Re: Using Domain level GPO to create XP Firewall exception

From: Philip Wilhelm
Date: 03/25/05

Date: Thu, 24 Mar 2005 21:15:02 -0800

Thank you. Here is exactly what seems to be the easiest way to go. Log onto
your AD Controller and open AD. Create your GPO in the OU you want it to
apply to. Don't bother making any actual changes to this GPO at this time;
simply create the base GPO with no changes. Now, apply the Hotfix on your
Windows 2003 AD Server (or appropriate OS) by following the link below.
Then, log into a Windows XP SP2 workstation as a user with rights to manage
the Domain level GPO (a Domain Admin account is always a safe bet). Once
logged in, open an MMC console and add the Group Policy snap-in. Change the
"local" GPO to point to the GPO you have created in your AD OU. By simply
connecting to the Domain level GPO from a Windows XP SP2 workstation, the adm
files on the DC you connected to are updated with the needed changes. Log back onto your
DC and EDIT the GPO you created in the first step. Under "Computer
Configuration, Application Templates, Network, Network Configuration" you
should now see a sub directory called "Windows Firewall". Make your changes

Thanks again Byron.

"Byron Hynes" wrote:

> Yes, but you will need to use the new (XPSP2) templates.
> This document describes (among other things) how to update the templates:
> And this page has more specifics on the WF configuration via GPO
> There are also two links at the bottom of that page that may help.
> - Byron Hynes.
> > Can someone please tell me if I can create a GPO in Active Directory
> > (Win2003) to create an exception on all Windows XP SP2 machines in a
> > specific OU? I would like to open UDP 2950 for the Symantec System
> > Center on my servers. With it blocked it shows all machines offline.
> >