7,023 questions
You can follow along here.
https://woshub.com/windows-firewall-settings-group-policy/
--please don't forget to close up the thread here by marking answer if the reply is helpful--
Can a Windows Firewall Rule's authorized computer be an AD Group (like an OU) or include Wildcards?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 16%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELG%3C/text%3E%3C/svg%3E)
Lindauer, Greg
0
Reputation points
I'd like to set up a secure firewall rule. Under its Remote Computers/Authorized Computers, I want to enter something that represents all computers under one OU, or else takes a wildcard since the computers in this OU are all named OU-*. (Computers from other OUs or from outside the domain are blocked by this rule.)
Googling (Binging?) didn't turn up anything, it looks like the only solution is to create a security group, populate it with all the current computers in the OU, and keep it up to date... but I'm hoping there is a more elegant solution that will always tracks the current computers in the OU.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-12-06T20:45:06.54+00:00 -
Lindauer, Greg 0 Reputation points
2023-12-06T21:37:19.8666667+00:00 I appreciate the guide to using a GPO to set up firewall rules, but I am asking about specifying which remote computers are authorized in a rule that only allows secure connections
I am asking if I can specify all the computers in one OU in the Authorized Computers box (outlined in green above), without adding all the computers into a Security Group and adding that group as the Authorized computers (my issue with that is I have to keep the security group updated with the OU members as time goes on).
Another issue with answering this with a GPO response, is that just because it sends the policy out to all the computers in the OU doesn't mean the rule is restricted to remote computers in the OU.
Sign in to comment -
-
Anonymous
2023-12-06T22:14:29.19+00:00 Maybe this one helps.
--please don't forget to close up the thread here by marking answer if the reply is helpful--
-
Anonymous
2023-12-07T13:28:24.5633333+00:00 Just checking if there's any progress or updates?
--please don't forget to close up the thread here by marking answer if the reply is helpful--
-
Lindauer, Greg 0 Reputation points
2023-12-07T18:43:09.79+00:00 At Dec 6, 2023, 4:37 PM I said I am asking if I can specify all the computers in one OU in the Authorized Computers box (outlined in green above), without adding all the computers into a Security Group. https://anthonyfontanez.com/index.php/2021/09/16/windows-firewall-part-4-identity-based-access-control-via-kerberos/ relies on adding all the computers into a security group: configure Allowed Users to reference a previously created AD group containing only the user accounts that should be allowed access.
Maybe I missed it in that link, but I'm hoping there is a way to specify all the computers currently in the OU, so I don't have to keep a security group up to date (if a computer is transferred outside the OU it should no longer be allowed through the firewall).
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sign in to comment -