Assigning IPSec policy

IPSec policy can be created and modified using the IP Security Policies snap-in that is available in Microsoft Management Console (MMC). It can manage policy centrally (for Active Directory clients), locally (on the computer on which you are running the snap-in), or remotely for a computer or domain. The customized console can then be saved so that it is available to you again at any time. For more information, see To start the IP Security Policies snap-in.


Although you can assign IPSec policy for a computer, you cannot assign IPSec policy for Active Directory domains directly. To assign IPSec policy in Active Directory, you must use Group Policy. For more information, see To assign or unassign IPSec policy in Group Policy.

You can use the IP Security Policies snap-in to manage both local computer and domain policy.

Policies stored in Active Directory

A Group Policy object defines access, configuration, and usage settings for accounts and resources. IPSec policies can be assigned to the Group Policy object of a site, domain, or organizational unit. When the IPSec policy is assigned to one of the Group Policy objects for the Active Directory object, the IPSec policy is propagated to any computer accounts that are affected by that Group Policy object. For more information, see Active Directory overview.

When assigning an IPSec policy in Active Directory, consider the following:

The list of all IPSec policies is available to assign at any level in the Active Directory hierarchy. However, only a single IPSec policy can be assigned at a specific level in Active Directory.

IPSec policies that are configured and assigned for the domain take precedence over the local, active IPSec policy when that computer is a member of the domain.

IPSec policies that are assigned to organizational units in Active Directory take precedence over domain level policy for any members of that organizational unit.

An organizational unit inherits the policy of its parent organizational unit unless either policy inheritance is explicitly blocked or policy is explicitly assigned.

IPSec policies from different organizational units are never merged.

The highest possible level of the Active Directory hierarchy should be used to assign policies to reduce the amount of configuration and administration required.

An IPSec policy might remain active even after the Group Policy object to which it is assigned has been deleted. Because of this, you should unassign the IPSec policy before you delete the Group Policy object. To prevent problems, use the following procedure:

1. Unassign the IPSec policy in the Group Policy object.

2. Wait 24 hours to ensure that the change is propagated.

3. Delete the Group Policy object.

If you delete the Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned treat the IPSec policy as if it cannot be located and continue to use a cached copy.
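The precedence and deletion rules above, encoded as a small resolver. This is an added example, not Microsoft's code or the Policy Agent's actual algorithm; the container names, policy labels and the cached-copy field are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Container:
    """A site, domain or organizational unit with its Group Policy object."""
    name: str
    assigned_policy: Optional[str] = None  # only one IPSec policy per level
    block_inheritance: bool = False        # inheritance explicitly blocked here
    gpo_deleted: bool = False              # GPO deleted without unassigning first

@dataclass
class Computer:
    name: str
    local_policy: Optional[str] = None     # active local IPSec policy, if any
    cached_policy: Optional[str] = None    # last domain policy it applied (constructed)

def effective_policy(computer: Computer, chain: List[Container]) -> Optional[str]:
    """Resolve the active IPSec policy for computer.
    chain lists containers from the domain down to the computer's own OU.
    Domain policy overrides local policy; an OU policy overrides the domain's;
    an OU inherits its parent's policy unless inheritance is blocked or a
    policy is explicitly assigned; policies replace each other, never merge.
    """
    effective = computer.local_policy           # no domain: local policy applies
    for c in chain:
        if c.block_inheritance:
            effective = computer.local_policy   # parents' assignments drop out
        if c.assigned_policy is None:
            continue                            # nothing assigned here: inherit
        if c.gpo_deleted:
            effective = computer.cached_policy  # "cannot be located": stale copy
        else:
            effective = c.assigned_policy       # replace, never merge
    return effective

def scenarios() -> Dict[str, Optional[str]]:
    """Constructed scenarios; policy names are sample labels, not real policies."""
    pc = Computer("WKS01", local_policy="Local-RespondOnly",
                  cached_policy="Domain-RequireSecurity")
    domain = Container("corp.example", assigned_policy="Domain-RequireSecurity")
    stale = Container("corp.example", assigned_policy="Domain-RequireSecurity", gpo_deleted=True)
    return {
        "standalone": effective_policy(pc, []),
        "domain_only": effective_policy(pc, [domain]),
        "ou_overrides": effective_policy(pc, [domain, Container("Servers", assigned_policy="OU-RequestSecurity")]),
        "ou_blocks": effective_policy(pc, [domain, Container("Lab", block_inheritance=True)]),
        "deleted_gpo": effective_policy(pc, [stale]),
        "unassigned_then_deleted": effective_policy(pc, [Container("corp.example", gpo_deleted=True)]),
    }
```

The "deleted_gpo" scenario shows the cached copy staying in force when the GPO is deleted while the policy is still assigned, whereas unassigning first ("unassigned_then_deleted") falls back to the local policy.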

Group Policy backup and restore in Active Directory must also include IPSec policies to ensure consistency.

The IPSec Policy Agent on a computer running Windows XP Professional polls Active Directory for updates to the assigned IPSec policy. This polling does not detect a change in domain or organizational unit membership or the assigning or unassigning of a new policy. These events are detected when the Winlogon service polls for changes in Group Policy, which occurs by default every 90 minutes. The Winlogon service discovers these changes, notifies the IPSec Policy Agent, and the changes are applied.

For information about how to assign IPSec policy to objects in Active Directory, see To assign or unassign IPSec policy in Group Policy.

The IPSec policy integration with Active Directory described here does not apply to computers running Windows XP Home Edition.

You cannot administer Active Directory-based IPSec policy from a computer running Windows XP Home Edition.

Local computer policy

Each computer running Windows XP has exactly one local Group Policy object, often called the local computer policy. By using this local Group Policy object, Group Policy settings can be stored on individual computers regardless of whether they are members of an Active Directory domain. The local Group Policy object can be overwritten by Group Policy objects associated with sites, domains, or organizational units in an Active Directory environment. On a network without an Active Directory domain (that is, with no Windows 2000 domain controller), the local Group Policy object settings determine IPSec behavior because they are not overwritten by other Group Policy objects.

For information about how to assign IPSec policy locally, see To assign or unassign IPSec policy on a computer.

For more information about Group Policy, see Group Policy overview.

© 2017 Microsoft Corporation. All rights reserved.