Vista Firewall seems to be tattooed with Remote Administration blocking rules in local group policy
I've enabled Remote Administration and Remote Assistance in Domain Group Policies. I've verified that these policies are being applied with GPresult. Everything worked in my network, including Remote Assistance, for about 2 weeks. Suddenly we couldn't remote control end-users' workstations. After extensive investigation and review of settings I discovered three entries in the local firewall. They are all listed with a source of Local Group Policy:

* Remote Administration (RPC-EPMAP) Port 135 block
* Remote Administration (RPC) Dynamic RPC block
* Remote Administration (NP-In) Port 445 block

These do not show up when I run gpedit.msc and review local group policy. These do not show up in my Domain Group Policies under local policies. I've attempted to add secure channels that override these blocks, but still no good. My workaround at the moment is to turn off the firewall for the Domain profile. These seem to be phantom entries that are tattooed onto all my domain workstations.

Vista Enterprise SP1. Managing the Group Policies on Server 2008. We're also using Group Policy Preferences.

Any help locating where these are coming from would be appreciated. These three entries appear to be the only ones, so I suspect some other non-firewall policy regarding Remote Administration is creating them. I just cannot find anything that relates to this set with a block or denied configuration.

Kenmore, WA
October 8th, 2009 1:09am

Hi,

Thank you for your post. Based on my research, I would like to suggest the following:

1. Please manually set the rules to Allow and enable them. Then, reboot the computer and see if it will be changed back.
2. If the rules are changed, I suspect this should be related to Group Policy, and please gather the following information for our further research:
   1) In the GPMC, process the Group Policy Result wizard to collect the data of RSOP.
   2) Right click Group Policy Results ---> Group Policy Results Wizard...
   3) Choose Another computer to point to the problematic client.
   4) Select that problematic user account and click Next to collect the group policy result data.

In the Summary tab, verify the settings in Computer Configuration ---> Policies ---> Windows Settings ---> Security Settings ---> Windows Firewall with Advanced Security. Please also upload the report to Windows Live SkyDrive and share its URL with us.

Thanks.

Nicholas Li
TechNet Subscriber Support in forum
Nicholas Li - MSFT
October 8th, 2009 12:48pm

Hi,

I just want to see how everything is going. If you have any questions or concerns on the recent information I've provided you, please feel free to let me know.

Thanks.

Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd @ microsoft.com.
Nicholas Li - MSFT
October 9th, 2009 1:52pm

Nicholas,

I'll try to gather the reports as indicated. The Allow rules already exist. I guess I'll try to add an overwriting rule to local group policy as a test. From what I've read, blocks always win when there are two competing rules.

Thanks
Kevin
Kenmore, WA
October 12th, 2009 10:19pm

http://cid-ab18f6b6e4dcacd5.skydrive.live.com/browse.aspx/Support%20Reports

Nicholas,

Haven't used SkyDrive before. Hopefully this link takes you to a report on an affected workstation. All workstations and users are affected by the issue.

Another interesting thing I noticed when I ran GPresult on my workstation. There's a set of registry changes that I can't map to any policies I've set in the GPO. They appear to be firewall information, but I can't tell what it's setting (or blocking). I'll try and trace these entries using regedit.

Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\BackgroundPriorityLevel 3 Default Domain Policy
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\NoBackgroundPolicy 0 Default Domain Policy
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\NoGPOListChanges 0 Default Domain Policy
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\NoSlowLink 0 Default Domain Policy
Software\policies\Microsoft\WindowsFirewall\ConSecRules\23c8649b-ce36-4b29-9d0e-fb9211a66c0d v2.0|Action=DoNotSecure|Active=TRUE|EP2_4=10.1.1.0/255.255.255.0|EP2_4=10.0.0.0/255.255.255.0|EP2_4=10.5.5.0/255.255.255.0|Name=General OMWLAW bypass|Desc=| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\ConSecRules\8fbce70a-184e-4420-b9f8-32e6e135b67b v2.0|Action=Boundary|Active=TRUE|Profile=Domain|Name=Domain connection rule|Desc=|Auth1Set=ComputerKerberos|Auth2Set=EmptySet|Crypto2Set={E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\0e36700f-122e-40d0-8eed-83408f6cb4f1 v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=135|Name=DCOM port 135|Desc=Open for remote assistance|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|Security=Authenticate|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\44a5f8fb-8e01-4610-b42c-1b399c66d49b v2.0|Action=Allow|Active=TRUE|Dir=In|App=%SystemRoot%\system32\msra.exe|Name=Remote Assistance Program|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\48d6b0b4-e077-49ed-9f47-414af2d64431 v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2869|Name=Remote Assistance (UPnP-In)|Desc=TCP Port 2869|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\611d65be-60f3-4859-ab90-755df63107fc v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=RDP port 3389|Desc=RDP port for remote desktop and remote assistance|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\6c4e5252-8928-4139-85c7-d3ff98c669e5 v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=1900|Name=Remote Assistance (SSDP_In)|Desc=UDP Port 1900|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\c30169e2-7d33-41de-a469-a13c73fea088 v2.0|Action=Allow|Active=TRUE|Dir=In|App=%SystemRoot%\system32\raserver.exe|Name=Remote Assistance Server process|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteAdmin-In-TCP v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=*|Name=@FirewallAPI.dll,-29753|Desc=@FirewallAPI.dll,-29756|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteAdmin-NP-In-TCP v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@FirewallAPI.dll,-29757|Desc=@FirewallAPI.dll,-29760|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteAdmin-RPCSS-In-TCP v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|Name=@FirewallAPI.dll,-29765|Desc=@FirewallAPI.dll,-29768|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteFwAdmin-In-TCP v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=policyagent|Name=@FirewallAPI.dll,-30003|Desc=@FirewallAPI.dll,-30006|EmbedCtxt=@FirewallAPI.dll,-30002|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteFwAdmin-RPCSS-In-TCP v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|Name=@FirewallAPI.dll,-30007|Desc=@FirewallAPI.dll,-30010|EmbedCtxt=@FirewallAPI.dll,-30002|Edge=FALSE| Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\IPSecExempt 2 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3} {E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5} Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\CAName DC=com, DC=omwlaw, CN=omwlaw-OMWSRV2008-CA Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\CertAccountMapping FALSE Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\ExcludeCAName FALSE Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\HealthCert FALSE Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\Method MachineCert Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\CAName C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\CertAccountMapping FALSE Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\ExcludeCAName FALSE Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\HealthCert FALSE Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\Method MachineCert Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0002\Method MachineNtlm Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0003\Method Anonymous Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\Version 2.1 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\Anonymous\0000\Method Anonymous Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\Anonymous\Version 2.1 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\ComputerKerberos\0000\Method MachineKerb Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\ComputerKerberos\Version 2.1 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4} {E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379} Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}\0000\Method UserNTLM Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}\0001\Method Anonymous Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}\Version 2.1 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\EmptySet\Version 2.1 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\PolicyVersion 513 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall 1 Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall 1 Vista Lobotomy Settings

Kenmore, WA
October 12th, 2009 11:25pm
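The registry dump above is in the Windows Firewall policy rule format (a version token followed by pipe-separated Key=Value pairs), and the earlier remark that "blocks always win" is correct: Windows Firewall with Advanced Security evaluates inbound traffic as authenticated bypass rules first, then block rules, then allow rules, then the profile default, so no number of extra Allow rules can override a Block rule for the same traffic, and a ByPass rule only applies to traffic whose peer has been authenticated by IPsec. The following Python is an added example written for this page (it is not code from the thread, from Microsoft, or from any Windows tool): it parses rule strings in that format into dictionaries, prints a readable one-line summary per rule, and applies the precedence above to a described packet. The sample rule strings are constructed for the example (they mirror the shape of the dump but omit its SIDs and GUIDs), and treating the `RPC` port keyword as the 49152-65535 dynamic range is a labelled simplification of what the real firewall does.

```python
"""Parse Windows Firewall policy rule strings ('v2.0|Key=Value|...') as shown
by GPResult/RSOP under Software\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules,
and decide which rule wins for a packet under the documented precedence:
authenticated bypass > block > allow > profile default.  Added example."""

PROTOCOL_NAMES = {1: "ICMPv4", 6: "TCP", 17: "UDP"}
PRECEDENCE = {"BYPASS": 0, "BLOCK": 1, "ALLOW": 2}   # lower number wins


def parse_rule(raw):
    """Split 'v2.0|Key=Value|Key=Value|' into a dict.  Repeated keys (the EP2_4
    endpoint list in ConSecRules, or several Profile= entries) become a list."""
    tokens = [t for t in raw.strip().split("|") if t]
    if not tokens or not tokens[0].lower().startswith("v"):
        raise ValueError("missing version prefix: %r" % raw)
    rule = {"Version": tokens[0]}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")      # split on the first '=' only
        if not sep:
            raise ValueError("token without '=': %r" % tok)
        if key in rule:
            if not isinstance(rule[key], list):
                rule[key] = [rule[key]]
            rule[key].append(value)
        else:
            rule[key] = value
    return rule


def _as_list(v):
    return v if isinstance(v, list) else [v]


def port_matches(spec, port):
    """LPort may be a number, a range 'a-b', a comma list, or a keyword.
    RPC-EPMap is the endpoint mapper (TCP 135).  'RPC' really means ports the RPC
    runtime registered; this example approximates it with the Vista+ dynamic
    range 49152-65535 (simplification, not the firewall's actual lookup)."""
    s = spec.strip().upper()
    if s == "RPC-EPMAP":
        return port == 135
    if s == "RPC":
        return 49152 <= port <= 65535
    for part in s.split(","):
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def matches(rule, pkt):
    """pkt keys: dir, profile, protocol, lport, authenticated (IPsec peer auth).
    A rule with no Profile= applies to all profiles; a disabled rule never matches;
    a ByPass rule matches only IPsec-authenticated traffic."""
    if rule.get("Active", "FALSE").upper() != "TRUE":
        return False
    if rule.get("Dir", "In") != pkt["dir"]:
        return False
    if "Profile" in rule and pkt["profile"] not in _as_list(rule["Profile"]):
        return False
    if "Protocol" in rule and int(rule["Protocol"]) != pkt["protocol"]:
        return False
    if "LPort" in rule and not port_matches(rule["LPort"], pkt["lport"]):
        return False
    if rule.get("Action", "").upper() == "BYPASS" and not pkt.get("authenticated", False):
        return False
    return True


def decide(rules, pkt):
    """Return (action, rule name) of the winning rule, or the profile default
    (inbound blocked, outbound allowed) with name None when nothing matches."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return ("Block" if pkt["dir"] == "In" else "Allow", None)
    winner = min(hits, key=lambda r: PRECEDENCE.get(r.get("Action", "").upper(), 99))
    return (winner["Action"], winner.get("Name", "<unnamed>"))


def describe(rule):
    """One readable line per rule, e.g. 'Block In TCP/135 [Domain] <name>'."""
    proto = rule.get("Protocol")
    proto_txt = PROTOCOL_NAMES.get(int(proto), proto) if proto else "any"
    prof_txt = ",".join(_as_list(rule["Profile"])) if "Profile" in rule else "all profiles"
    state = "" if rule.get("Active", "").upper() == "TRUE" else " (disabled)"
    return "%s %s %s/%s [%s] %s%s" % (rule.get("Action", "?"), rule.get("Dir", "In"), proto_txt,
                                      rule.get("LPort", "any"), prof_txt, rule.get("Name", "<unnamed>"), state)


# Constructed sample rules in the same format as the RSOP dump (not copied from it).
SAMPLE_RULES = [
    "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\\system32\\svchost.exe|Svc=RPCSS|Name=Remote Administration (RPC-EPMAP) allow|Edge=FALSE|",
    "v2.0|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=135|Profile=Domain|Name=Remote Administration (RPC-EPMAP) Port 135 block|",
    "v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=135|Security=Authenticate|Name=DCOM port 135 bypass|",
    "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=RDP port 3389|Desc=RDP port for remote desktop|Edge=FALSE|",
    "v2.0|Action=Allow|Active=FALSE|Dir=In|Protocol=17|LPort=53|Name=DNS (UDP-In)|",
]

if __name__ == "__main__":
    rules = [parse_rule(s) for s in SAMPLE_RULES]
    for r in rules:
        print(describe(r))
    pkt = {"dir": "In", "profile": "Domain", "protocol": 6, "lport": 135, "authenticated": False}
    print(decide(rules, pkt))          # the Block rule wins over the Allow rule
    pkt["authenticated"] = True
    print(decide(rules, pkt))          # now the ByPass rule wins
```

Run against a real GPResult or RSOP export, `describe()` turns each FirewallRules value into a line that states action, direction, protocol/port, profile and name, which is usually enough to spot a Block entry hiding among Allow entries; `decide()` makes the precedence concrete, showing why an Allow rule on the same port does not help once a Block exists, and why a ByPass rule helps only when the connection security rules actually authenticate the peer.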

Hi,

Thank you for your update. Firstly, may I know how it works when you set the rules to Allow and enable them? After checking the report, I found the following under Inbound Rules of Windows Firewall with Advanced Security: Since some rules are set to allowed and enabled by default, it may not be necessary to set the rule manually.

Based on the current situation, please try the following to check the issue:

1. Check and adjust the Group Policy settings.
2. Please disable the policy "Vista Lobotomy Settings" and have a check.
3. Take a client computer out of the OU to which the policy "Vista Lobotomy Settings" is applied and see if you can access it.

Thanks. Hope this helps.

Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb @ microsoft.com.
Nicholas Li - MSFT
October 15th, 2009 11:44am

Hi Nicholas,

Thanks for the reply. I've created a copy of the Lobotomy GPO. I've placed my computer alone in an OU with this new GPO. I'm trying to clear out the various extraneous settings. The manual settings you found were my attempts to override the annoying three blocking rules. The rules show up on the workstation but don't seem to override the blocking rules as they should (or as I would expect). After a few more surgical attempts I'll completely kill the link of this GPO to the OU my computer is in and see what happens to the firewall settings.

This particular GPO also contains a bunch of application-related stuff. I know it shouldn't, if only for this kind of troubleshooting. I'll try to split out security and application-related settings into two or more GPOs in the future.

Kevin
Kenmore, WA
October 16th, 2009 8:47pm

Nicholas (and whomever else is following this),

I moved my workstation to another OU, then applied a copy of the Lobotomy GPO to this OU. I removed the 4 firewall policies intended to ALLOW remote administration/remote assistance. Very interesting effects of this change:

1. The mystery rules BLOCKING remote admin/assistance disappeared (Yeah!).
2. The Vista firewall is now somehow blocking DNS!! (Boo :( ) This has the added side effect that the workstation cannot detect that it's on the domain network and should apply the DOMAIN firewall policy. In order to get around this I have to manually turn off the firewall. With the firewall off I can reboot and detect the domain. Even under the Domain firewall policy I have to leave the firewall off in order to get DNS responses. There is only one BLOCKING rule on Remote Desktop, and it's assigned to the Private and Public profiles. I cannot yet figure out why or how DNS is being blocked.

The most noticeable Event log entry during boot up is Source DnsApi, Event ID 11164, Level Warning: System failed to register host resource records for network adapter. I can get past this by leaving the firewall off for the Private and Domain profiles during a reboot. Also the NETLOGON service fails... Time-Service Warning ID 129. I'm sure all related to DNS.

My original goal was to allow normal operations in my network with the Vista Firewall enabled. Some progress, but now I have to get the workstation to boot properly and find the network.

Kevin
Kenmore, WA
October 26th, 2009 6:59pm

Update - Found a secure connection isolation rule with source Local setting. I deleted it, and now DNS works with the firewall enabled. I'll have to review the firewall settings and the GPO further after the domain syncs and I get a chance to reboot the workstation. So far this is promising. Now there's the question... Why does deleting 4 "ALLOW" rules in Domain Group Policy also result in the removal of 3 blocking rules listed as Local Group Policy rules? Very strange.

Kevin
Kenmore, WA
October 26th, 2009 7:30pm

O.K. I've actually got rid of the three blocking rules. Not sure exactly how. The last change I made to the Group Policy Object was in Computer/Policies/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile. I set everything to "Not Configured" except Allow inbound remote administration and Allow inbound Remote Desktop.

In the previous GPO I had several of the other settings enabled, including Define inbound program exceptions (with 4 items to support our DMS), Allow ICMP exception, Allow local port exceptions, Define inbound port exceptions (with port 135 TCP enabled), and Allow inbound UPnP framework. I also had Protect all network connections disabled.

One of these settings is somehow causing the blocking rules to materialize... Very weird. It would be rather time consuming to figure out which one. None of these settings would appear from the description to cause three specific blocking rules to appear.

Kevin
Kenmore, WA
October 27th, 2009 12:55am

Hi Kevin,

I am glad to know that it worked. At this time, I also would like to know if there is something I can help with. If you have any questions or concerns, please also feel free to let me know.

Thanks. Have a great day!

Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Nicholas Li - MSFT
October 28th, 2009 1:57pm

I guess the only question is what's causing those weird rules. Group Policy and GP Preferences were supposed to be this huge time savings for network administrators. Seems that everything I want to accomplish in this environment takes a few minutes to implement, then a week or two to figure out why it doesn't work. I spent over a month trying to deploy printers with GPP according to documentation. After discovering over a dozen interesting ways to lock up Vista I had to give up and deploy the printers manually. I'm trying to use the advanced features of Active Directory and Vista. It just seems like I have to work around them more than actually use them. I'm venting a little here, but hopefully this thread is read by someone that can make a difference. I have a Windows 7 system in the lab now. Hopefully it will be better behaved.

Thanks for your guidance.

Kevin
Kenmore, WA
October 28th, 2009 6:12pm

Hi Kevin,

Regarding Group Policy, I would like to share the following resources with you:

* Windows Server Group Policy Home
* Group Policy
* Group Policy Team Blog

Hope they are helpful. If you need some help on a Group Policy related question, it is recommended that you go to our Windows Server Forums for help: Windows Server Forums

Thanks again for keeping in touch.

Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Nicholas Li - MSFT
November 3rd, 2009 7:31am
