Accessing SAM database in a secure manner
I've written a script to check the members of the Remote Desktop Users group on the computers in our domain. I'm using the same method I've seen in every sample script I've looked at that accesses the SAM database.
Set objGroup = GetObject("WinNT://computerxyz/Remote Desktop Users,group")
I've encountered problems with the computers that have the Windows Firewall enabled. Through research, I found that the command uses port 445 to accomplish the task. I know I can write a GPO to enable 445 for the domain profile only, but I'm
concerned that port 445 has been exploited in so many viruses. Even if I limit port 445 to the domain profile, I'm still opening a door for potential issues. Is there a more secure way to accomplish
November 25th, 2013 1:48pm
Hi Ken,
This isn't really a scripting question per se. If you need to access remotely, then you need to access somehow through the firewall. You should be able to configure the firewall by using a correct GPO. Just having the port open doesn't mean the computer
is vulnerable--access is still governed by security policy (such as group membership, etc.).
Bill
November 25th, 2013 2:05pm
The ports required in a domain must be open by default to allow AD to work. AD is ADSI. GetObject("WinNT://... is ADSI.
I suspect you are misinterpreting things or your error.
You say you have problems but fail to share the full error message. If you have access denied it is not likely the firewall. Authentication issues can block you due to clock skew errors.
November 25th, 2013 2:36pm
If you are blocking SMB traffic on port 445 for some reason (which I wouldn't recommend, but that's your call), you can try using PowerShell over WSMAN (or WMI, though it uses DCOM / RPC and might be on your black list of standard ports as
well).
November 25th, 2013 2:43pm
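An added example (not code from the thread) of the WSMAN route suggested above: the group lookup runs on the remote computer over WinRM (TCP 5985), so the WinNT provider reads the local SAM and no SMB connection on 445 is needed from the management box. It assumes WinRM is enabled on the targets, that the caller is a local administrator there, and that the computer names are placeholders.

```powershell
# Added example, not from the original post. Enumerates the local
# "Remote Desktop Users" group over WinRM instead of ADSI over SMB/445.
param(
    [string[]]$ComputerName = @('computerxyz')   # placeholder host names
)

# Executes ON the target: "WinNT://." is the target's own SAM, so the only
# network path is the WinRM session (the ADSI call itself is the same one
# the thread's script uses, just run locally).
$remoteBlock = {
    $group = [ADSI]"WinNT://./Remote Desktop Users,group"
    $group.Invoke('Members') | ForEach-Object {
        # ADsPath gives "WinNT://DOMAIN/name", so domain and local accounts
        # are distinguishable in the report.
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($computer in $ComputerName) {
    # Test-WSMan fails fast when 5985 is closed, so a host that is blocked
    # by the firewall is reported instead of silently skipped.
    try {
        $null = Test-WSMan -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "$computer : WinRM not reachable ($($_.Exception.Message))"
        continue
    }
    try {
        $members = Invoke-Command -ComputerName $computer `
                                  -ScriptBlock $remoteBlock -ErrorAction Stop
        foreach ($m in $members) {
            New-Object PSObject -Property @{ Computer = $computer; Member = $m }
        }
    } catch {
        Write-Warning "$computer : query failed ($($_.Exception.Message))"
    }
}
```

Pipe the output to Export-Csv to keep the same per-computer report the ADSI script produced; hosts that answer on neither 445 nor 5985 show up only as warnings.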
Let me be more specific. The script is running within the domain. No hardware firewall is involved, only the Windows firewall. When the GetObject encounters a computer with the Windows firewall active and using default settings,
it fails. The host cannot be found. The other computer does not reply because port 445 is blocked for the Windows firewall. If I turn off the domain profile on the Firewall, the script succeeds. Rather than turn it off entirely, I wrote
a GPO rule to allow port 445 for the domain profile only and that allows the script to run. 445 is the issue. However, when I researched this, I found that Conficker and many other viruses spread by use of port 445 and it was recommended that 445
be disabled. This was the advice of virtually every site I looked at.
I posted the question in the scripting section because I'm looking for an alternate method to accomplish this in my script.
November 25th, 2013 4:15pm
You can't disable port 445 and use an ADSI script. Yes, blocking incoming connections to port 445 will prevent malicious code from connecting remotely, but it will also disable remote administration to that computer. It's kind of like saying, "I want to
block all web sites, but then people can't get to any web sites."
Alternatively, you can use group policy and use restricted groups. That may be the most appropriate solution in your scenario.
Bill
November 25th, 2013 4:23pm
It sounds different than that even. It sounds like some machines work and some don't. This sounds like the machines are not properly joined to the domain. Joining the domain on Vista and later opens the firewall ports if no Group Policy
is overriding. Only registry and WMI and a few others are not opened. In many setups I have seen 445 is open if the machine is Windows 7 at the time we join the domain. I have not set up the firewall on GP on this domain. The domain profile
will be selected and I am sure that enables remote management.
I think a little more investigation here might find the answer. Start by checking a machine and be sure the firewall is set to "Domain Profile". I would then check GP using GP results to see if a policy is being applied or failing.
Are there any routers in between? How about bridges? These can both act like firewalls. Same with a VPN attachment.
November 25th, 2013 4:49pm
I've done my testing on a second Windows 7 computer on my desk. If the firewall is enabled (manually, not by GPO) with default settings, the script tells me that the host cannot be found. If I turn off the domain profile in the firewall,
the script is able to retrieve the members of the local Remote Desktop Users group. If I turn the domain profile back on and apply a GPO to enable port 445 on that computer, the script runs properly. Both computers are connected to the same
switch in the data center next door.
November 25th, 2013 6:34pm
Try to reread your statement. It does not make complete sense.
What does "Turn off the domain profile" mean? You cannot turn off a profile. You can turn OFF the firewall. You cannot turn off the profile. You can, under some circumstances, change the profile.
GP has a setting for the firewall that says "open management ports". This wants to be set. You want all management ports open. This will override any config errors on the client.
November 25th, 2013 6:52pm
Do you have file and print sharing enabled on these machines? If so, Windows Firewall should already be configured with the "File and Printer Sharing (SMB-In)" rule enabled in your domain profile. That's how 445 typically gets opened.
November 25th, 2013 6:58pm
Admin policies:
Policy Setting Comment
Windows Firewall: Allow inbound remote administration exception
November 25th, 2013 7:01pm
You have to assume that someone enabled the Firewall for a reason and not just blindly disable a firewall, even if it was ill conceived as to why.
However, you should be able to enable a specific port and limit the scope that needs access to it from your management machine via the GPO. This will allow the Firewall to remain up and allow access to that port from the specific IP of the box limiting
your perceived exposure level.
November 25th, 2013 7:42pm
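An added example (not from the thread) of the scoped rule described above: instead of opening 445 to every peer in the domain profile, the inbound SMB rule is limited to the management station's address. It assumes a Windows 7 client where netsh is run as an administrator; the same remote-address scope can be set on the equivalent GPO inbound rule. 10.0.0.5 is a placeholder management-station address.

```powershell
# Added example, not from the original post. Scopes the SMB-In rule to the
# management host so the firewall stays on but only that host reaches 445.
$mgmtHost = '10.0.0.5'   # placeholder: address of the box running the script

# First confirm which profile is active; a domain-joined client that reports
# a non-domain profile will not pick up domain-profile rules at all.
netsh advfirewall show currentprofile

# Wide-open variant the thread warns about: any domain-profile peer may reach 445.
# netsh advfirewall firewall add rule name="SMB-In (any)" dir=in action=allow protocol=TCP localport=445 profile=domain

# Scoped variant: only the management station may connect to 445.
netsh advfirewall firewall add rule name="SMB-In (mgmt only)" dir=in action=allow `
    protocol=TCP localport=445 profile=domain remoteip=$mgmtHost

# Verify the effective rule, including the RemoteIP field, before rolling it out via GPO.
netsh advfirewall firewall show rule name="SMB-In (mgmt only)" verbose
```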
C'mon - on XPSP3 and later the Firewall is enabled by default. It is not optional and no one enables it. Adding a machine to a domain opens some ports. Enabling file and printer sharing opens other ports. The guidance on enabling
certain remote functions was, at Vista, to enable file sharing. That was before all of GP was set up. Now most functions are enabled when joining the domain with some exceptions.
No - the firewall is always enabled in Vista and later.
November 25th, 2013 7:52pm
To restate the obvious: If you want to administer the machine remotely, then you have to allow the machine to be administered remotely. The firewall rule David Wyatt mentioned (file and printer sharing SMB-in) needs to be in place if the firewall needs to
be enabled.
Bill
November 25th, 2013 8:07pm
There are three profiles in the firewall: domain, home or work, and public. You can turn the profiles on or off, or configure them independently of one another. I can turn off the domain firewall for when my notebook is on the office
network, but leave the public on for when I travel. This is what I mean.
I'm relatively new in the office. I don't know why some computers have the firewall on and others do not. There may or may not be a reason. It could be nothing more than who built the computer.
The debate over whether or not to use the firewall on the domain aside: the upshot of what I'm hearing is that there is no other means of getting the information I'm needing. Agreed?
November 25th, 2013 8:44pm
This really isn't a scripting issue but a computer/GPO configuration issue. It is preferred to put the needed firewall configurations in a GPO that applies to the computers in question.
Bill
November 26th, 2013 10:25am