RPC server unavailable to Group Policy Results Wizard

Hi all,

I find that if I open only the firewall ports for "File and Printer Sharing",
I can use RPC to connect to a network registery using RegEdit.
I can use RPC to view another computers events using Event Viewer.
I can't however use RPC to display the Resulting Set of Policy using the
Group Policy Results Wizard within GPMC.

When I take down the clients firewall, RPC works fine for all these tools.

So the question is: What port do I need to open on the firewall to allow the
Group Policy Results Wizard to do its job? I intend to use XP firewall GPO
for this task (unless someone feels there is GPO more suitable).

Thanks!
--
Bob

RPC uses port 135.

Hope this helps,
--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts

"Bob" <86c6c2e6-(E-Mail Removed)> wrote in message
news:24B1E06D-3C37-433C-A387-(E-Mail Removed)...
> Hi all,
>
> I find that if I open only the firewall ports for "File and Printer
> Sharing",
> I can use RPC to connect to a network registery using RegEdit.
> I can use RPC to view another computers events using Event Viewer.
> I can't however use RPC to display the Resulting Set of Policy using the
> Group Policy Results Wizard within GPMC.
>
> When I take down the clients firewall, RPC works fine for all these tools.
>
> So the question is: What port do I need to open on the firewall to allow
> the
> Group Policy Results Wizard to do its job? I intend to use XP firewall
> GPO
> for this task (unless someone feels there is GPO more suitable).
>
> Thanks!
> --
> Bob

Hello Bob,

Thank you for posting.

Thanks to Louis.

RPC uses TCP 135. And you need to open 445 too.

To do this, you can use the following command:
netsh firewall set portopening tcp 135 RPC enable
netsh firewall set portopening tcp 445 smb enable

If the problem persists, please have a look at the following KB article:
Some programs seem to stop working after you install Windows XP Service
Pack 2
http://support.microsoft.com/?id=842242

Hope this helps.

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

================================================== ===
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
================================================== ===

This posting is provided "AS IS" with no warranties, and confers no rights.

Port 135 is already open (as can be seen below):

C:\>netsh firewall show portopening

Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
135 TCP Enable Remote Procedure Call
80 TCP Enable Virtual Server Port 80
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service

Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
--
Bob

As can be seen below, Port 135 is already open. Port 445 is open via "File
and Printer Sharing".

C:\>netsh firewall show portopening

Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
135 TCP Enable Remote Procedure Call
80 TCP Enable Virtual Server Port 80
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service

Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
--
Bob

I think I might have found the probem. Running the command shown below, it
indicates that the "Remote admin mode" is disabled. This is shown as
disabled regardless if the firewall is enabled or disabled. As I stated
originally, when the firewall is disabled, I can obtain a clients RSoP so
"Remote admin mode" apparently is not necessary. But when the firewall is
enabled, "Remote admin mode" needs to be enabled also.

I believe I am enabling "Remote admin mode" with GPO:
[Computer/Administrative Templates/Network/Network Connections/Windows
Firewall/Domain Profile/Windows Firewall: Allow remote administration
exception]

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
--
Bob

Hi Bob,

Thank you for your update.

I just want to double confirm with you if the problem has been fixed by
enabling Remote admin mode. Sorry for the inconvenience.

Have a nice day.

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

================================================== ===
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
================================================== ===

This posting is provided "AS IS" with no warranties, and confers no rights.

Yes, enabling Remote admin mode is "a" fix. I suppose there are other ways,
but this one is probably the easiest to implement. It might be nice if this
were posted in some KB article.
--
Bob


"John Chen [MSFT]" wrote:

> Hi Bob,
>
> Thank you for your update.
>
> I just want to double confirm with you if the problem has been fixed by
> enabling Remote admin mode. Sorry for the inconvenience.
>
> Have a nice day.
>
> Sincerely,
> John Chen, MCSE, MCSA, MCDBA, MCSD
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ================================================== ===
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> ================================================== ===
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>

Thanks for the follow up!


--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts

"Bob" <86c6c2e6-(E-Mail Removed)> wrote in message
news:7076F80E-6754-4273-9CB7-(E-Mail Removed)...
> Yes, enabling Remote admin mode is "a" fix. I suppose there are other
> ways,
> but this one is probably the easiest to implement. It might be nice if
> this
> were posted in some KB article.
> --
> Bob
>
>
> "John Chen [MSFT]" wrote:
>
>> Hi Bob,
>>
>> Thank you for your update.
>>
>> I just want to double confirm with you if the problem has been fixed by
>> enabling Remote admin mode. Sorry for the inconvenience.
>>
>> Have a nice day.
>>
>> Sincerely,
>> John Chen, MCSE, MCSA, MCDBA, MCSD
>> Microsoft Online Partner Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> ================================================== ===
>> When responding to posts, please "Reply to Group" via
>> your newsreader so that others may learn and benefit
>> from your issue.
>> ================================================== ===
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>>

Hi Bob,

Thank you for your confirmation. I have written an internal KB which is the
beginning of a KB article.

Have a great day!

Sincerely,
John Chen, MCSE, MCSA, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

================================================== ===
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
================================================== ===

This posting is provided "AS IS" with no warranties, and confers no rights.