Use Netsh to Configure GPOs

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Most of the procedures in this guide use the Windows Firewall with Advanced Security user interface in the Group Policy Management Editor to create and configure settings in GPOs. The settings for GPOs for Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 can also be configured from a command prompt or a batch file by using the advfirewall context of the Netsh command-line tool. The use of Netsh was supported in earlier versions of Windows for local firewall and IPsec configuration, but Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 allow you to use the command to configure a GPO. The following procedure shows you how to configure a Netsh session to save its changes to a GPO instead of to the currently active firewall and IPsec configuration on your computer.

Important

The procedure applies only to settings for GPOs for Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2. Netsh commands for earlier versions of Windows do not support saving changes to a GPO.

For more information, see Netsh Commands for Windows Firewall with Advanced Security (https://go.microsoft.com/fwlink/?linkid=111237).

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure Netsh to save changes to a GPO

  1. Start a command prompt as an administrator.

  2. Start Netsh by running the following command:

    netsh
  3. Switch to the advfirewall context by running the following command:

    advfirewall
  4. Specify the GPO that the commands you run in a Netsh session should modify by running the following command:

    set store gpo="domain.example.com\gpo_name"

    where domain.example.com is the name of your Active Directory Domain Services (AD DS) domain, and gpo_name is the name of the GPO you want to modify. The quotation marks are required if there are any spaces in the GPO name.

    If Netsh returns Ok, then it found and successfully connected to the GPO. The commands you enter are run against the contents of the GPO, instead of the current configuration of the local computer. This remains in effect until you change the output with another set store command or you end the Netsh session.

  5. Run the commands that configure the rules and settings required by your design.
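The following batch file is an added example that is not part of the original article; it shows the whole procedure above run unattended rather than typed interactively. Because the store selected with set store lasts only for the Netsh session that set it, the commands are written to a Netsh script file and executed in a single session with netsh -f. The domain name corp.example.com, the GPO name Firewall Baseline, the management subnet 10.0.10.0/24 and the rule name are constructed placeholders; replace them with your own values.

```batch
@echo off
rem Added example (not from the original article). Assumes the GPO "Firewall Baseline"
rem already exists in the AD DS domain corp.example.com (both are placeholders) and
rem that this runs from a command prompt started as a member of Administrators.
setlocal

set "GPO_STORE=corp.example.com\Firewall Baseline"
set "NETSH_SCRIPT=%TEMP%\firewall-gpo.netsh"

rem Write one Netsh script: every line is exactly what you would type at the netsh> prompt.
rem Parentheses are avoided inside the echoed text so they cannot close this block early.
> "%NETSH_SCRIPT%" (
    echo advfirewall
    echo set store gpo="%GPO_STORE%"
    echo set allprofiles state on
    echo set allprofiles firewallpolicy blockinbound,allowoutbound
    echo firewall add rule name="Remote Desktop - management subnet only" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.10.0/24 profile=domain
    echo show store
)

rem Run every line in one Netsh session so the GPO store chosen by "set store" stays in
rem effect for the commands that follow it. "show store" at the end echoes the active
rem store, so the output confirms the rules went to the GPO and not to the local policy.
netsh -f "%NETSH_SCRIPT%"

del "%NETSH_SCRIPT%"
endlocal
```

If set store cannot find the GPO (for example a misspelled name, or missing permission on the GPO), Netsh does not print Ok and the later commands fall back to the local computer's configuration, which is why the script ends with show store: check that the displayed store names the GPO before trusting the result.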