
Can't use NIS2008 firewall when logged in as domain admin (with local admin privs) on Vista SP1.

I just installed NIS2008 on a Vista SP1 machine, which is joined to a WS2003 domain.

What I find is that when I'm logged into a local-only account that has admin privs on the machine in question, everything in NIS works normally. I get popups when I run a new application which allows me to accept or reject the network traffic, and rules get automatically created in the program list for the firewall, and everything's happy.

However, when I'm logged in with my domain account (which is a domain admin, and which also explicitly has local admin privs on this machine), then the firewall is a mess.

1) No popups occur ever.

2) When I run a new app, the NIS log shows that "the user, this once, opted to reject communications blah blah blah." so that I never get the option to add my apps to the firewall - in fact, what happens is the rule gets auto-added with specific types of communication permitted, but even that type of communication is explicitly rejected with the log messages above and the apps simply fail.  The only thing that works, short of disabling the firewall altogether, is to go to the program list and to change all "Auto" apps to "Allow" by hand - which of course gives them completely unfettered access.

I did find a knowledge base article which appeared to address this problem, but all it said to do was to add the domain user account to the local admins group, but since that account is already a member of that group, this was no help.

Tech support was also of no help.  In fact, the tech support guy in the chat/remote session chose to reboot my machine and cut off the session when he ran out of ideas, which I found unbelievably unprofessional.  I do have the transcript, however.

I'm hoping someone here can help me find a way to make this work; it's not feasible to not use my domain account for normal work.


Thanks,

Andy

Replies

Accepted Solution

Re: Can't use NIS2008 firewall when logged in as domain admin (with local admin privs) on Vista SP1.

Think I found a solution using this post: http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=1122#M1122.

However, unlike the claim in this post, I did have to do some logging in/logging out to the "shadow" local account to get it properly recognized as an admin account, and after logging back into the domain account, popups and rules appear to be functioning correctly without "hidden" rejections getting applied without asking me first. :-)

The KB article on Symantec.com should probably be updated, as simply adding the domain account to the local admins group does not appear to be sufficient to solve this problem.  I really think this should be investigated for the next release so that this workaround is not required.

Message Edited by andrewsi on 07-30-2008 11:56 AM

Re: Can't use NIS2008 firewall when logged in as domain admin (with local admin privs) on Vista SP1.

Thanks for the additional information. I've flagged your message for a Norton Staffer to see and use the information. Watch out for someone with their name in red .....
Hugh

Re: Can't use NIS2008 firewall when logged in as domain admin (with local admin privs) on Vista SP1.

Hi andrewsi,

Thank you very much. Which specific KB article should be updated? We want to be sure we're communicating the issues effectively, so any information you provide is appreciated. Thanks! 

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

Re: Can't use NIS2008 firewall when logged in as domain admin (with local admin privs) on Vista SP1.

The document ID is as follows: Document ID: 2008042902410479

 

This KB states that all you need to do is add the domain user name to the local administrators group.  As mentioned above, this doesn't cure anything, unfortunately - you have to actually add a second, local-machine-only user account to the box, with the same name and password as the domain account.  After logging into that account at least once, and then back to the domain account, then it seems that Norton will behave correctly.


Thanks!

Andy


Re: Can't use NIS2008 firewall when logged in as domain admin (with local admin privs) on Vista SP1.

Thanks Andy. The team is evaluating the additional information to see if it should be included in the document.
Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation
