Microsoft KB Archive/923785

From BetaArchive Wiki


An IPsec policy is not applied to a client computer when you apply a Group Policy object

Article ID: 923785

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server




SYMPTOMS

When you apply a Group Policy object (GPO) to a client computer, and the GPO contains an Internet Protocol security (IPsec) policy setting, the IPsec policy is not applied.

Additionally, nothing is written to the registry in the following scenario:

  • You delete the following registry keys:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\IPsec\GPTIPSECPolicy
    HKLM\SOFTWARE\Policies\Microsoft\Windows\IPsec\Policy\Cache

  • You restart the computer, or you run the gpupdate /force command on the computer.


CAUSE

This problem occurs if the computer account to which you apply the Group Policy object does not have Read permissions and Apply Group Policy permissions for all child objects.

RESOLUTION

To resolve this problem, follow these steps:

  1. On the domain controller, click Start, click Run, type dsa.msc, and then click OK.
  2. Right-click the domain object, and then click Properties.
  3. Click the Group Policy tab, and then click Open.
  4. Double-click Group Policy Objects.
  5. Click the Group Policy object that contains the IPsec policy.
  6. Click the Delegation tab.
  7. In the Groups and users area, click the computer account that you want to apply the IPsec policy to, and then click Advanced.
  8. In the Security Settings dialog box, click Advanced.
  9. In the Permission entries area, click the computer account that you want to apply the IPsec policy to, and then click Edit.
  10. Click to select the Allow check boxes for the following permissions:
    • Read Permissions
    • Apply Group Policy
  11. In the Apply onto box, select This object and all child objects.
  12. Click OK three times.
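
The result of steps 7 through 11 can be checked from a script by reading the access control list on the GPO's directory object. The following PowerShell is an added example, not part of the original article. The GPO distinguished name and the computer account are placeholders, the mapping of the "Read Permissions" check box to the ReadControl right is an assumption, and only entries that name the account directly are examined (permissions granted through a group are not resolved).

```powershell
# Added example (not from the KB article). Placeholders: replace before running.
param(
    [string]$GpoDn   = 'CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com',
    [string]$Account = 'EXAMPLE\CLIENT01$'   # constructed computer account name
)

# Rights GUID of the "Apply Group Policy" extended right.
$ApplyGpoGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Test-IPsecGpoAce {
    param($Rules, [string]$Trustee)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # Allow ACEs that name the trustee directly and apply to
    # "This object and all child objects" (InheritanceType All).
    $aces = @($Rules | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -eq 'All'
    })

    # Assumption: the "Read Permissions" check box maps to ReadControl.
    $read = @($aces | Where-Object {
        $_.ActiveDirectoryRights -band $rights::ReadControl
    }).Count -gt 0

    # Apply Group Policy is an extended right: either the specific GUID,
    # or an ACE with an empty ObjectType, which covers all extended rights.
    $apply = @($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and
        ($_.ObjectType -eq $ApplyGpoGuid -or $_.ObjectType -eq [guid]::Empty)
    }).Count -gt 0

    New-Object PSObject -Property @{
        Trustee          = $Trustee
        ReadPermissions  = $read
        ApplyGroupPolicy = $apply
        Compliant        = ($read -and $apply)
    }
}

# Read explicit and inherited ACEs from the GPO object, with trustees as NT account names.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GpoDn")
$rules = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

Test-IPsecGpoAce -Rules $rules -Trustee $Account
```

A Compliant value of False for the account means that at least one of the two permissions is missing or is not set to apply to child objects, which is the condition described under CAUSE.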


MORE INFORMATION

For more information about how to use the Group Policy Management Console, visit the following Microsoft Web site:

For more information about Internet Protocol security, visit the following Microsoft Web site:

Keywords: kbgpo kbipsec kbtshoot kbprb KB923785