Create Firewall Rules with Active Directory GPO

Current work on Desktop Management software made me do this quick guide on how to open some ports for all computers in your domain via GPO.

Before we begin

Situation is simple – I have a domain informatiker.local with domain controller, and I wish to open ports 135, 139 and 445 on all my desktop machines inside domain.

Instead of going from PC to PC and doing it manually, it can be done via domain group policy.

How to open port in windows firewall via GPO

In my domain I have OU named UserPCs – inside that OU are two computers that belong to my users inside domain – Client1 and Client2. I will open new firewall ports for these two PCs via GPO.

On domain controller open Group Policy Management and right click on UserPCs (you will click on OU you wish to apply this rule to). Select – Create GPO in this domain, and Link it here…

I will name New GPO Firewall and click OK

Click on created group and select Edit

We need to navigate to Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Defender Profile | Domain Profile (depends to which profile your user PCs are connected to) | Select Windows Defender Firewall: Define inbound port exceptions

After Windows Defender Firewall: Define inbound port exceptions rule opens – select Enabled, read through Options and Help screen and then click on Show…

In show screen we will define our exceptions. This is how I will define mine

139 marks port I want to open, TCP means that port goes through TCP traffic, localsubnet (will be allowed), enable – rule will be enabled and SMBforDesktop… is a description of the rule.

139:TCP:localsubnet:enabled:SMBforDesktopEngine
135:TCP:localsubnet:enabled:SMBforDesktopEngine135
445:TCP:localsubnet:enabled:SMBforDesktopEngine445

After you are done – click on OK, Apply, OK and close all the windows.

Ok, let’s quickly go to my client machine (Client1) and open cmd as admin

type in

gpupdate /force

And let’s check the firewall now… All the ports that we defined are opened!

That is it, we are done.

Disclaimer