Can't ping Vista

Hi,

I have XP and Vista machines on a domain and all machines come under the
same GPO's (which include firewall settings). These are the same GPO's that
have been in place when only XP workstations were in the environment. i.e.
I didn't make any modifications for Vista.

When I enable certain GPO's and disable others (which the combination shuts
off the workstation firewalls), I can ping all the machines.

When I turn on the firewalls via policy, they all turn back on again, but I
can no longer ping the Vista machines.

"File and Printer Sharing" is opened as part of the policy and it is my
impression that this is the one that allows me to ping the machines.

Any idea why I can't ping the Vista machines when the firewall is turned on?

ALSO: In Vista's firewall.cpl, they all state that the firewall is on, but
the recommended settings are not in place. When I click the link "Update
settings now", the warning goes away. What does "Update settings now" do?
I wouldn't think it could do anything as the firewall is controlled by
domain policy and all the settings are grayed out when the firewall is on.

Thanks!

---
Bob

I haven't looked at this for a while, but as far as I can remember there are
more granular settings for the firewall available on Vista and one of them
was regarding ICMP/ping. You'll need to turn off your GPO to view the
settings though to be able to check what the settings are on the Vista
machine and modify them until you can ping the box. I assume that it would
be possible to manage these settings via the GPO once you've determined which
ones to check/uncheck

"Bob" wrote:

> Hi,
>
> I have XP and Vista machines on a domain and all machines come under the
> same GPO's (which include firewall settings). These are the same GPO's that
> have been in place when only XP workstations were in the environment. i.e.
> I didn't make any modifications for Vista.
>
> When I enable certain GPO's and disable others (which the combination shuts
> off the workstation firewalls), I can ping all the machines.
>
> When I turn on the firewalls via policy, they all turn back on again, but I
> can no longer ping the Vista machines.
>
> "File and Printer Sharing" is opened as part of the policy and it is my
> impression that this is the one that allows me to ping the machines.
>
> Any idea why I can't ping the Vista machines when the firewall is turned on?
>
> ALSO: In Vista's firewall.cpl, they all state that the firewall is on, but
> the recommended settings are not in place. When I click the link "Update
> settings now", the warning goes away. What does "Update settings now" do?
> I wouldn't think it could do anything as the firewall is controlled by
> domain policy and all the settings are grayed out when the firewall is on.
>
> Thanks!
>
> ---
> Bob
>
>
>

By design, if the file and printer sharing is enabled, you should be able to
ping. If not, you may need to modify the inbound rule. This how to may help.

Vista How toHow to enable ICMP to reply a ping · How to: Enable Remote
Desktop On Vista · How to: Enable telnet on Vista · How to: Enabling ICS on
Vista ...
www.howtonetworking.com/vista/vista.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Bob" <86c6c2e6-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I have XP and Vista machines on a domain and all machines come under the
> same GPO's (which include firewall settings). These are the same GPO's
> that have been in place when only XP workstations were in the environment.
> i.e. I didn't make any modifications for Vista.
>
> When I enable certain GPO's and disable others (which the combination
> shuts off the workstation firewalls), I can ping all the machines.
>
> When I turn on the firewalls via policy, they all turn back on again, but
> I can no longer ping the Vista machines.
>
> "File and Printer Sharing" is opened as part of the policy and it is my
> impression that this is the one that allows me to ping the machines.
>
> Any idea why I can't ping the Vista machines when the firewall is turned
> on?
>
> ALSO: In Vista's firewall.cpl, they all state that the firewall is on, but
> the recommended settings are not in place. When I click the link "Update
> settings now", the warning goes away. What does "Update settings now" do?
> I wouldn't think it could do anything as the firewall is controlled by
> domain policy and all the settings are grayed out when the firewall is on.
>
> Thanks!
>
> ---
> Bob
>

Okay, I did some more checking and this looks very strange.

First off, I've 5 Vista machines. Four are real and one is virtual. The
virtual has no problem, just the real ones do.

My GPO at "Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile\Windows Firewall: Allow file and printer sharing
exception" is enabled. I checked this with the old gpmc.msc in 2003 and the
new gpmc.msc in Vista. They both match, so I see no problem here.

On one of the failing Vista machines I confirmed that "File and Printer
Sharing" exeption is enabled per group policy by going to firewall.cpl. I
also ran rsop.msc and this looks fine too.

I viewed these two keys in the Vista machine:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\S tandardProfile\Services\FileAndPrint!Enabled,

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\S tandardProfile\Services\FileAndPrint!RemoteAddress es

And I see "Enabled" is set to "1" and "RemoteAddresses" is blank.

I then manually changed "Enabled" to "0" and ran "GPUPDATE /FORCE" and it
was reset back to "1" again (as I would expect it to).

In summary: Everything I mention above is working as I would expect it to.

But here is where it gets strange.

Back at firewall.cpl in my Exceptions tab, I enabled the "File and Printer
Sharing" that is NOT controlled by group policy. When I do this, I can now
ping Vista!

I also checked the keys mentioned above, and I don't see them change when I
change the non-group policy version of "File and Printer Sharing".


So, it seems that the keys I mention above are controlled by group policy,
but Vista doesn't seem to care about them. When I change the non-group
policy version of "File and Printer Sharing" these keys are not changed with
it. Therefore I must conclude that the non-group policy version of "File
and Printer Sharing" is changing some other keys that I am unaware of.

Any ideas out there on what is going on?

Thanks,

Bob.

...oops, I have to take back that exeption with the virtural machine version
of Vista. I was working because it had the non-group policy version of
"File and Printer Sharing" enabled. Once I shut that off, it now fails like
the rest.