Group Policies and groups are two completely different things.
And yes, I know the names are misleading.
A Group Policy Object is a set of policies linked to one or more Organizational Units in Active Directory; they will affect all computers and/or users in that container and below (there are exceptions, but this is the core concept).
A group is, just like the name implies, a collection of users, computers or other groups; it can be located anywhere in AD, and its members also can be located anywhere. It's mainly used for security, because assigning permissions to a group is a lot easier than doing the same for each individual user (but it can also act as a mail distribution list where Exchange is in use).
To manage Group Policies, you use the Group Policy Management Console.
To manage groups (or users, or computers, or Active Directory in general) you use Active Directory Users and Computers.
If you need to check who is a member of a given group, ADUC is the right tool to use; GPMC will not tell you anything about that, because it's not its job.
ADUC is always present on Domain Controllers, and can be installed on Windows Server systems as a feature (part of AD DS Tools).
If you want to use it on a client system, you'll need to install Remote Server Administration Tools.
Addendum: the net group command applies to groups, which as I said above are different from GPOs. It doesn't make any sense to run net group my_gpo.
What can be done to properly re-enable the Windows firewall on a domain?
Well, the short answer is that it's going to be a lot of work if you decide to forge ahead, and for the record, I'm not sure I would.
In the general case, client firewalls don't provide much security in a corporate network (which typically has hardware firewalls and controls this type of thing at the edge), and malware authors these days are smart enough to use port 80 for their traffic, because virtually no one blocks that port, so you get a lot of effort putting something in place to provide limited security benefit.
Having said that, the long answer is:
- Inventory applications and their connectivity needs as best you can.
- If you can safely enable the Windows Firewall with an allow all rule and set logging, this will be a treasure trove of data for determining what apps you have that need firewall exclusions.
- If you can't collect logging data non-intrusively, you'll have to make do with a simple inventory, or do your logging on users who can handle disruption and intrusive IT activity (like yourself and other techs, for example).
- Think about your troubleshooting needs.
- There are things that probably won't come up in a software audit that you need to think about. For example:
- You might want to allow ICMP (or ICMP from approved address spaces) to make troubleshooting and IP address management not horrible.
- Likewise, exclusions for any remote management applications you guys use.
- You'll also probably want to set firewall logging by policy.
- Create a baseline GPO and deploy it to a test group, or multiple test groups.
- While you can't just do it and let the helpdesk sort it out for everyone, management is going to be a lot more open to piloting the changes with a select group of hand-picked employees, especially if they think there's a valid security concern.
- Pick your test group carefully. It might be wise to use IT folk first, then widen the group to include people from other departments.
- Obviously, monitor your test group and stay in constant communication with them to quickly resolve issues you didn't catch the first time around.
- Roll out the change slowly, and in stages.
- Once you've tested it to your satisfaction, you should still exercise caution, and not just push it out to the whole domain at once. Roll it out to smaller groups, which you'll have to define according to your organization's structure and needs.
- Make sure you have something in place to handle future changes.
- Just making it work for what you have in your environment now isn't going to be enough, because you will end up with new applications on your domain, and you'll have to make sure the firewall policy is updated to accommodate them, or someone above you will decide the firewall is more trouble than it's worth and will have the policy removed, eliminating all the work you've put into it so far.
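The "allow all plus logging" inventory step and the ICMP exclusion from the answer above, as an added PowerShell example that is not from the original post: it puts a pilot GPO's domain profile into allow-and-log mode, then summarizes a constructed pfirewall.log by destination port so each line becomes a candidate exclusion rule. The GPO name contoso.com\Firewall Baseline, the 10.0.0.0/8 management range and the default log path are assumptions.

```powershell
# Added example (not from the original answers). Assumes a GPO named
# "Firewall Baseline" in the contoso.com domain (placeholder) and the
# default pfirewall.log location; run from an elevated prompt with RSAT.
function Enable-AuditModeFirewall {
    param([string]$PolicyStore = 'contoso.com\Firewall Baseline')
    # Firewall on, everything inbound allowed for now, and both allowed and
    # blocked connections logged: the "allow all plus logging" inventory step.
    Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain `
        -Enabled True -DefaultInboundAction Allow `
        -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767 `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
    # ICMP echo from the management range (assumed 10.0.0.0/8) so
    # troubleshooting keeps working while the pilot runs.
    New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName 'Allow ICMPv4 echo (mgmt)' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress 10.0.0.0/8 -Action Allow -Profile Domain
}
# Summarize inbound connections from pfirewall.log (W3C format). Field order:
# date time action protocol src-ip dst-ip src-port dst-port size ... info path
function Get-InboundPortSummary {
    param([string[]]$LogLines)
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Action = $f[2]; Protocol = $f[3]; Source = $f[4]
                DstPort = $f[7]; Path = $f[16]
            }
        } |
        Where-Object { $_.Path -eq 'RECEIVE' } |
        Group-Object Protocol, DstPort |
        ForEach-Object {
            [pscustomobject]@{
                Candidate = $_.Name; Hits = $_.Count
                Sources   = ($_.Group.Source | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Hits -Descending
}
# Constructed sample log lines (not real traffic).
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:00:01 ALLOW TCP 10.1.2.3 10.1.5.20 51000 445 0 - 0 0 0 - - - RECEIVE
2024-01-15 09:00:02 ALLOW TCP 10.1.2.4 10.1.5.20 51001 445 0 - 0 0 0 - - - RECEIVE
2024-01-15 09:00:03 ALLOW TCP 10.1.9.9 10.1.5.20 51002 3389 0 - 0 0 0 - - - RECEIVE
2024-01-15 09:00:04 ALLOW TCP 10.1.5.20 10.1.0.1 51003 80 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"
Get-InboundPortSummary -LogLines $sample | Format-Table -AutoSize
```

The script only runs the log summary; Enable-AuditModeFirewall is defined but not invoked, so call it yourself against the pilot GPO once you have picked the policy store.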
Best Answer
Have you run the Resultant Set of Policy tool? At a command prompt or in Run, enter RSOP.msc. You will see if there is another policy that turns this back on and overrides the policy you are trying to apply. This can be a bit tricky but the tool really helps. There is a command line tool as well that is discussed here: GPResult