Network and Classroom Management Thread, Enabling ping (echo request) and remote desktop through GPO. in Technical; Hi All,
Not sure where to post this, but if I enable these in the default domain policy is there ...
10th June 2013, 04:44 PM #1
Enabling ping (echo request) and remote desktop through GPO.
Not sure where to post this, but if I enable these in the default domain policy is there anything I should be concerned about.
I'd like to use a combination of an ip scanner and remote desktop to turn off pc's left on overnight/at the weekend/holidays etc. But I can't seem to get the ip scanner to report if the echo request is blocked in windows firewall.
Thanks in advance.
IDG Tech News
11th June 2013, 07:07 PM #2
I would put the firewall settings into a separate policy rather than the default policy.
This is how you do it in 7 (I don't think you need to enable remote management but it may be helpful): Use Group Policy to allow ping and remote management on Windows 7 « 404 Tech Support
I can't remember if XP uses the same settings as the link above or somewhere else in group policy.
edit: XP firewall settings are under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall
Last edited by computer_expert; 11th June 2013 at 07:42 PM.
Thanks to computer_expert from:
11th June 2013, 08:14 PM #3
- Rep Power
You could also schedule a forced shutdown - something as simple as running a batch script.
You'd still need to it respond to a ping etc though.
11th June 2013, 08:21 PM #4
If you do allow firewall exceptions via gpo you can also put in the ip or ranges from which the machines will accept those requests so if you put your server ip only that machine will be able to remotely connect or ping them.
13th June 2013, 04:08 PM #5
13th June 2013, 04:49 PM #6
using GPP you can schedule the shutdown.exe to run at the end of the day. You can even allow users to cancel the action. I allow ping to everywhere but also allow file and print sharing to only my admin workstations. you just change the scope options and enter your ip address in the firewall rule.
17th June 2013, 01:53 PM #7
Yeah lol GPP, not my thing really! Just out of interest, if pushed it out by GPP does this apply to every computer that picks up this scheduled task and if so, will I get users that take their laptop home suddenly shutting down at 19:00? Or does it only run for the computers connected to the server when the task runs? Actually does the server run the tasks or does the GPP put the task on the client?
Originally Posted by chazzy2501
Would have to create exceptions for the servers too lol! Or do I have to start creating OU's and add the computers I want to run it on in there?
17th June 2013, 02:19 PM #8
Well using GPP in the group policy object you'd assign it to the particular computer OUs (so no server issues.) You can do lots with GPP item level targeting. With home laptops you could NOT apply if a battery is present for example. Or if the PC is in a certain ip range, setup as a portable computer docked or undocked... It's really powerful and easy to use. The scheduled shutdown task itself can be user aborted if you allow it.
oh and to clarify GPP like GPO are cached so even if the PC isn't on the network it can still run the policies. The task will be added to the client.
Last edited by chazzy2501; 17th June 2013 at 02:22 PM.
Thanks to chazzy2501 from:
17th June 2013, 02:37 PM #9
Thanks for the info. Don't think our computers are in OU's as everything is done per user (as far as I can see). Also what might be the final straw... Most of the pc's are XP and to use GPP I would need to install Client Side Extensions on each individual client?
Last edited by Koldov; 17th June 2013 at 02:49 PM.
17th June 2013, 03:20 PM #10
Yes the XP machines would need CSE (Client Side Extensions) installed. This can be done via WSUS or as long as they auto update they should have it already. But an MSI is available for deployment.
18th June 2013, 12:39 PM #11
Yes, these are mostly old classroom PC's, especially the ones hooked up to the IWB's. I've enabled both ping and remote desktop in the GPO, unfortunately I'm not sure which had them enabled and which didn't in the first place.
Originally Posted by computer_expert
Just to check in here:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall
there are two sub-choices - Domain Profile and Standard Profile - Not that I like to assume (and I can't believe I'm asking) but the change should be made in the Domain Profile setting as we are running a Domain...? If it is that simple, what does the Standard Profile change and why/when/what would you use that for in Group Policy?
18th June 2013, 06:23 PM #12
I created the rules under the domain profile.
Originally Posted by Koldov
As for the standard profile:
About half way down here (Step 2): Deploying Windows Firewall Settings With Group Policy
The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member.
24th June 2013, 10:39 AM #13
Yes thank you, that is as I thought... Doesn't hurt to be sure though
Anyway, I am a little further with this now, as just those settings just would not allow Remote Desktop to be enabled. Then as I was Gooooogling this weekend, I came across pages referencing Terminal Services.
Now this maybe schoolboy error time, or just blatantly obvious to the more experienced/informed technicians out there, so sorry if this is a real dumb question, but once I enabled this on my test rig:
Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Allow users to connect remotely using Terminal Services
Everything opened up and I could use Remote Desktop... Is that right?
Is this something that is enabled by default in your set-up? Is this because it is a legacy set-up here and mostly 2003 > XP? Or should this be enabled as standard if using Remote Desktop and was just not mentioned because it was so obvious?
I think this this link says that to DISABLE Remote Desktop, you have to ENABLE Terminal Services in GP...
How to disable Remote Desktop by using Group Policy
But I'm not sure that is correct (oh, the dangers of Gooooogle...)
This page seems to give the opinion that you can enable one or the other (either TS or RDP)
Enable or disable Remote Desktop: Terminal Services Client (Remote Desktop)
'If the Allows users to connect remotely using Terminal Services Group Policy setting is set to Not Configured, the Enable Remote Desktop on this computer setting (on the Remote tab of the System Properties dialog box) on the target computers takes precedence. Otherwise, the Allows users to connect remotely using Terminal Services Group Policy setting takes precedence'.
But I don't seem to be able to get the clients to actually enable RDP (and tick the box in the Remote tab of the System Properties dialogue) through the RDP setting in the GPO alone...
That setting only appears to let the connection through the firewall and the 'actual' setting for enabling Remote Desktop' is 'Allow users to connect remotely using Terminal Services'.
Also it appears that over the years, AD has become a little messy and the computers folder does not hold all the computers! Many have been moved to folders to allow certain other GPO's to apply and scripts to be run on them and there are hundreds of entries for computers that don't exist anymore!
Some are for computers that I have joined to the Domain and so I'm unsure why they didn't end up in the 'Computers' folder...
As I have been advised not to change the 'Default Domain Policy', how do I get all the computers to use the new settings. As there is no 'Computers ' folder in the Group Policy Management Console (because it is a container?) and so I cannot apply a GPO to that and I don't want to start dragging computers into new OU's as I haven't as yet been able to ascertain what impact dragging them into a new OU will have (apart from them no longer applying the 'group policy' they do now, which I'm not sure will be great as most of them are printer scripts which are no longer used or to map drives, some of which I know are handled with logon scripts as well!).
Is it easier for me to just open all the various GPO's that apply to these computers and edit them with the computer settings I want. Then create a new GPO with the settings I want and drag all the computers in the 'Computers' folder into a new OU and apply a GPO to that?
The OCD in me would like all the computers in one computer folder, but I'm not experienced enough to make AD/GPO work that way (if it even can), if multiple GPO's are being applied to various different computers
Well done if you've read this far, sorry for the noob questions and obviously fragile grasp on AD/GPO's, but any helpful insights or constructive advice will be gratefully received.
By bandgeekmafia78 in forum Licensing Questions
Last Post: 12th December 2012, 03:06 PM
By rowed in forum Windows Server 2008 R2
Last Post: 5th May 2010, 08:31 PM
By shafia2009 in forum Windows
Last Post: 20th March 2009, 12:35 PM
By localzuk in forum Thin Client and Virtual Machines
Last Post: 17th March 2008, 02:08 PM
By russdev in forum Wireless Networks
Last Post: 16th November 2005, 10:07 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)