I am a Jr Admin of a company who's boss seems to think its a good idea to get local admin rights to all users... I can't win until i take his job. We have some users who set the firewalls to disable all connections coming in.
How can I remotely reconfigure these firewalls without their knowledge?
Failed attempts below!
S:>net use \192.168.1.71\IPC$ "password" /user:domain\username The command completed successfully.
S:\pstools>sc \192.168.1.71 pause "Windows Firewall/Internet Connection Sharing (ICS)" [SC] OpenSCManager FAILED 1722:
The RPC server is unavailable.
S:\pstools>telnet \192.168.1.71 135 Connecting To \192.168.1.71...Could not open connection to the host, on port 13 5: Connect failed
S:\pstools>psservice \192.168.1.71 -u domain\username -p password stop "Windows Firewall/Internet Connection Sharing (ICS)"
PsService v2.21 - Service information and configuration utility Copyright (C) 2001-2006 Mark Russinovich Sysinternals - www.sysinternals.com
Unable to access Service Control Manager on \192.168.1.71: The RPC server is unavailable.
Sure I could drive out grab the machine, do some things to get me fired to have things done correctly, but i'm looking for a simpler way to get this done.
Group Policy is the best answer for this. All of the firewall settings can be set and enforced through this method.
Two words: Group Policy
I used PSTOOLS to do this recently. It lets you open up a cmd prompt to a remote machine. AFter that, just disable the firewall using
'netsh firewall set opmode mode = enable/disable'
If the machines are set to PXE boot, you could set up an image with your tools of choice ready to go, perhaps something made from BartPE, and then just power cycle the building. =P
Group Policy is able to handle this in a domain environment. You can also use the command netsh firewall set opmode mode = disable . Another way is through exporting the .reg key HKEY_LOCAL_MACHINE->SOFTWARE->Policies->Microsoft->WindowsFirewall & under the standard & domain profiles change "EnableFirewall" to 0. You can do it silently from cli by typing regedt /s filename.reg
While the users will have the local admin rights, you can't do anything that they won't be able to undo.
Don't your company have some "convention" on what can be done using the company's computers and what must not be done?
And as there's nothing dialog can't change, have you tried to discuss with the users and ask them to disable their firewall?
Can you not punt this question to your boss for "training/advice on how to solve it"? The advantage of being junior is that you can always kick things upstairs when its a result of your supervisor's stupid ideas so they get to see the consequences of their decisions.
Two thoughts ...
1- Learn to use Group Policy. Not just for this task, but for your career. You can control settings and you can control access to make changes. The local admin can change the settings unless access is restricted, at which point domain admin trumps local admin (as Kara eloquently put it).
2- I suspect the firewall is blocking the incoming connections which you are trying to use to turn off the firewall. Put another way .. if the firewall is set to block incoming connections, you won't be able to connect to execute a command and disable it!