  1. #1
    Koldov

    Enabling ping (echo request) and remote desktop through GPO.

    Hi All,

    Not sure where to post this, but if I enable these in the default domain policy, is there anything I should be concerned about?

    I'd like to use a combination of an IP scanner and remote desktop to turn off PCs left on overnight/at the weekend/holidays etc. But I can't seem to get the IP scanner to report if the echo request is blocked in Windows Firewall.

    Thanks in advance.

    Kol.

  2. #2

    computer_expert
    I would put the firewall settings into a separate policy rather than the default policy.

    This is how you do it in 7 (I don't think you need to enable remote management but it may be helpful): Use Group Policy to allow ping and remote management on Windows 7 404 Tech Support

    I can't remember if XP uses the same settings as the link above or somewhere else in group policy.

    edit: XP firewall settings are under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall
    Last edited by computer_expert; 11th June 2013 at 06:42 PM.

  4. #3
    XiJ
    You could also schedule a forced shutdown - something as simple as running a batch script.

    You'd still need it to respond to a ping etc. though.

  6. #4

    plexer
    If you do allow firewall exceptions via GPO you can also put in the IP or ranges from which the machines will accept those requests, so if you put your server IP only that machine will be able to remotely connect or ping them.

    Ben

  8. #5
    Koldov
    Originally posted by plexer:
        If you do allow firewall exceptions via GPO you can also put in the IP or ranges from which the machines will accept those requests, so if you put your server IP only that machine will be able to remotely connect or ping them.

        Ben

    I think this is what I'm looking for. It's only 3 or 4 persistent offenders, I would be remoting in to the server and working through there, but it would be handy to be able to use the ipscan software to sweep all IP ranges, just in case there are others...

    Unfortunately, my GPO skillz are as weak as my AD kung-fu, so separate policies, OUs and such I'm not confident enough to mess with.

    Anyway, I have got as far as the policy and can see where to tick and that's about my technical limit!

    Thanks so far!

    Kol.

  9. #6
    chazzy2501
    Using GPP you can schedule the shutdown.exe to run at the end of the day. You can even allow users to cancel the action. I allow ping to everywhere but also allow file and print sharing to only my admin workstations. You just change the scope options and enter your IP address in the firewall rule.

  10. #7
    Koldov
    Originally posted by chazzy2501:
        Using GPP you can schedule the shutdown.exe to run at the end of the day. You can even allow users to cancel the action. I allow ping to everywhere but also allow file and print sharing to only my admin workstations. You just change the scope options and enter your IP address in the firewall rule.

    Yeah lol GPP, not my thing really! Just out of interest, if I pushed it out by GPP does this apply to every computer that picks up this scheduled task and if so, will I get users that take their laptop home suddenly shutting down at 19:00? Or does it only run for the computers connected to the server when the task runs? Actually does the server run the tasks or does the GPP put the task on the client?

    Would have to create exceptions for the servers too lol! Or do I have to start creating OUs and add the computers I want to run it on in there?

    Kol.

  11. #8
    chazzy2501
    Well, using GPP in the group policy object you'd assign it to the particular computer OUs (so no server issues). You can do lots with GPP item level targeting. With home laptops you could NOT apply if a battery is present for example. Or if the PC is in a certain IP range, setup as a portable computer docked or undocked... It's really powerful and easy to use. The scheduled shutdown task itself can be user aborted if you allow it.

    Oh, and to clarify, GPP, like GPO, are cached, so even if the PC isn't on the network it can still run the policies. The task will be added to the client.
    Last edited by chazzy2501; 17th June 2013 at 01:22 PM.

  13. #9
    Koldov
    Thanks for the info. Don't think our computers are in OUs as everything is done per user (as far as I can see). Also what might be the final straw... Most of the PCs are XP and to use GPP I would need to install Client Side Extensions on each individual client?

    Kol.
    Last edited by Koldov; 17th June 2013 at 01:49 PM.

  14. #10
    chazzy2501
    Yes the XP machines would need CSE (Client Side Extensions) installed. This can be done via WSUS or as long as they auto update they should have it already. But an MSI is available for deployment.

  15. #11
    Koldov
    Originally posted by computer_expert:
        I would put the firewall settings into a separate policy rather than the default policy.

        This is how you do it in 7 (I don't think you need to enable remote management but it may be helpful): Use Group Policy to allow ping and remote management on Windows 7 404 Tech Support

        I can't remember if XP uses the same settings as the link above or somewhere else in group policy.

        edit: XP firewall settings are under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall

    Yes, these are mostly old classroom PCs, especially the ones hooked up to the IWBs. I've enabled both ping and remote desktop in the GPO, unfortunately I'm not sure which had them enabled and which didn't in the first place.

    Just to check in here:

    Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall

    there are two sub-choices - Domain Profile and Standard Profile - Not that I like to assume (and I can't believe I'm asking) but the change should be made in the Domain Profile setting as we are running a Domain...? If it is that simple, what does the Standard Profile change and why/when/what would you use that for in Group Policy?

    Kol.

  16. #12

    computer_expert
    Originally posted by Koldov:
        Yes, these are mostly old classroom PCs, especially the ones hooked up to the IWBs. I've enabled both ping and remote desktop in the GPO, unfortunately I'm not sure which had them enabled and which didn't in the first place.

        Just to check in here:

        Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall

        there are two sub-choices - Domain Profile and Standard Profile - Not that I like to assume (and I can't believe I'm asking) but the change should be made in the Domain Profile setting as we are running a Domain...? If it is that simple, what does the Standard Profile change and why/when/what would you use that for in Group Policy?

        Kol.

    I created the rules under the domain profile.

    As for the standard profile:
    The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member.
    About half way down here (Step 2): Deploying Windows Firewall Settings With Group Policy

  17. #13
    Koldov
    Yes thank you, that is as I thought... Doesn't hurt to be sure though.

    Anyway, I am a little further with this now, as just those settings would not allow Remote Desktop to be enabled. Then as I was Gooooogling this weekend, I came across pages referencing Terminal Services.

    Now this may be schoolboy error time, or just blatantly obvious to the more experienced/informed technicians out there, so sorry if this is a real dumb question, but once I enabled this on my test rig:

    Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Allow users to connect remotely using Terminal Services

    Everything opened up and I could use Remote Desktop... Is that right?

    Is this something that is enabled by default in your set-up? Is this because it is a legacy set-up here and mostly 2003 > XP? Or should this be enabled as standard if using Remote Desktop and was just not mentioned because it was so obvious?

    I think this link says that to DISABLE Remote Desktop, you have to ENABLE Terminal Services in GP...

    How to disable Remote Desktop by using Group Policy

    But I'm not sure that is correct (oh, the dangers of Gooooogle...)

    This page seems to give the opinion that you can enable one or the other (either TS or RDP)

    Enable or disable Remote Desktop: Terminal Services Client (Remote Desktop)

    'If the Allows users to connect remotely using Terminal Services Group Policy setting is set to Not Configured, the Enable Remote Desktop on this computer setting (on the Remote tab of the System Properties dialog box) on the target computers takes precedence. Otherwise, the Allows users to connect remotely using Terminal Services Group Policy setting takes precedence'.

    But I don't seem to be able to get the clients to actually enable RDP (and tick the box in the Remote tab of the System Properties dialogue) through the RDP setting in the GPO alone...

    That setting only appears to let the connection through the firewall and the 'actual' setting for enabling 'Remote Desktop' is 'Allow users to connect remotely using Terminal Services'.

    Also it appears that over the years, AD has become a little messy and the computers folder does not hold all the computers! Many have been moved to folders to allow certain other GPOs to apply and scripts to be run on them and there are hundreds of entries for computers that don't exist anymore!
    Some are for computers that I have joined to the Domain and so I'm unsure why they didn't end up in the 'Computers' folder...
    As I have been advised not to change the 'Default Domain Policy', how do I get all the computers to use the new settings? As there is no 'Computers' folder in the Group Policy Management Console (because it is a container?) and so I cannot apply a GPO to that and I don't want to start dragging computers into new OUs as I haven't as yet been able to ascertain what impact dragging them into a new OU will have (apart from them no longer applying the 'group policy' they do now, which I'm not sure will be great as most of them are printer scripts which are no longer used or to map drives, some of which I know are handled with logon scripts as well!).

    Is it easier for me to just open all the various GPOs that apply to these computers and edit them with the computer settings I want? Then create a new GPO with the settings I want and drag all the computers in the 'Computers' folder into a new OU and apply a GPO to that?

    The OCD in me would like all the computers in one computer folder, but I'm not experienced enough to make AD/GPO work that way (if it even can), if multiple GPOs are being applied to various different computers.

    Well done if you've read this far, sorry for the noob questions and obviously fragile grasp on AD/GPOs, but any helpful insights or constructive advice will be gratefully received.

    Kol.
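
A read-only check to run on a client to see what the policies discussed in this thread actually applied (firewall exceptions, their address scope, and whether Remote Desktop itself is enabled), added here as an example and not part of any post. It assumes PowerShell 2.0 or later and that the Windows Firewall and Terminal Services administrative templates store their values at the registry paths shown; the helper name Get-RegValue is illustrative.

```powershell
# Added example. Read-only. Assumes PowerShell 2.0+ and that the registry
# paths below are where the administrative templates store these settings.
$fw      = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$tsGp    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsLocal = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue($Path, $Name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Firewall exceptions delivered by Group Policy, per firewall profile.
$rows = foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $rdpKey = "$fw\$fwProfile\Services\RemoteDesktop"
    New-Object PSObject -Property @{
        Profile      = $fwProfile
        PingAllowed  = (Get-RegValue "$fw\$fwProfile\IcmpSettings" 'AllowInboundEchoRequest') -eq 1
        RdpException = (Get-RegValue $rdpKey 'Enabled') -eq 1
        RdpScope     = Get-RegValue $rdpKey 'RemoteAddresses'
    }
}
$rows | Select-Object Profile, PingAllowed, RdpException, RdpScope | Format-Table -AutoSize

# 2. Whether the Remote Desktop service accepts connections at all.
#    The Terminal Services policy wins when it is configured; otherwise the
#    checkbox on the Remote tab of System Properties decides.
$gpDeny    = Get-RegValue $tsGp 'fDenyTSConnections'
$localDeny = Get-RegValue $tsLocal 'fDenyTSConnections'
if ($null -ne $gpDeny) {
    $deny = $gpDeny; $source = 'Group Policy'
} else {
    $deny = $localDeny; $source = 'local setting'
}
$rdpOn = ($deny -eq 0)
"Remote Desktop connections {0} (decided by {1})" -f $(if ($rdpOn) { 'ALLOWED' } else { 'DENIED' }), $source

# 3. Flag the two situations raised in the thread.
foreach ($r in $rows) {
    if ($r.RdpException -and -not $rdpOn) {
        "$($r.Profile): firewall lets RDP through, but the service refuses connections."
    }
    if ($r.RdpException -and ((-not $r.RdpScope) -or $r.RdpScope -eq '*')) {
        "$($r.Profile): RDP exception has no address scope; any source address is accepted."
    }
}
```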
