Re: IPSec policy How to remove it?

From: Ion Marculescu (ionm_at_bluewin.ch)
Date: 11/25/03

Date: Tue, 25 Nov 2003 07:18:06 +0100

Thank you for your answer. I will try to reproduce the scenario. I am
looking for a general solution to undo a very bad Domain Policy which makes
communication impossible between a domain member and the domain controllers.
There are some parameters in the GPO which, if they are wrong, make
communication impossible. IPSec is only one example. Another example is if
you deny everyone the right to access this computer from the network or
deny everyone the right to log on locally. This kind of very bad setting
is very difficult to undo and I am looking for a general solution to remove
the domain security policy to make the computer work. Leaving the domain to
join a workgroup is not a solution because some security settings are still
persistent. Modifying the local policy is not a solution when a domain policy
is implemented with bad parameters. If you have a method to modify the
registry I am very interested. Maybe this solution can help me in the
future.

"David Beder [MSFT]" <dbeder@online.microsoft.com> wrote in message
news: #PdlpBmsDHA.1756@TK2MSFTNGP09.phx.gbl...
> Unfortunately, win2k gp interactions aren't as refined as in win2k3.
> There are a few things you can do to clean up the issue by deleting various
> registry keys but I'd first try the following solution.
> 1) in the OU, assign the client policy
> 2) on the afflicted servers, set the ipsec service to disabled
> 3) join the servers to the new OU to get the new client policy applied,
> overwriting the server policy (you might want to use secedit to force a
> refresh just to make sure)
> 4) set the ipsec service back to its original autostart setting
> 5) unassign the client policy in the OU
> 6) use secedit to force a policy refresh on the servers or just reboot them
>
> If this doesn't seem to work let me know and I'll walk you through some of
> the registry whacking stuff, but even then it'll probably still require
> steps 1 and 5.
>
> As for why the machines won't communicate to each other in the first place,
> the usual cause is that the Server policy requires kerberos as an
> authentication mechanism. For kerberos authentication, communication with
> the DC is required and you get into a circular argument.
>
> --
> David
> Microsoft Windows Networking
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Ion Marculescu" <ionm@bluewin.ch> wrote in message
> news:Ovws4AUsDHA.2060@TK2MSFTNGP10.phx.gbl...
> > I made a test today with 2 computers in an OU. I activated the IPSec
> > Secure Server (Require Security) policy in a GPO linked to one OU. Result:
> > both computers are unable to communicate with each other. I understand that
> > communication is impossible with domain controllers which have no IPSec
> > policy, but I cannot understand why they cannot communicate with each
> > other. Now I cannot reverse it. I removed the policy in the domain but the
> > 2 computers are not able to communicate with the DC. I tried to modify the
> > local policy without any result. I made the computers part of a workgroup.
> > The policy is still in function. I cannot remove this IPSec policy. I know
> > that to reverse security parameters you must make a policy with other
> > parameters; it is not enough to remove the policy. I tried to apply the
> > "setup security" template with secedit without result. How to remove the
> > IPSec policy? How to restore the security parameters on a computer which is
> > now part of a workgroup and remove the IPSec policy which was applied when
> > it was part of a domain and make this computer work?
> > Some years ago I had a similar problem with a bad policy implemented in the
> > domain and even when you configure the computer as part of a workgroup the
> > security parameters continue to apply and the computer is out of function.
> > I think that it must be possible to reset the security parameters on a
> > computer in such a situation.
> >
> >
>
>
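The six-step recovery in David's quoted reply, automated for one afflicted server as an added example (this is not code from the thread or from Microsoft). It assumes a host with PowerShell and gpupdate (XP/2003 or later; on Windows 2000 the equivalent refresh is `secedit /refreshpolicy machine_policy /enforce`), that the IPSec service is named PolicyAgent, and that the Group Policy IPsec extension records the assigned domain policy under the GPTIPSECPolicy registry key with the DSIPSECPolicyName/DSIPSECPolicyPath values.

```powershell
# Added example: automates steps 2-4 of the reply above on one locked-out server.
# Run elevated, after the OU has been given the "Client (Respond Only)" policy (step 1).
# Assumes XP/2003 or later (gpupdate); on Windows 2000 use:
#   secedit /refreshpolicy machine_policy /enforce

$svc = 'PolicyAgent'   # service name behind "IPSEC Services" / IPSec Policy Agent

# Read-only check first: which domain IPsec policy did the GP extension last apply?
# (key path and value names are assumed to be the standard GP IPsec cache location)
$gpt = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy'
$assigned = Get-ItemProperty -Path $gpt -ErrorAction SilentlyContinue
if ($assigned) {
    "Assigned by GPO: $($assigned.DSIPSECPolicyName)  ($($assigned.DSIPSECPolicyPath))"
} else {
    "No GPO-assigned IPsec policy recorded under $gpt"
}

# Step 2: remember the original start type, then stop and disable the agent so the
# cached "Require Security" rules stop being enforced and Kerberos to the DC can flow
# again (this breaks the circular dependency David describes).
$orig = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode   # Auto / Manual
Stop-Service -Name $svc -Force
Set-Service -Name $svc -StartupType Disabled

# Step 3: force a machine policy refresh so the OU's client policy overwrites the
# server policy now that the DC is reachable.
gpupdate /target:computer /force

# Step 4: put the start type back as it was and start the agent; it now loads the
# client policy instead of the stale server policy.
$mode = if ($orig -eq 'Auto') { 'Automatic' } else { 'Manual' }
Set-Service -Name $svc -StartupType $mode
Start-Service -Name $svc

# After steps 5 and 6 (unassign in the OU, refresh again) re-run this check; the
# policy name should be gone, confirming nothing is still cached on the member.
Get-ItemProperty -Path $gpt -ErrorAction SilentlyContinue | Select-Object DSIPSECPolicyName
```

Steps 1, 5 and 6 remain domain-side actions on the OU, which is why the reply notes they are needed even if the registry route is taken.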
