall Group Policy on the 4 Windows XP SP2 (RTM) computers
(domain members - same domain) at my desk. On these computers, the
Domain
Firewall Profile is always selected when the computer is connected to the
office network and the Standard profile when it is not - just as
advertised.
If I disconnect the netrwok cable, the profile changes to Standard; when
I
plug the network cable back in again, the profile changes back to Domain.

So:

1. what diagnostic tools/logs etc. are available to determine why the
Standard profile is selected incorrectly?
2. is there are fix (or workaround) for this problem?

The new computers were "imaged" from the same copy of the system image
(created via Sysprep and Ghost).
--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.