Configure IPsec OUs

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Three organizational units (OUs) are used to apply Group Policy objects (GPOs). There will be a boundary OU for computers with NAP exemption certificates that request, but do not require, that incoming communications authenticate with a health certificate. There will be a secure OU for computers running the Windows Vista®, Windows Server® 2008, Windows 7, or Windows Server 2008 R2 operating systems, and a secure OU for computers running Windows XP with Service Pack 3. Computers in the secure OUs will require that incoming communications are authenticated with a health certificate.

Membership in the local Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure OUs for NAP with IPsec enforcement

Use the following steps to create OUs for use with NAP and the IPsec enforcement method.

To create OUs in Active Directory

  1. On a domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, right-click the domain name (for example, Woodgrovebank.local), point to New, and then click Organizational Unit.

  3. Under Name, type Vista IPsec Secure, and then click OK.

  4. In the console tree, right-click the domain name (for example, Woodgrovebank.local), point to New, and then click Organizational Unit.

  5. Under Name, type XP IPsec Secure, and then click OK.

  6. In the console tree, right-click the domain name (for example, Woodgrovebank.local), point to New, and then click Organizational Unit.

  7. Under Name, type IPsec Boundary, and then click OK.

  8. Close the Active Directory Users and Computers console.
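The same three OUs can be created from the Active Directory module for Windows PowerShell, which is useful when the structure has to be reproduced on more than one domain. The script below is an added example, not part of the original procedure; it assumes the ActiveDirectory module (RSAT or Windows Server 2008 R2 and later) and takes the domain distinguished name from Get-ADDomain rather than hard-coding the example domain Woodgrovebank.local. It skips OUs that already exist and protects the new ones from accidental deletion, since deleting an OU also drops the GPO link that enforces the IPsec policy for the computers in it.

```powershell
# Added example (not from the original page): create the NAP/IPsec OUs idempotently.
# Assumes the ActiveDirectory module is available and the caller is a Domain Admin.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=Woodgrovebank,DC=local

# OU names exactly as in the procedure; each comment records the IPsec role the OU's GPO carries.
$ouNames = @(
    'Vista IPsec Secure'   # Vista / Server 2008 / Windows 7 / Server 2008 R2: require health-cert auth
    'XP IPsec Secure'      # Windows XP SP3: require health-cert auth
    'IPsec Boundary'       # exemption-cert hosts: request, but do not require, health-cert auth
)

foreach ($name in $ouNames) {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
        -SearchBase $domainDn -SearchScope OneLevel
    if ($existing) {
        Write-Host "OU '$name' already exists at $($existing.DistinguishedName); skipping."
        continue
    }
    # ProtectedFromAccidentalDeletion keeps a stray delete from removing the OU
    # and, with it, the GPO link that applies the IPsec policy to its computers.
    New-ADOrganizationalUnit -Name $name -Path $domainDn -ProtectedFromAccidentalDeletion $true
    Write-Host "Created OU '$name' under $domainDn."
}

# Verify the result before linking GPOs: list the three OUs directly under the domain root.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn -SearchScope OneLevel |
    Where-Object { $ouNames -contains $_.Name } |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion
```

Run it from a domain controller or a management host with RSAT installed; the final listing should show all three OUs with ProtectedFromAccidentalDeletion set to True.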