For some reason, Windows Firewall was disabled on an AD domain of my client. The RSoP report shows the setting originates from the Extra Registry Settings on Default Domain Policy.
If this was on any other GPO I could have just removed it, but it's the Default Domain Policy. On the Domain Controller there's no such ADM/ADMX template set up that controls these registry keys, so I can't edit them using the Group Policy Management Editor. (Probably some admin at some point had one on an external computer having the Remote Server Administration Tools installed.)
What would be the correct way to delete these settings? Should I find and install the correct ADM(X) template or is there any shortcut? (All the settings I actually need can be found under Network\Network Connections\Windows Firewall\ already, but this keeps Windows Firewall disabled for public and home networks.)
For this problem regarding Windows Firewall settings...
It turned out that settings made in Windows Settings were messing with the ADM(X) templates.
Here, configuring Windows Firewall Properties for Private and Public Profile to Not configured removed everything else but Software\Policies\Microsoft\WindowsFirewall\PolicyVersion from the Extra Registry Settings. (Now, it's of course possible to set them as wanted from here, too.)
This is good, as I checked the windowsfirewall.admx in all Administrative Templates through Windows Vista, Windows 7 and Windows 10; there weren't any settings for the Private and Public profile: just for the Domain Profile and Standard Profile. If I didn't find this solution, it would have required using the methods explained below.
Removing Extra Registry Settings from Default Domain Policy in general
Easiest way to solve this would be to remove the GPO involved and re-create it with only the necessary settings. For Default Domain Policy this needs some extra steps:
Recreate the default Group Policy Object using Dcgpofix (for the domain only, not for DC):
Edit your policy manually to contain all the settings in the report.
The other way is to manually create a new Administrative Template containing settings for these registry keys; .admx files are XML and easy to edit with a text editor.
In this case for Windows Firewall it would have been possible to edit the windowsfirewall.admx:
Create two new categories. (I hard-coded the displayNames to avoid modifying any .admls.)
Copy all (or just the required) child policy objects of WF_Profile_Standard.
Replace contents as required: Standard with Public/Private:
<parentCategory ref="WF_Profile_Public" />
key="SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\...
displayNames, explainTexts or presentations as they are already the same for both of the existing categories.
I'd recommend using this new template only temporarily & from a client computer having the Remote Server Administration Tools installed, instead of using it directly on a DC. This way, it wouldn't cause the very problems you are trying to solve with it!
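The values a report lists as Extra Registry Settings live in the GPO's Machine\Registry.pol file in SYSVOL. As an added example (not code from either answer), this Python parser reads that file format and lists what is set under the Windows Firewall policy key, so the settings can be recorded before the GPO is reset or edited. The function names and the sample bytes, including the PolicyVersion and EnableFirewall values, are constructed for illustration.

```python
import struct

PREFIX = "software\\policies\\microsoft\\windowsfirewall"
u = lambda s: s.encode("utf-16-le")
dw = lambda n: struct.pack("<I", n)

def build_sample_pol():  # constructed sample bytes; all values are illustrative
    def entry(key, name, rtype, data):
        return (u("[" + key + "\0;" + name + "\0;") + dw(rtype) + u(";")
                + dw(len(data)) + u(";") + data + u("]"))
    base = "Software\\Policies\\Microsoft\\WindowsFirewall"
    return (b"PReg" + dw(1)
            + entry(base, "PolicyVersion", 4, dw(522))
            + entry(base + "\\PublicProfile", "EnableFirewall", 4, dw(0))
            + entry(base + "\\PrivateProfile", "EnableFirewall", 4, dw(1))
            + entry("Software\\Policies\\Example", "Note", 1, u("a;b]\0")))

def parse_pol(blob):  # returns (key, value name, type, data) tuples
    if blob[:4] != b"PReg" or blob[4:8] != dw(1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    def take(n):
        nonlocal pos
        pos += n
        return blob[pos - n:pos]
    def expect(ch):
        if take(2) != u(ch):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def text():  # NUL-terminated UTF-16LE string, read in aligned 2-byte units
        chars = []
        while (c := take(2)) != b"\0\0":
            if len(c) < 2:
                raise ValueError("unterminated string")
            chars.append(c)
        return b"".join(chars).decode("utf-16-le")
    while pos < len(blob):
        expect("["); key = text(); expect(";"); name = text(); expect(";")
        rtype = struct.unpack("<I", take(4))[0]; expect(";")
        size = struct.unpack("<I", take(4))[0]; expect(";")
        data = take(size); expect("]")  # size-driven, so ';' or ']' in data is safe
        if rtype == 4 and size == 4:  # REG_DWORD
            data = struct.unpack("<I", data)[0]
        elif rtype == 1:  # REG_SZ
            data = data.decode("utf-16-le").rstrip("\0")
        out.append((key, name, rtype, data))
    return out

def firewall_settings(entries):  # last field is True when a profile is switched off
    return [(k, n, d, n.lower() == "enablefirewall" and d == 0)
            for k, n, _t, d in entries if k.lower().startswith(PREFIX)]
```

To inspect a real policy, pass the bytes of a copy of the GPO's Machine\Registry.pol to parse_pol instead of build_sample_pol().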
Install or just use the correct ADM(X) template(s) there or on another machine in this Domain. As the Screenshot indicates, this is Windows (Server) 2008, which is not able to edit registry settings like group policy preferences.