Assign or unassign IPSec policy in Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To assign or unassign IPSec policy in Group Policy

  • For Active Directory-based Group Policy:
  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.

    Where?

    • Active Directory Users and Computers [DomainControllerName.DomainName]/Domain/OrganizationalUnit/ChildOrganizationalUnit...
  3. Click Properties, and then click the Group Policy tab.

  4. Click Edit to open the Group Policy object that you want to edit. Or, click New to create a new Group Policy object, and then click Edit.

  5. In the Group Policy console tree, click IP Security Policies on Active Directory.

    Where?

    • PolicyName [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/IP Security Policies on Active Directory
  6. In the details pane, click the IPSec policy that you want to assign or unassign, and then do one of the following:

    1. To assign the policy, click the Action menu, and then click Assign.

    2. To unassign the policy, click the Action menu, and then click Unassign.

  • For local computer policy:
  1. Click Start, click Run, type MMC, and then click OK.

  2. Click File, click Add/Remove Snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. Click Finish, click Close, and then click OK.

  5. In the Group Policy console tree, click IP Security Policies on Local Computer.

    Where?

    • Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/IP Security Policies on Local Computer
  6. In the details pane, click the IPSec policy that you want to assign or unassign, and then do one of the following:

    1. To assign the policy, click the Action menu, and then click Assign.

    2. To unassign the policy, click the Action menu, and then click Un-assign.

Important

  • An IPSec policy might remain active even after the IPSec policy or Group Policy object to which it is assigned has been deleted. Therefore, you should unassign the IPSec policy before you delete either the policy or the Group Policy object. To prevent problems, use the following procedure:
  1. Unassign the IPSec policy in the Group Policy object.

  2. Wait 24 hours to ensure that the change is propagated.

  3. Delete the IPSec policy or Group Policy object.

    If you delete the IPSec policy or Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned might treat the IPSec policy as if it cannot be located and continue to use a cached copy.
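
One way to check, on a computer in the affected container, that the unassignment has arrived before you move on to step 3. This batch script is an added example, not part of the original topic. The policy name argument is a placeholder that you supply, and the script assumes that the output of netsh ipsec static show gpoassignedpolicy lists the assigned policy by name.

```batch
@echo off
rem Added example: verify that an IPSec policy is no longer assigned
rem through Group Policy on this computer before the policy or the
rem Group Policy object is deleted.
rem Usage: check-ipsec-unassigned.cmd "IPSec policy name"
setlocal

if "%~1"=="" goto usage
set "POLICY=%~1"
set "OUT=%TEMP%\ipsec-gpo-assigned.txt"

rem Refresh computer Group Policy now instead of waiting for the next
rem periodic refresh, so the unassignment is picked up if it has replicated.
gpupdate /target:computer /force

rem Ask which IPSec policy Group Policy currently assigns to this computer
rem and keep a copy of the output for the change record.
netsh ipsec static show gpoassignedpolicy > "%OUT%"
type "%OUT%"

rem Assumption: the output names the assigned policy. If the name is still
rem present, the computer is still using the policy (possibly a cached copy).
findstr /i /l /c:"%POLICY%" "%OUT%" >nul
if errorlevel 1 goto clear

echo STILL ASSIGNED: "%POLICY%" is reported on %COMPUTERNAME%. Do not delete yet.
exit /b 1

:clear
echo OK: "%POLICY%" is not reported as assigned on %COMPUTERNAME%.
exit /b 0

:usage
echo Usage: %~nx0 "IPSec policy name"
exit /b 2
```

Run it with administrative credentials on a sample of computers from each site that the container covers. A nonzero exit code means the deletion should wait.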

Notes

  • To manage Active Directory-based IPSec policy, you must be a member of the Domain Admins group in Active Directory, or you must have permission to edit Group Policy objects (for information about Group Policy object editing, see Related Topics). To manage local or remote IPSec policy for a computer, you must be a member of the Administrators group on the local or remote computer. For more information, see Default local groups and Default groups.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • You cannot administer Active Directory-based IPSec policy from a computer running Windows XP Home Edition.

  • The settings will take effect the next time Group Policy is refreshed.

  • If a policy is currently assigned and you assign a new policy, the currently assigned policy is automatically unassigned.

  • You cannot assign a policy from the IP Security Policies on Active Directory console; you can only configure policy. To assign policy for Active Directory containers, you must use IP Security Policies on Active Directory within the Group Policy console.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Add, edit, or remove IPSec policies
Creating, modifying, and assigning IPSec policies
Working with MMC console files
Group Policy (pre-GPMC)