Re: IPsec rules per User



Hi,

When Vista gained multiple local group policies I asked whether
these would only be for user policies, or if computer policies would
in cases be included. I was thinking of the usefulness of having a
different firewall config for the kids, for guests, for the spouse, etc.
Similarly in earlier days I have asked about a sort of reverse loopback,
where some computer policies could be applied based on the user
that logged in to trigger GPO application (this would directly address
what you are after). In both cases just mentioned I have met with
no joy, but have found some in MS Windows dev that see the
flexibility it could bring. In short, it is not there today, and last that
I have heard will not be in Longhorn/Vista either.

I hope that you are securing the script/code of the scheduled task well,
since it is otherwise trivial to elevate privileges by simply replacing the
script/code file which you have set to run as LocalSystem.

Roger

<boomboom999@xxxxxxxxx> wrote in message
news:1151601865.648717.299700@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Steven Umbach wrote:

That is not possible in Windows 2000/2003/XP. IPsec policies are only
machine aware [computer configuration] and only authenticate to the other
computer. ---
Steve


<boomboom999@xxxxxxxxx> wrote in message
news:1151594376.896576.26200@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Is it possible to create a GPO that assigns IPsec rules per user and not
per computer?

Thank you


We have found a way to do that with a bit of scripting.
The main idea is the following.

1. Create user groups like IPSecPolicy1, IPSecPolicy2 etc.

2. Create one GPO that covers all computers that need IPSec

3. Run a startup script within this GPO which:
- creates a Scheduled Task
- configures this task to run as Local System
- configures this task to run at logon only (for any user)
- configures this task to execute the following script:

if the current User belongs to IPSecPolicy1
run Ipsecpol.exe <Policy1>
if the current User belongs to IPSecPolicy2
run Ipsecpol.exe <Policy2>
etc.

4. Assign users to appropriate groups.

Done.

:)
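The logon-task script sketched in steps 3 and 4 above, written out as an added example (not code from the thread or from any poster), with the check Roger asks for built in: before touching the IPsec policy it verifies that its own file is owned by, and writable only by, SYSTEM or Administrators, since the task runs as LocalSystem and a replaceable script file is an immediate privilege escalation. The group names IPSecPolicy1/IPSecPolicy2 come from the thread; the ipsecpol.exe argument lists are placeholders to be replaced with the real policy options, and the logging-on user is taken from Win32_ComputerSystem.UserName (the console session), both of which are assumptions of this example.

```powershell
# Added example, not from the thread: per-user IPsec policy selection at logon,
# gated on the script file's own ACL so a non-admin cannot swap in code that
# runs as SYSTEM. Assumptions: group names from the thread; placeholder
# ipsecpol.exe arguments; console user read from Win32_ComputerSystem.UserName.

# Group name -> ipsecpol.exe arguments. First match wins, because a Windows
# 2000/XP computer can only have one IPsec policy assigned at a time.
$PolicyByGroup = [ordered]@{
    'IPSecPolicy1' = @('<ipsecpol.exe arguments for Policy1>')   # placeholder
    'IPSecPolicy2' = @('<ipsecpol.exe arguments for Policy2>')   # placeholder
}

# Only these principals may own the script or hold write/delete/ACL-change
# rights on it; anyone else with such rights could replace SYSTEM-run code.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-ScriptAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # The owner can always rewrite the DACL, so the owner must be trusted too.
    if ($TrustedWriters -notcontains $acl.Owner) { return $false }
    $dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($ace.FileSystemRights -band $dangerous) -eq 0) { continue }
        if ($TrustedWriters -notcontains $ace.IdentityReference.Value) { return $false }
    }
    return $true
}

function Get-UserGroupNames {
    # Resolve nested (authorization) group membership for a domain account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $SamAccountName)
    if ($null -eq $user) { return @() }
    return @($user.GetAuthorizationGroups() | ForEach-Object { $_.SamAccountName })
}

function Invoke-PerUserIpsecPolicy {
    param(
        # DOMAIN\user of the console logon; the task itself runs as SYSTEM, so
        # $env:USERNAME would not identify the user who triggered it.
        [string]$UserName   = (Get-CimInstance Win32_ComputerSystem).UserName,
        [string]$ScriptPath = $PSCommandPath,
        [string]$IpsecPol   = 'ipsecpol.exe'
    )
    if (-not (Test-ScriptAcl -Path $ScriptPath)) {
        throw "Refusing to run: $ScriptPath is owned or writable by a non-administrator."
    }
    if ([string]::IsNullOrEmpty($UserName)) { return $null }   # no interactive user yet
    $sam    = $UserName.Split('\')[-1]
    $groups = Get-UserGroupNames -SamAccountName $sam
    foreach ($entry in $PolicyByGroup.GetEnumerator()) {
        if ($groups -contains $entry.Key) {
            $policyArgs = $entry.Value
            & $IpsecPol @policyArgs
            return $entry.Key           # name of the mapping that was applied
        }
    }
    return $null                        # no matching group: machine policy left untouched
}

Invoke-PerUserIpsecPolicy
```

The ACL check covers the file only; the folder holding it needs the same treatment, because a user with write access to the directory can delete and recreate the file regardless of the file's own DACL. A user who is in more than one IPSecPolicy group gets the first mapping listed, which is the only sensible outcome when a single policy can be assigned per computer.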




