All Active Directory based IPSec policies are stored as ipsecPolicy
objects in CN=IP Security,CN=System,DC=<domain>. If you decide to assign
one of these policies to the GPO, a link is created and stored within
the GPO as the ipsecOwnersReference attribute of the ipsecPolicy object
in CN=IPSEC,CN=Windows,CN=Microsoft,CN=Machine,CN={GUID for
GPO},CN=Policies,CN=System,DC=<domain>. If your admin has delegated you
the permissions to modify the GPO, you can actually modify the IPSec
policy assignment. However, in order to create/import IPSec policies,
you must have the necessary permissions to the IP Security container. By
default, only the Domain Admins group has the required permissions.

The Designing a Managed Environment book of the Windows Server 2003
Deployment Kit says: "IPSec permissions cannot be delegated by using
standard delegation tools, but instead require the use of the Active
Directory Service Interfaces (ADSI) Edit tool." I don't fully follow
this and don't have a test environment available right now. I'd think
that you can use the ACL editor of Active Directory Users and Computers
for assigning the permission. The Delegation of Control wizard does not
have IPSec as a standard task. Neither can you use GPMC for performing
this type of delegation. See KB article 329194 for the default
permissions.

I don't know how to use .inf files for importing/exporting the actual
IPSec policies... After the permissions have been set, you should be
able to import the desired policy.

HTH
Mika

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Carerros
Sent: 15 April 2004 19:21
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Importing IPSEC Policies into an OU

What I have is an exported .ipsec file (that was created on a local
workstation). It contains the tested and fully functional IPSEC policy
that I was advised to implement, so my plan was to export the policy
from the local machine and then import it into the GPO. I am the GPO
administrator and I can change the IPSEC stuff, I'm just not able to
import the .ipsec file in the security area. I was just trying to figure
out if you were able to conduct that type of import on a GPO, or if that
only works on local workstations (which doesn't make sense), or the guy
who set up my permissions may have just made a mistake when he granted
me the admin rights to the GPO.
I guess I can ask the admin to recheck my privileges on the GPO to
ensure that he has me set with the IPSEC part, but that doesn't seem
that plausible of an option considering he said that he granted my
privileges using the delegate administration feature. Is there a big
difference between using the .ipsec file instead of the .inf file?

Thanks,
chuck

Darren Mar-Elia wrote:
> Charles-
> When you say you're importing IPSEC, I assume this means you have an
> .inf file that you've created that you're importing into an OU-linked GPO?
> The ability to make changes to a GPO is governed by the permissions on
> the GPO object itself, which is not stored in the OU but rather under
> the System\Policies container in your domain (and also in SYSVOL). If
> you view the permissions on the GPO object itself, you should be able to
> see if you have modify rights on that GPO. If you don't, you'll need to
> get the owner of that GPO to grant you those rights explicitly for that
> GPO.
>
> Darren
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles
> Carerros
> Sent: Thursday, April 15, 2004 6:49 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Importing IPSEC Policies into an OU
>
> Hey all,
>
> This might seem kinda odd and maybe I'm just doing something wrong.
>
> But I tried to import an IPSEC policy (that basically just does port
> blocking) into an AD but I keep getting rejected due to permissions
> (apparently).
>
> Now I don't have Domain Admin rights to the domain, however I have been
> delegated complete authority to the OU that I'm working in. Does anyone
> know if there are additional issues dealing with the importing of IPSec
> policies at OU levels that I might be missing?
>
> Thanks,
>
> Chuck
>
> --
> Charles D. Carerros
> Systems Administrator
> Information Technology Office
> College of Letters and Science
> University of Wisconsin -- Milwaukee
> [EMAIL PROTECTED]
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Charles D. Carerros
Systems Administrator
Information Technology Office
College of Letters and Science
University of Wisconsin -- Milwaukee
[EMAIL PROTECTED]
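The three checks the thread circles around (where a domain IPSec policy is assigned, who can actually create objects in CN=IP Security, and how to delegate that container without ADSI Edit) as an added example. This is not code from the original messages or from any of the posters; it uses the ActiveDirectory PowerShell module and its AD: drive, which appeared with Windows Server 2008 R2 and so did not exist when the thread was written. The group name CONTOSO\IPsecPolicyAdmins is a placeholder, and the script deliberately does not assume which side of the link carries ipsecOwnersReference: it lists every ipsecPolicy object under CN=System and resolves GPO GUIDs from whichever DN mentions CN=Policies.

```powershell
# Added example, not part of the thread above. Requires RSAT / the
# ActiveDirectory module (Windows Server 2008 R2 or later) and a session
# that can read CN=System. Run Grant-IPsecStoreDelegation as a Domain Admin.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$ipsecStore = "CN=IP Security,CN=System,$domainDN"
$gpoStore   = "CN=Policies,CN=System,$domainDN"

function Get-IPsecPolicyLink {
    # Every ipsecPolicy object under CN=System: the policies in the IP Security
    # store plus the CN=IPSEC container of each GPO that has an assignment.
    # ipsecOwnersReference holds the DN(s) on the other side of the link, so the
    # GPO GUID is pulled from whichever DN (own or referenced) sits under CN=Policies.
    Get-ADObject -SearchBase "CN=System,$domainDN" -SearchScope Subtree `
                 -LDAPFilter '(objectClass=ipsecPolicy)' `
                 -Properties ipsecName, ipsecOwnersReference |
    ForEach-Object {
        $obj  = $_
        $refs = @($obj.ipsecOwnersReference | Where-Object { $_ })
        $dns  = @($obj.DistinguishedName) + $refs
        $gpoGuids = foreach ($dn in $dns) {
            if ($dn -match '(?i)CN=(\{[0-9A-F-]+\}),CN=Policies,CN=System') { $Matches[1] }
        }
        $gpoNames = foreach ($g in ($gpoGuids | Sort-Object -Unique)) {
            $gpo = Get-ADObject -Identity "CN=$g,$gpoStore" -Properties displayName -ErrorAction SilentlyContinue
            if ($gpo) { $gpo.displayName } else { $g }
        }
        [pscustomobject]@{
            Object   = $obj.DistinguishedName
            InStore  = $obj.DistinguishedName -like "*,$ipsecStore"   # store copy vs. GPO-side container
            Policy   = $obj.ipsecName
            Links    = $refs
            GpoNames = @($gpoNames)
        }
    }
}

function Get-IPsecStoreCreator {
    # Who can create objects in (or has full control of) the IP Security
    # container. Importing a policy writes new ipsecPolicy/ipsecNFA/ipsecFilter
    # objects here, which is why delegated rights on the GPO alone do not let
    # you import. KB 329194 documents the default ACL; the thread says only
    # Domain Admins get this out of the box.
    $wanted = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    (Get-Acl -Path "AD:\$ipsecStore").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.ActiveDirectoryRights) -band $wanted) -ne 0 } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

function Grant-IPsecStoreDelegation {
    # Adds an ACE on CN=IP Security, inherited by the policy, NFA, filter and
    # ISAKMP objects beneath it, so $Principal can import, edit and delete
    # policies. This is the ACL edit the Deployment Kit says needs ADSI Edit,
    # done with Set-Acl on the AD: drive instead. $Principal is a placeholder.
    param([Parameter(Mandatory)][string]$Principal)   # e.g. 'CONTOSO\IPsecPolicyAdmins'

    $account = New-Object System.Security.Principal.NTAccount($Principal)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                      -ArgumentList $sid, $rights, $allow, $inherit

    $acl = Get-Acl -Path "AD:\$ipsecStore"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ipsecStore" -AclObject $acl
}

# Usage: see the assignments, see who can import, then delegate and re-check.
Get-IPsecPolicyLink  | Format-Table Policy, InStore, GpoNames -AutoSize
Get-IPsecStoreCreator | Format-Table -AutoSize
# Grant-IPsecStoreDelegation -Principal 'CONTOSO\IPsecPolicyAdmins'
# Get-IPsecStoreCreator | Format-Table -AutoSize
```

Two things to keep in mind when using this. The grant is scoped to CN=IP Security and its descendants only, so the delegated group can import and edit policies in the store but still cannot change which policy a GPO assigns unless it also holds edit rights on that GPO (the separate permission Darren describes, on the object under CN=Policies). And because every policy in the store is visible to every GPO in the domain, anyone you put in that group can alter filters applied by other OUs' GPOs, which is why the default ACL keeps it at Domain Admins.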
