cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Windows server 2019 Active Directory GPO's blocked by Windows 10 firewall when forced from the serve

severt
Copper Contributor

‎Jan 19 2019 11:42 AM

‎Jan 19 2019 11:42 AM

Windows server 2019 Active Directory GPO's blocked by Windows 10 firewall when forced from the serve

I work in a small business and and I am the  part time server admin with not much experience.  We are migrating from 2008 R2 to 2019.  I have Windows Server 2019 AD installed in a test environment with two Win 10 PCs.  Everything is a vanilla out of the box installation for both the server and clients.  Built my first GPO to test  Forcing an update of the GPO from the AD server failed.  Turned off the firewall for client 1 and voila, the GPO was deployed when forced from the server.   Later in the day, logged onto client 2 and found that even though the force from the server did not work earlier, my GPO was deployed.  

 

In my searching, I found mentions of inbound RPC rules that can be turned on at the client to allow forcing GPOs from the server.  

 

I just want to confirm that I am not missing something here.  My understanding from this is exercise is:

1.  standard GPO deployment is performed by the local client initiating the process at boot time for computer policies and when an user logs in for user policies

2.  If I want to be able to force updates from the server, then I will need to deploy firewall rules opening up the needed rpc ports on the client for the inbound traffic

 

Do I have this right?  Thanks for any clarifications. 

 

Labels:
11.2K Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by severt (Copper Contributor)
Ed Gallagher

‎Jan 21 2019 07:47 PM

‎Jan 21 2019 07:47 PM

Solution

Re: Windows server 2019 Active Directory GPO's blocked by Windows 10 firewall when forced from the s

There are two separate issues here. Are the clients getting the GPOs and can you force a GPO update of the client from the server.

The clients should get the GPOs applied according to the normal GPO processing methodology:

Group Policy Basics 1Group Policy Basics 2Group Policy Basics 3

Assuming the clients are getting the policies applied through the normal mechanisms, the second issue is whether or not you can force a GPO update from the server. In order to allow the Windows 10 workstation to receive the command from the server, Windows Remote Management needs to be enabled in the workstation (Windows Remote management is enabled by default in the server OS but not in the workstation OS).

The easiest way to do this is to create the starter GPOs in the Group Policy Management Console in the server. There is a starter GPO that enables remote management that you can link to the OU that contains the client systems. Allow that GPO to apply (or trigger it locally on the workstation) and then reboot the workstation. You should then be able to force additional GPO's to apply from the server.

Hope this helps.

Ed Gallagher, MVP

 

 

1 Like
Reply
severt

‎Jan 22 2019 09:08 AM

‎Jan 22 2019 09:08 AM

Re: Windows server 2019 Active Directory GPO's blocked by Windows 10 firewall when forced from the s

Thanks for the info, it was very helpful.

0 Likes
Reply