Port 445 blocked by Group Policy

group-policywindows-server-2008-r2

I have managed to block port 445 in the windows firewall using Group Policy, now the server that has this GPO applied is unable to read further GPO updates from the domain controller.

Is there any way to fix this short of dropping it from the domain, fixing it, then adding it back to the domain? Or would that even work?

Best Answer

As with many Group Policies, the setting are stored in a Policies key in the registry. The Windows Firewall machine policy key is located at: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

If you delete this key the "old" GP firewall settings are gone. If you restart the machine, it should able to pull down a fresh copy of your firewall GPO.

Related Solutions

Active Directory Group Policy Security Groups Differ From User’s Groups

Have you checked your eventvwr logs? Do you have other Domain Controllers (DCs) in this domain? Which one is the Global Catalog (GC) FSMO? Try running

dcdiag.exe

and check the output for problems, especially with the SYSVOL and/or replication with other DCs.

THIS CAN BE DANGEROUS: If this is not the only DC in the directory, and the event logs don't reveal anything, try making a copy of the sysvol\domain\policies and place it elsewhere on the hard drive of the server. Make sure you do this during off hours and make sure you perform a complete AD backup using:

ntbackup.exe backup systemstate /J "pre-delete-ad-backup" /F "c:\adbackups\ForestBackup.bkf" /V:yes /M normal

Copy the ForestBackup.bkf off of the server after the backup is complete.

After you create the backup and copy it elsewhere, delete the sysvol\domain\policies directory. Then force a replication with another DC in the Directory using replmon.exe

Check the FRS eventlog and see if you get messages about a successful sysvol replication. Keep in mind that until Sysvol is restored in complete, your server will not be able act as a DC, so make sure that another DC is available to your clients...

Windows Server 2003 – Diagnosing Inaccessible Group Policy Object

The permission on the Group Policy Container (the GPC, an Active Directory object) has been set to deny your read-level permission. The permissions on the filesystem object you've found (the "Group Policy Template", or GPT) can "come out of sync" with the permissions on the Active Directory object. (For some background, have a look at http://msdn.microsoft.com/en-us/library/aa374180(VS.85).aspx).

Fortunately, you can use a tool like ADSIEDIT to restore the permission on the GPC. Using ADSIEDIT you'll find a "groupPolicyContainer" corresponding to the GUID of the problematic GPO under the "CN=Policies" object of the "CN=System" object in the Domain NC of the domain the GPO resides in. (Install ADSIEDIT from the Support Tools on the Windows Server media, open it, drill into "Domain", then "CN=System" and "CN=Policies" and you'll find the GPC).

Using the "Security" tab of the "Properties" sheet for the GPC corresponding to the problematic GPO and use the "Default" button in the "Advanced" dialog to restore the default permissions.

If ADSIEDIT won't allow you to modify the permissions (probably displaying an oddball error message like "An invalid directory pathname was passed"), then likely someone placed a "Deny / Full Control" permission onto the object. The dsacls command with the arguments CN=GUID-OF-THE-PROBLEMATIC-GPO,CN=Policies,CN=System,DC=your,DC=domain,DC=com will report the permissions. Search for the errant "Deny" and "FULL CONTROL" entry and use the /R user-or-group-namme parameter on dsacls to remove the permissions associated with that user or group. If it's really messed up then you'll probably have to use the Windows Server 2008 ADAM / AD LDS version of dscals with the /takeownership argument to take ownership of the object).

Best Answer

Related Solutions

Active Directory Group Policy Security Groups Differ From User’s Groups

Windows Server 2003 – Diagnosing Inaccessible Group Policy Object

Related Topic