GPO - Windows Firewall

WW 341 Reputation points
2021-04-22T13:43:02.777+00:00

Hello, question regarding managing Windows Firewall through GPO. When i try to manage it from my DC i receive this message:
90320-image.png

I have DC on WS2008R2.

I've noticed that this message for the time being only shows when I try to configure Windows Firewall GPO from DC.

Also I can edit this GPO from my computer with no issues.

Second question regarding this GPO is that I get error Security Filtering (Denied) when I try to apply it to one user. Scope is set to that user and Delegation is set to Authenticated Users with only Read marked. This is Computer Configuration policy - I'm trying to apply two firewall rules regarding Twain scaning (TCP and UDP)

Thank you!

Best regards!

Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
1,891 questions
No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Fan Fan 15,061 Reputation points
    2021-04-23T00:46:34.117+00:00

    Hi,
    Based on my understanding, you can edit the firewall GPO through the RAST on the computer, but can't edit the GPO on the 2008R2 DC, right?
    Did all the DCs have the same issue?

    For your second questions:
    Computer Configuration in Group Policy is applied to computers, regardless of who logs on to the computers.
    Since it is a computer configuration, the computers need the read and apply permission. We need to add the computers group into the scope and give the group read and apply group policy permission under the delegation.
    90498-4233.jpg

    No comments

  2. WW 341 Reputation points
    2021-04-23T07:25:53.027+00:00

    Normally I am always editing GPO on my DCs. But for this GPO that I have for firewall settings I can't edit on DC because it gives me this error so I'm editing it from my PC using Group Policy Management (you probably meant RSAT).

    Yes, all DCs have the same error when I try to edit this policy.


  3. WW 341 Reputation points
    2021-04-23T09:46:12.553+00:00

    Hm, it is acting strange from my point of view.

    Little info about this policy - it contains User configuration and Computer configuration. Under Computer configuration I have Firewall rules. This policy has Authenticated Users under Scope and under Delegation also Authenticated Users with Read and Apply Group Policy permissions.

    Problem:
    This policy has two settings for firewall rules- one rule is made long time ago and it is applied and second rule is the rule that is not applied. This second rule is created on my computer couple of days ago because I can't create it on DC because this error I mentioned earlier shows.

    What is strange is that that second rule is applied on some computers and on other it is not applied. When I run Group Policy Results wizard on computer that has not applied the second rule (only first is applied) it shows me no errors, it just doesn't see configuration for the second rule under Details tab of Group Policy Result wizard.

    Also what I have noticed is that for that GPO shows this message "AD / SYSVOL Version Mismatch" on Details tab when I run it on that computer and also I can see under Revision of that policy this mismatch AD (72), SYSVOL (68). Don't know why it shows like this (this computer is Windows 10 and DC is on WS2008R2). Also when I run this wizard od computer (also Windows 10) that successfully applied both rules it doesn't show this mismatch info.

    Replication between DC is OK.

    Best regards!


  4. WW 341 Reputation points
    2021-04-26T11:54:56.927+00:00

    Hi FanFan,

    thank you but the link you provided I already saw and it is for Windows 8.1 and Windows Server 2012 R2 and in my case is Windows 10 and DC is on WS2008R2.

    Something strange happened over the weekend because my GPO applied successfully and it no longer shows AD/SYSVOL version mismatch error. Everything is fine now as I can tell, I will check on couple of other computers as well but for now it seems that everything is ok. Don't know why GPO applied over the weekend.

    Thank you!