Understanding the New Default IP Security Policies Container Permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domain-based IPSec objects are stored in the IP Security Policies container in Active Directory, which is separate from the Group Policy objects (GPOs) to which the IPSec policies are applied. By default in Windows Server 2003, Active Directory restricts Read permissions on the IP Security Policies container more than in Windows 2000. In Windows Server 2003, only members of the Group Policy Creator Owners and the Domain Computers groups have Read permissions on the IP Security Policies container. The domain administrator must grant permissions to the IP Security Policies container for other delegated administrators to administer IPSec policies.

If you perform a new installation of Windows Server 2003 and create a domain controller, the domain controller will have the following new default permissions on the IP Security Policies container:

  • Owner: Domain Admins

  • Group: Domain Admins

  • Allow Domain Computers: Read only

  • Allow Group Policy Creator Owners: Read only

  • Allow Domain Admins: Full Control

When you run the Adprep tool (available in the I386 directory on the Windows Server 2003 product CD) to prepare Windows 2000 domains and forests for an upgrade to Windows Server 2003, it changes the permissions on the IP Security Policies container to these new settings, unless you have already changed the default permissions. When you create new objects in the IP Security Policies container, those objects inherit the permissions of that container. Upgrading from Windows 2000 does not modify the permissions on existing IPSec policy objects.

Due to the more restrictive permissions in Windows Server 2003, a member of the Domain Admins group must explicitly allow the assignment of an IPSec policy to child domains within a forest by enabling child domain computers to read the IP Security Policies container in the directory. For these computers to retrieve domain-based IPSec policy from Active Directory, the Local System account for each computer must have Read permissions on the IP Security Policies container. If computer accounts in child domains must read a parent domain-based IPSec policy, you must modify the permissions on the IP Security Policies container to allow this.

Make sure to carefully control Modify access to the IP Security Policies container. Do not assign specific permissions for individual IPSec policies. The IPSec policies are a collection of related directory objects, some of which can be shared between policies. Accordingly, you should control permissions on the IP Security Policies container itself.

An IPSec policy administrator typically has Write access to all IPSec policies. You can restrict who can create and modify GPOs so that only authorized individuals can assign a domain-based IPSec policy. Make sure to investigate these permissions and set them as needed for your environment.

Standard delegation tools cannot be used to delegate permissions to administer IPSec policies. Instead, domain administrators must use the Active Directory Service Interfaces (ADSI) Edit tool for this purpose. ADSIEdit is a Microsoft Management Console (MMC) snap-in that domain administrators can use to edit objects in the Active Directory database. When domain administrators delegate permissions to others to administer IPSec policies, the delegated administrators must have Full Control permissions to all IPSec policy objects in the IP Security Policies container. After an IPSec administrator creates an IPSec policy, a member of the Group Policy Creator Owners group or another delegated owner of the GPO can assign the IPSec policy to the appropriate GPOs.

Warning

To modify access control lists (ACLs) on the IP Security Policies container, domain administrators should use the tools that are provided with the Windows 2000 or Windows Server 2003 operating system CD. When domain administrators modify ACLs on the IP Security Policies container, they must specify that all modifications are also propagated to all child objects. Incorrect modification of the ACLs on the IP Security Policies container, failure to propagate modifications to the child objects of this container, or both, can result in the failure of IPSec policy settings to be properly applied.
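As an added example (not from the article or from Microsoft), the following PowerShell script audits the container's ACL for the points above: which principals hold rights that can modify policy objects, whether Domain Computers, Group Policy Creator Owners and any child-domain computer groups you name hold Read, and whether each ACE propagates to child objects. It assumes the ActiveDirectory PowerShell module and its AD: drive are available to the account running it.

```powershell
# Added example, not part of the original article: audit the ACL on the IP Security
# Policies container (CN=IP Security,CN=System,<domain>) for the points the text makes.
# Assumes the ActiveDirectory PowerShell module (AD: drive) is available and the caller
# can read the container's security descriptor.
param(
    # Extra principals that must hold Read, e.g. a child domain's computer group
    # ('CHILD\Domain Computers'); this domain's default readers are appended below.
    [string[]]$MustRead = @()
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain    = Get-ADDomain
$container = "CN=IP Security,CN=System,$($domain.DistinguishedName)"
$acl       = Get-Acl -Path "AD:\$container"
$MustRead += "$($domain.NetBIOSName)\Domain Computers",
             "$($domain.NetBIOSName)\Group Policy Creator Owners"

# Read on a directory object is the GenericRead mask; any bit in $writeMask lets the
# holder alter policy objects, so those ACEs are listed for review.
$readMask  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete'
$hasRead   = @{}

"Container: $container"
"Owner: $($acl.Owner)    Group: $($acl.Group)"

foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    $id     = $ace.IdentityReference.Value
    $rights = $ace.ActiveDirectoryRights
    # The article's warning: an ACE that does not propagate (InheritanceType None)
    # covers the container but not the policy objects inside it.
    $scope  = if ($ace.InheritanceType -eq 'None') { 'CONTAINER ONLY' } else { 'propagates' }

    if (($rights -band $writeMask) -ne 0) {
        "REVIEW  $id can modify policies: $rights ($scope)"
    }
    if (($MustRead -contains $id) -and (($rights -band $readMask) -eq $readMask)) {
        $hasRead[$id] = $scope
    }
}
foreach ($p in $MustRead) {
    if ($hasRead.ContainsKey($p)) { "OK      $p has Read ($($hasRead[$p]))" }
    else { "MISSING $p has no Read ACE; computers in that group cannot retrieve domain IPSec policy" }
}
```

Run it from the parent domain with `-MustRead 'CHILD\Domain Computers'` to confirm that child domain computers can read the parent's policies; any REVIEW line naming a principal other than Domain Admins or a delegated IPSec administrator deserves a second look.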

ADSIEdit is one of the Windows Support Tools included on the Windows 2000 and Windows Server 2003 operating system CDs. You can install these tools by running the Support Tools Setup program, Suptools.msi, from the \Support\Tools folder.

For more information about permissions for the IPSec Policies container, see article 329194, "IPSec Policy Permissions in Windows 2000 and Windows Server 2003" in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkID=106552.