Duplicated Firewall rule GUID when Copy\Paste GPOs

Symptoms

Consider the following scenario:

1. You create a GPO (call it GPOv1) and configure several Inbound, Outbound and Connection Security Rules under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security.
2. On the DC, in the GPMC.msc console, under the Group Policy Objects folder, right-click GPOv1 and click Copy.
3. Right-click the Group Policy Objects folder and click Paste.
4. A copy of GPOv1 appears. Rename it GPOv2 and link it to the same OU that GPOv1 is linked to.
5. Right-click GPOv2 and click Edit. Locate the existing rules under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security, then rename and modify them.
6. Also create several new rules under Inbound, Outbound and Connection Security Rules, then close the Group Policy Editor window.
7. On the client, run gpupdate /force.
8. Confirm that both GPOv1 and GPOv2 are applied.


In this scenario, you might expect the client to receive a combination of all rules from both GPOv1 and GPOv2. However, only the GPOv1 rules and the new GPOv2 rules are displayed in the client's wf.msc console; the renamed rules in GPOv2 (the ones inherited from GPOv1) are missing.
If you go back to GPMC.msc, adjust the link order so that GPOv2 is moved up, and run gpupdate /force on the client again, only the GPOv2 rules are applied and the GPOv1 rules are not.

Cause

Each firewall rule policy is represented by one sub-key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules.
The GUID is the unique ID of a single rule. The inherited firewall rules were not given new GUIDs; they kept the same GUIDs as the rules in the original GPO.

If two Group Policies contain a firewall rule with the same GUID, the one applied later overrides the one applied earlier.
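As an added example (not from this article), the following Python audit script detects this condition on the DC side before clients are affected: it parses each GPO's Machine\registry.pol (the file in SYSVOL, under Policies\{GPO-GUID}\Machine\, that carries these FirewallRules entries, each named by its rule GUID) and reports every rule GUID that more than one GPO sets. The two GPO blobs are constructed inline to mirror the GPOv1/GPOv2 scenario; the GUIDs and rule strings are placeholders, and the key path is the one this article names.

```python
import struct
# registry.pol: "PReg" + version DWORD 1, then entries [key;value;type;size;data] with [ ; ] as UTF-16LE
# characters, key/value as NUL-terminated UTF-16LE strings and type/size as little-endian DWORDs.
PREG_HEADER = b"PReg" + struct.pack("<I", 1)
FIREWALL_RULES_KEY = r"SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules"
REG_SZ = 1
GUID_A, GUID_B, GUID_C = ("{aaaaaaaa-0000-4000-8000-00000000000%d}" % i for i in (1, 2, 3))  # constructed placeholders

def parse_registry_pol(data):
    """Return [(key, value_name, reg_type, payload_bytes), ...] from a registry.pol blob."""
    if data[:8] != PREG_HEADER: raise ValueError("not a version-1 registry.pol file")
    def expect(p, ch):  # consume one UTF-16LE delimiter character, failing loudly on a malformed file
        if data[p:p + 2] != ch.encode("utf-16-le"): raise ValueError(f"expected {ch!r} at offset {p}")
        return p + 2
    def read_wstr(p):  # NUL-terminated UTF-16LE string, scanning on 2-byte boundaries
        q = p
        while data[q:q + 2] != b"\x00\x00": q += 2
        return data[p:q].decode("utf-16-le"), q + 2
    entries, pos = [], len(PREG_HEADER)
    while pos < len(data):
        key, pos = read_wstr(expect(pos, "["))
        name, pos = read_wstr(expect(pos, ";"))
        reg_type, size = struct.unpack_from("<I2xI", data, expect(pos, ";"))  # DWORD type, ';', DWORD size
        pos = expect(pos + 12, ";")
        entries.append((key, name, reg_type, data[pos:pos + size]))
        pos = expect(pos + size, "]")
    return entries

def firewall_rule_guids(pol):
    """Map rule GUID (the registry value name) -> rule string for every firewall rule the GPO sets."""
    return {name: payload.decode("utf-16-le").rstrip("\x00")
            for key, name, reg_type, payload in parse_registry_pol(pol)
            if key.lower() == FIREWALL_RULES_KEY.lower() and reg_type == REG_SZ}

def find_duplicate_rule_guids(gpos):
    """gpos: {gpo_name: registry.pol bytes} -> {guid: [gpo names]} for every GUID set by more than one GPO."""
    owners = {}
    for gpo_name, pol in gpos.items():
        for guid in firewall_rule_guids(pol):
            owners.setdefault(guid, []).append(gpo_name)
    return {g: names for g, names in owners.items() if len(names) > 1}

def sample_gpos():
    """Constructed sample: GPOv2 was pasted from GPOv1, so its inherited (even renamed) rules keep GPOv1's GUIDs."""
    def rule(name, port):  # one rule value in the pipe-delimited form the editor writes (REG_SZ, NUL-terminated)
        return f"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort={port}|Name={name}|".encode("utf-16-le") + b"\x00\x00"
    def pol(rules):  # writer side of the format above: encode {guid: rule bytes} as a registry.pol blob
        u = lambda s: s.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated UTF-16LE string
        return PREG_HEADER + b"".join(b"[\x00" + u(FIREWALL_RULES_KEY) + b";\x00" + u(g) + b";\x00" + struct.pack("<I", REG_SZ)
                                      + b";\x00" + struct.pack("<I", len(r)) + b";\x00" + r + b"]\x00" for g, r in rules.items())
    return {"GPOv1": pol({GUID_A: rule("Web", 80), GUID_B: rule("RDP", 3389)}),
            "GPOv2": pol({GUID_A: rule("Web-renamed", 8080), GUID_B: rule("RDP", 3389), GUID_C: rule("SSH", 22)})}
```

To run it against real policies, read each GPO's Machine\registry.pol from SYSVOL into the dictionary passed to find_duplicate_rule_guids; any GUID it reports will be overridden on clients exactly as described above.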

Workaround

Workaround 1:

Copy and paste the GPOs, but delete the inherited firewall rules and create new ones.


Workaround 2:

Do not copy and paste GPOs to apply firewall rules; create the GPOs one by one.

Workaround 3:

In the Group Policy Management Editor, go to
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\<LDAP:object of the original copy>
Right-click it and export the policy to a .wfw file, then use that file as the source for importing into a separate destination policy, without copying and pasting the GPO.



Registry Key Information

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules

Article ID: 2761165 - Last Review: 24 Sep 2012 - Revision: 1
