Assigning IPSec policy

IPSec policy can be created and modified using the IP Security Policies snap-in that is available in Microsoft Management Console (MMC). It can manage policy centrally (for Active Directory clients), locally (on the computer on which you are running the snap-in), or remotely for a computer or domain. The customized console can then be saved so that it is available to you again at any time. For more information, see To start the IP Security Policies snap-in.

Note
You can use the IP Security Policies snap-in to manage both local computer and domain policy.

Policies stored in Active Directory

A Group Policy object defines access, configuration, and usage settings for accounts and resources. IPSec policies can be assigned to the Group Policy object of a site, domain, or organizational unit. When the IPSec policy is applied to one of the Group Policy objects for the Active Directory object, the IPSec policy is propagated to any computer accounts that are affected by that Group Policy object. For more information, see Active Directory overview.

When assigning an IPSec policy in Active Directory, consider the following:
The IPSec Policy Agent on a computer running Windows XP Professional polls Active Directory for updates to the assigned IPSec policy. This polling does not detect a change in domain or organizational unit membership, or the assigning or unassigning of a different policy. Those events are detected only when the Winlogon service polls for changes in Group Policy, which occurs by default every 90 minutes. When the Winlogon service discovers such a change, it notifies the IPSec Policy Agent, and the change is applied. For information about how to assign IPSec policy to objects in Active Directory, see To assign or unassign IPSec policy in Group Policy.

Note
Local computer policy

Each computer running Windows XP has exactly one local Group Policy object, often called the local computer policy. Through this local Group Policy object, Group Policy settings can be stored on individual computers regardless of whether they are members of an Active Directory domain. The local Group Policy object can be overwritten by Group Policy objects associated with sites, domains, or organizational units in an Active Directory environment. On a network without an Active Directory domain (that is, without a Windows 2000 domain controller), the local Group Policy object settings determine IPSec behavior, because they are not overwritten by other Group Policy objects. For information about how to assign IPSec policy locally, see To assign or unassign IPSec policy on a computer. For more information about Group Policy, see Group Policy overview.
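The precedence described above (a domain-assigned policy overrides the local one, and a new assignment is only picked up at the Group Policy refresh) is easiest to confirm from the command line. The batch script below is an added example, not part of the original Help page; it assumes the netsh "ipsec static" context of Windows XP/Server 2003 and administrative rights on the computer being checked.

```batch
@echo off
rem Added example (not from the original Help page): report which IPSec policy is
rem in effect on this computer and where it comes from. Assumes the netsh
rem "ipsec static" context of Windows XP/Server 2003 and administrative rights.
rem Both the Group Policy-assigned and the local policies are listed so you can
rem see which one the IPSec Policy Agent is actually enforcing: a policy assigned
rem through Group Policy takes precedence over the local computer policy.

echo === Policy assigned through Group Policy (empty if none applies here) ===
netsh ipsec static show gpoassignedpolicy

echo.
echo === Local policies and their assignment state (at most one is assigned) ===
netsh ipsec static show policy all

rem The Winlogon service notices a newly assigned or unassigned policy only at its
rem Group Policy refresh (every 90 minutes by default). Pass /refresh to trigger a
rem refresh now instead of waiting, then re-run the two checks above.
if /i "%1"=="/refresh" (
    gpupdate /target:computer
    echo Group Policy refreshed; re-run this script to see the updated assignment.
)
```

Run it once as-is to record the current state, and once with /refresh after changing an assignment in Group Policy to confirm the IPSec Policy Agent has picked up the new policy.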