Friday, February 17, 2006

Group Policy: Windows Firewall setting to allow your WMI scripts to run

Let’s go back to the architecture assessment that I was talking about earlier this month. One thing that I encountered, and commonly see, is improperly configured Group Policy settings for the Windows Firewall.

“SP2 has been deployed for quite a while - why are you talking about this now?”

Well, because I was reminded of this just recently and needed to document it. :) Part of the assessment involves running a series of scripts against the new customer environments (I’ve posted snippets of the workstation inventory script). One of the things that gets turned off by default is called “Remote Administration”, and this prevents me from running WMI scripts.

For most organizations, it’s a good idea to enable the Windows Firewall under the domain profile. In organizations where you need to be able to do things like talk to clients via WMI (which would be a type of unsolicited DCOM request on port 135), you have to make sure that you enable the Group Policy setting “Allow Remote Administration Exception”. Open up Group Policy Manager and go here under your Computer objects OU: Computer Configuration\Administrative Templates\Network\Windows Firewall\Domain Profile.

Once you enable "Allow Remote Administration Exception" (and the computer objects refresh their policies), you can start running your scripts again.
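
To confirm on a client that the setting actually arrived after the policy refresh, and which source addresses it admits, a check like the following can be run locally. This is an added example, not part of the original post; it assumes the domain-profile firewall policy is written to the registry key and value names shown, and the function name is hypothetical.

```powershell
# Added example (not from the original post): report whether the
# "Allow Remote Administration Exception" policy reached this client.
# Assumption: domain-profile firewall policy is stored under this key,
# with Enabled / RemoteAddresses values in the RemoteAdminSettings subkey.
$DomainProfileKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-RemoteAdminException {   # hypothetical helper name
    param([string]$ProfileKey = $DomainProfileKey)

    $report = [pscustomobject]@{
        FirewallOnByPolicy = $null    # $null means the policy does not set it
        ExceptionEnabled   = $false
        Scope              = $null
        Finding            = ''
    }

    # Is the firewall itself forced on for the domain profile?
    $fw = Get-ItemProperty -Path $ProfileKey -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($fw) { $report.FirewallOnByPolicy = ($fw.EnableFirewall -eq 1) }

    # Is the Remote Administration exception enabled, and for which sources?
    $ra = Get-ItemProperty -Path (Join-Path $ProfileKey 'RemoteAdminSettings') -ErrorAction SilentlyContinue
    if ($ra) {
        $report.ExceptionEnabled = ($ra.Enabled -eq 1)
        $report.Scope            = $ra.RemoteAddresses
    }

    if (-not $report.ExceptionEnabled) {
        $report.Finding = 'Exception not enabled by policy: remote WMI (DCOM, port 135) is blocked while the firewall is on.'
    }
    elseif ([string]::IsNullOrEmpty($report.Scope)) {
        $report.Finding = 'Exception enabled but no source-address list found: review the scope set in the policy.'
    }
    elseif ($report.Scope.Trim() -eq '*') {
        $report.Finding = 'Exception enabled for any source address: limit it to the hosts or subnets you run scripts from.'
    }
    else {
        $report.Finding = "Exception enabled, limited to: $($report.Scope)"
    }
    $report
}

Get-RemoteAdminException | Format-List
```

Run it after `gpupdate /force` on a test workstation; a scope of `*` means the exception accepts unsolicited requests from anywhere the client is reachable, not just from the machine the scripts run on.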
