Since the release of Windows XP SP2, file and printer sharing has been blocked by default in the Windows firewall.
This creates a problem for many of our tools and products. For example, our remote USB disabler cannot do its work without remotely writing the appropriate registry keys. Our Remote Control product cannot automatically install its agent without file and printer sharing. They all use this to do their magic. We are not the only ones – psexec from SysInternals needs file and printer sharing too.
There are hundreds if not thousands of tools used by IT administrators that require file and printer sharing enabled in the firewall.
If you have 10 computers it is an easy fix. You simply walk around to each of them and add an exception in the firewall. Simple. Done.
If you have 100s of computers spread across 3 states…you now have a much more difficult problem. You could write a script that executes at login. The trouble with this idea is that every user would need full administrator access to their own machine. This type of access is getting pretty rare these days, so I don’t even consider it an option.
The best method is group policy. I am going to walk you through it. My example uses Windows 2003 Server. Those of you with 2008 will find that it is almost exactly the same. If you have 2000 Server…well…you have your hands full anyway and shouldn’t even have time to read this article.
Start out by getting on your domain controller. Open “Active Directory Users and Computers”. You need to determine what group of machines your policy is going to be applied to. Some organizations will have computers under many different OUs.
To keep things simple I am going to change the group policy for the entire domain.
Right click on the domain name and go to properties:
This will bring up a properties window. Move to the Group Policy tab, select the policy you want to edit (in our case, the Default Domain Policy) and press the Edit button.
This is a computer policy (it applies to computers, not to specific users), so drill down to:
Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall
You will notice two sections under this area: a domain profile and a standard profile. A machine automatically determines which profile to use from the type of network it is connected to. Directly from Microsoft, they are defined in this way:
* Domain profile: The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.
* Standard profile: The standard profile is the set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when an organization laptop computer is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop computer is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.
So generally speaking, I suggest only making these changes to the Domain Profile. You don’t want your sales guys hooking up to a hotel network with their file and printer sharing fully accessible.
Selecting the domain profile, and looking on the right we see what we need – “Windows Firewall: Allow file and printer sharing exception”
There are two items you need to set. First set the radio button to Enabled, then fill out the filter value below it. The filter tells the policy which computers are allowed to connect to the machine. For our example I will put *
This value allows any computer to connect. Click OK, and allow some time to pass (15 to 30 minutes). Then your computers will pick up the new policy. If you are impatient you can go to the command line on the server and your test machine. Type: GPUPDATE /force
If I hop on one of my Vista machines we can see that it has accepted the policy:
Perfect. Now I can terrorize my programmers by rebooting all of their machines at the same time using Network Administrator 🙂
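To confirm from a client that the policy arrived, and to catch the two settings this article cautions about (the exception on the standard profile, and a * filter), you can read the policy's registry values. This is an added example, not part of the original post; the function names are hypothetical, and it assumes the policy key the Windows Firewall administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall.

```powershell
# Added example: audit the file and printer sharing firewall policy on one client.
# The key path and value names are the ones the Windows Firewall administrative
# template writes; function names and finding texts are this example's own.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FpsPolicy {
    param([string]$ProfileName)   # 'DomainProfile' or 'StandardProfile'
    $key = "$PolicyRoot\$ProfileName\Services\FileAndPrint"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProfileName     = $ProfileName
        Enabled         = ($null -ne $p -and $p.Enabled -eq 1)
        RemoteAddresses = [string]$p.RemoteAddresses   # empty when the key is absent
    }
}

function Test-FpsPolicy {
    param($Policy)
    if (-not $Policy.Enabled) { return }   # exception not pushed by policy
    if ($Policy.ProfileName -eq 'StandardProfile') {
        'exception is enabled on unmanaged networks (standard profile)'
    }
    # The filter is "*" or a comma-separated list of scopes.
    $scopes = $Policy.RemoteAddresses -split ',' | ForEach-Object { $_.Trim() }
    if ($scopes -contains '*') {
        'filter is *, so any address may connect'
    }
}

# Live check on the machine this runs on.
foreach ($name in 'DomainProfile', 'StandardProfile') {
    $policy = Get-FpsPolicy -ProfileName $name
    $issues = @(Test-FpsPolicy -Policy $policy)
    [pscustomobject]@{
        Profile  = $name
        Enabled  = $policy.Enabled
        Filter   = $policy.RemoteAddresses
        Findings = $issues -join '; '
    }
}

# Constructed samples (not read from a real machine): a scoped filter produces
# no finding, the "*" filter is reported.
$scoped = [pscustomobject]@{ ProfileName = 'DomainProfile'; Enabled = $true; RemoteAddresses = '10.0.5.0/24,localsubnet' }
$open   = [pscustomobject]@{ ProfileName = 'DomainProfile'; Enabled = $true; RemoteAddresses = '*' }
Test-FpsPolicy -Policy $scoped
Test-FpsPolicy -Policy $open
```

Besides *, the filter field accepts a comma-separated list of IP addresses, subnets (the 10.0.5.0/24 above is a made-up value) and the keyword localsubnet, which narrows who can reach the shares.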
{ 11 comments… read them below or add one }
Hi Steve. I appreciate you posting this article, however when drilling down in Default Domain Policy Properties, I have Computer Configuration -> Administrative Templates -> Network…then under Network my only choices are “Offline Files” and “Network and Dial-up Connections”. I see nothing about Windows Firewall in either of those folders. Any ideas? Thanks.
Chris
Hi Steve,
This is Great !!! Works like a charm.
I want to forcefully push gpupdate to users using GP; what and how to configure that?
Please email me the link.
Thanks,
Aamir
I don’t think you can use GP to force a GP update. You could have a login script that is run by the users…something along these lines:
gpupdate /force
But if I remember correctly…this is different on Windows 2000. So you may need to research and find out if this will work for your environment.
Great article! Worked like a charm! Thanks a bunch and keep up the good work!
Is there any way to turn F&P Sharing on with a GPO? It doesn’t do me much good to modify the firewall if F&P Sharing isn’t running in the first place.
Thanks,
Steve
I don’t think so. This has always been an issue with file and printer sharing. It is even more difficult to fix with a script since this setting is attached to each network card.
Steve,
I read your post.
Windows 7 SP1 (or another recent update) has caused an unusual problem. I have ‘File and Print Sharing’ enabled and correctly defined on my SBS2003 box. For the last month or so, my printer is no longer accessible. When I checked the settings on the local computer, it has ‘File and Print Sharing’ turned off and I can’t turn it on.
Even though the group policy is correct, it won’t turn on locally. Is there an MS update to Win 7 that has caused this issue?
Steve,
Just to clarify, when I said the F & PS was correctly defined on the SBS2003 box, I meant in the group policy settings.
Hi Ben,
What about your firewall settings? Is there an exception for it? If not it will be blocked. It is entirely possible that an update blocked it again in the firewall settings.
Hi Steve, great job you’re doing here…
I need a rescue here.. I got me a product that only works when some ports and services are opened in an AD environment. Ain’t no Windows guy, all of the Windows AD crew we’ve interfaced with tends to have issues sorting this out..
I’m now here for a rescue..
The ports I needed opened are: 135, 137, 139 and 445
Services are Remote Registry Service, Remote Procedural Call (LOCATOR) service and Server services..
How do I get these stuffs (ports and services) opened via GPO?
Hi,
You don’t need to open those ports. Windows automatically opens these ports when you pick “File And Printer Sharing”. This is the best way since different configurations of Windows will possibly use different ports.
The RPC service, and server services don’t need to be touched. Remote registry is the only one you need to start and set to automatic…which once file and printer sharing is open you can use Network Administrator to do that with the service management plugin.