Re: IPSec and Group Policy
From: Bill Tomlinson (BT_at_royce.biz)
Date: 07/18/03
- In reply to: Seaver: "RE: IPSec and Group Policy"
Date: Fri, 18 Jul 2003 11:40:57 -0700
Seaver,
Thanks for your advice. I was able to resolve the problem by linking the
group policy to the OU where the computer/workstations are members.
My situation has led me to believe that the ipsecmon and netdiag IPSec
verbose tests both require some Administrator level of permission to show
the IPSec policy that may be active. It is my assumption that in order to
show the IPSec policy in action between two client computers, that both have
standard users logged in, is to use some type of network monitor such as
the SMS provides.
I am always a bit concerned when something only appears to work for
administrators.
Thanks again
"Seaver" <seaverr@online.microsoft.com> wrote in message
news:eUMVIkPTDHA.1636@cpmsftngxa06.phx.gbl...
> Dear Bill,
>
> Thank you for your posting.
>
> According to your post, I understand that IPSec policy only works in
> Administrator accounts.
>
> If I have misunderstood your concern please don't hesitate to let me know.
>
> 1. When assigning an IPSec policy in Active Directory, please ensure that
> the following factors have been considered:
>
> a. IPSec policies assigned to a domain policy will override any active,
> local IPSec policy only when that computer is connected to the domain.
>
> b. IPSec policies assigned to an organizational unit will override an IPSec
> policy assigned to the domain policy, for any member computers of that
> organizational unit. The IPSec policy assigned to the lowest-level
> organizational unit will override an IPSec policy assigned to a
> higher-level organizational unit, for any member computers of that
> organizational unit.
>
> I suggest you temporarily unassign all the IPSec policies, and then assign
> only 1 policy to test the situation.
>
> 2. If the problem still remains, we need to check the results of the Phase One
> and Phase Two exchanges by enabling Audit Policy, which causes security
> events to be logged in the security log of the Event Viewer.
>
> Please follow the instructions in the following link to enable Audit
> Policy:
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp#heading3
>
> For further troubleshooting steps, since the instructions are lengthy,
> please refer to the following article:
>
> 257225 Basic IPSec Troubleshooting in Windows 2000
> http://support.microsoft.com/?id=257225
>
> More Information
> ===========
> 265112 IPSec and L2TP Implementation in Windows 2000
> http://support.microsoft.com/?id=265112
>
> Hope these help!
>
> Sincerely,
>
> Seaver Ren
>
> Product Support Services
> Microsoft Corporation
>
> Get Secure! - www.microsoft.com/security
>
>
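
The precedence rules from the quoted reply, as an added example that is not part of either message: a small Python model that resolves which assigned IPSec policy wins for a given computer account. The DNs, policy names and the function `effective_ipsec_policy` are constructed for illustration; only the computer account's location is consulted, because IPSec policy is a computer setting.

```python
import re

def _parents(dn):
    """Split a DN on unescaped commas and drop the object's own RDN."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)][1:]

def _norm(dn):
    """Normalise a container DN so lookups ignore case and spacing."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()

def effective_ipsec_policy(computer_dn, assignments, local_policy=None,
                           domain_connected=True):
    """Return (scope, policy) for a computer account.

    assignments maps a container DN (OU or domain) to the policy assigned there.
    """
    # Rule (a): domain-assigned policy overrides the local one only while
    # the computer is connected to the domain.
    if not domain_connected:
        return ("local", local_policy)
    table = {_norm(k): v for k, v in assignments.items()}
    parents = _parents(computer_dn)
    # Rule (b): walk from the lowest-level OU up to the domain; the first
    # container that has an assignment wins.
    for i, rdn in enumerate(parents):
        scope = ",".join(parents[i:])
        policy = table.get(scope.lower())
        if policy is not None:
            return (scope, policy)
        if rdn.upper().startswith("DC="):
            break  # reached the domain itself with nothing assigned
    return ("local", local_policy)

# Constructed sample directory layout and policy names.
ASSIGNMENTS = {
    "DC=example,DC=com": "Domain-Request-Security",
    "OU=Seattle,DC=example,DC=com": "Seattle-Require-Security",
    # Assigned on the OU holding user accounts: never reached by a
    # computer account that lives in a sibling OU.
    "OU=Staff,OU=Seattle,DC=example,DC=com": "Staff-Require-Security",
}
WS01 = "CN=WS01,OU=Workstations,OU=Seattle,DC=example,DC=com"
SRV1 = "CN=SRV1,CN=Computers,DC=example,DC=com"

if __name__ == "__main__":
    for dn in (WS01, SRV1):
        print(dn, "->", effective_ipsec_policy(dn, ASSIGNMENTS))
```

With this layout WS01 never receives the policy assigned on the Staff OU; it only picks up an OU-level policy of its own once one is assigned on the Workstations OU or an OU above it.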