Access Denied: Avoiding Unnecessary Work with IPSec
Learn how to ensure that when you edit an IP Security (IPSec) policy in a Group Policy Object (GPO), the changes take effect.
August 30, 2001
When I edit an IP Security (IPSec) policy in a Group Policy Object (GPO), the changes don't take effect unless I first delete and recreate the IPSec policy object. How can I avoid this unnecessary work?
A Windows 2000 bug causes this problem; fortunately, the bug has a simple workaround. An IPSec policy is an Active Directory (AD) object that's separate from the GPO in which you define it. To demonstrate how the bug works, create but don't assign an IPSec policy called Test in your Default Domain Policy GPO. (When you create an IPSec policy, it doesn't take effect until you right-click it and select Assign.) Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the root domain, then select Properties. Click the Group Policy tab, highlight Default Domain Policy, then click Edit. In the Group Policy window that Figure 1 shows, drill down to Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Active Directory. Right-click in the right pane, then select Create IP Security Policy. Edit your Default Domain Controllers Policy GPO. You'll see the new IPSec policy Test there, too. At boot-up and about every 90 minutes thereafter, a Win2K computer checks AD to see whether any of the GPOs that apply to the computer have been changed—either because you've linked new GPOs to the computer's site, domain, or OU or because you've deleted relevant GPOs. If the check reveals changes, the Win2K computer reapplies group policy to apply the changes.
To determine whether a GPO has changed, Win2K checks the GPO's version number. By reapplying group policy only when changes have occurred, Win2K saves network and system resources. However, this approach causes a problem when it comes to IPSec policies. Because an IPSec policy object is separate from the GPO, when you edit an IPSec policy, Win2K doesn't update the GPO's version number. Thus, the computers to which that GPO applies miss the updated IPSec policy. To work around this problem, remember to unassign and assign the IPSec policy after you edit it. Reassigning the IPSec policy increments the GPO's version number. Also, remember to reassign the IPSec policy in any other GPOs in which you use it. Otherwise, you might think you've deployed an important security change related to IPSec in your network that never takes effect.
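As an added check (not part of the original column), the following PowerShell function reads a GPO's version number from its AD groupPolicyContainer object and from gpt.ini in SYSVOL, so you can confirm that unassigning and reassigning the IPSec policy actually bumped the computer-side version. It assumes a domain-joined host with read access to AD and SYSVOL; the GPO name 'Default Domain Policy' is the one from the text and the function name is mine.

```powershell
# Added example: report a GPO's version numbers as seen in AD and in SYSVOL.
# AD packs two counters into one 32-bit versionNumber attribute:
#   low 16 bits  = computer-configuration version
#   high 16 bits = user-configuration version
# Clients reapply the GPO only when the relevant counter changes.
function Get-GpoVersionInfo {
    param([Parameter(Mandatory)][string]$DisplayName)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $nc       = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$nc"
    $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$DisplayName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('versionNumber', 'gPCFileSysPath', 'cn'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "GPO '$DisplayName' not found" }

    # Mask to 32 bits so a large user version (stored as a negative int) decodes cleanly.
    $adVersion  = [int64]$result.Properties['versionnumber'][0] -band 0xFFFFFFFF
    $sysvolPath = [string]$result.Properties['gpcfilesyspath'][0]

    # gpt.ini under the GPO's SYSVOL folder carries the same packed number as "Version=N".
    $iniLine = Get-Content -Path (Join-Path $sysvolPath 'gpt.ini') |
               Where-Object { $_ -match '^Version=' } | Select-Object -First 1
    $sysvolVersion = [int64]($iniLine -replace '^Version=', '') -band 0xFFFFFFFF

    [pscustomobject]@{
        Gpo               = $DisplayName
        Guid              = [string]$result.Properties['cn'][0]
        AdComputerVer     = $adVersion -band 0xFFFF
        AdUserVer         = ($adVersion -shr 16) -band 0xFFFF
        SysvolComputerVer = $sysvolVersion -band 0xFFFF
        SysvolUserVer     = ($sysvolVersion -shr 16) -band 0xFFFF
        InSync            = ($adVersion -eq $sysvolVersion)
    }
}

# Run once before editing the IPSec policy, then again after unassigning and reassigning it.
# If AdComputerVer did not increase, clients will not pick up the edited IPSec policy.
Get-GpoVersionInfo -DisplayName 'Default Domain Policy'
```

Repeat the check for every GPO in which the same IPSec policy is assigned, since each GPO carries its own version counter.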