To assign or unassign IPSec policy in Group Policy

For Active Directory-based Group Policy:

1.

Open Active Directory Users and Computers

2.

In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.

Where?

Active Directory Users and Computers [DomainControllerName.DomainName] > Domain  > OrganizationalUnit  > ChildOrganizationalUnit... 

3.

Click Properties, and then click the Group Policy tab.

4.

Click Edit to open the Group Policy object that you want to edit. Or, click New to create a new Group Policy object, and then click Edit.

5.

In the Group Policy console tree, click IP Security Policies on Active Directory.

Where?

PolicyName [ComputerName] Policy > Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Active Directory

6.

In the details pane, right-click the policy that you want to assign, and then click Assign. To unassign the currently assigned policy, right-click the policy, and then click Unassign.

For local computer policy:

1.

Click Start, click Run, type MMC, and then click OK.

2.

In MMC, click File, click Add/Remove Snap-in, and then click Add.

3.

Click Group Policy, and then click Add.

4.

Click Finish, click Close, and then click OK.

5.

In the Group Policy console tree, click IP Security Policies on Local Machine.

Where?

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Local Machine

6.

In the details pane, right-click the policy that you want to assign, and then click Assign. To unassign the currently assigned policy, right-click the policy, and then click Unassign.

 Important

An IPSec policy might remain active even after the IPSec policy or Group Policy object to which it is assigned has been deleted. Therefore, you should unassign the IPSec policy before you delete either the policy or the Group Policy object. To prevent problems, use the following procedure:

1.

Unassign the IPSec policy in the Group Policy object.

2.

Wait 24 hours to ensure that the change is propagated.

3.

Delete the IPSec policy or Group Policy object.

If you delete the IPSec policy or Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned might treat the IPSec policy as if it cannot be located and continue to use a cached copy.

Top of pageTop of page

Note

To start Active Directory Users and Computers, open a Remote Desktop Connection to either a Windows 2000 domain controller or a member server that has Windows 2000 Administration Tools installed. You must log on to the server as a domain administrator in order to complete this procedure.

You cannot administer Active Directory-based IPSec policy from a computer running Windows XP Home Edition.

To define Active Directory-based IPSec policy, you must have Group Policy administrative permissions. To manage local or remote IPSec policy for a computer, you must be a member of the Administrators group on the local or remote computer.

The settings will take effect the next time Group Policy is refreshed.

If a policy is currently assigned and you assign a new policy, the currently assigned policy is automatically unassigned.

You cannot assign a policy from the IP Security Policies on Active Directory snap-in, but can only configure policy. To assign policy for Active Directory containers, you must use the IP Security Policies on Active Directory within the Group Policy snap-in.

If you need to disable IPSec for only a specific computer, you can disable the IPSEC Services service on that computer.

Top of pageTop of page

Related Topics

Assigning IPSec Policy

Add or edit IPSec policies


Top of pageTop of page