IPSec GPO -- Cannot Save

Tutorials Win: Microsoft Windows Forum

Sorry, had trouble finding a GPO group. I'm interested in applying an IPsec
policy via GPO, but have found that I cannot save any changes. I had assumed
the new policy options in Vista/2008 would allow multiple Active Directory
IPsec policies, unlike the 2003/XP policy options, and allow to save them as
any other GPO. I was wondering if the saving issues I'm having (if so) are
permissions related, as I am not a domain admin (only OU administrator), and
if so, is there any way to add specific targetted permissions to my account
which would allow saving of the IPSec GPO to my OU. Thanks all.
Top

Re: IPSec GPO -- Cannot Save by Herb

Herb
Tue Jun 17 09:18:51 PDT 2008


"MichaelFaulkner" <MichaelFaulkner@discussions.microsoft.com> wrote in
message news:BE00775A-CA88-48A4-A905-FEE1E21C9B24@microsoft.com...
> Sorry, had trouble finding a GPO group.

This is cool. GPOs are part of AD.

You can usefully crosspost the same message (not two different
ones) to the IPSec group to probably.

> I'm interested in applying an IPsec
> policy via GPO, but have found that I cannot save any changes.

Are you editing one of the existing GPOs? (e.g., default domain
gpo?)

Are the admin? Can you create a new one?

What tool are you using?

What error message do you get (be precise)...

> I had assumed
> the new policy options in Vista/2008 would allow multiple Active Directory
> IPsec policies, unlike the 2003/XP policy options, and allow to save them
> as
> any other GPO.

GPOs have always allowed MANY IPSec policies but only one
IPSec policy can be active on a machine at any one time.

It can have as many rules, filters, actions as you wish.

> I was wondering if the saving issues I'm having (if so) are
> permissions related,

Likely. Or indirectly as Authentication issues if this is on
the domain (and not the Local GPO.)


> as I am not a domain admin (only OU administrator), and
> if so, is there any way to add specific targetted permissions to my
> account
> which would allow saving of the IPSec GPO to my OU. Thanks all.

Yes. A GPO is an AD object and so can have permission that allow
you to delegate or be delegated control over it. (They are roughly
similar to NTFS file permissions.)



Top

Re: IPSec GPO -- Cannot Save by MichaelFaulkner

MichaelFaulkner
Tue Jun 17 09:45:01 PDT 2008

Thanks. In the Group Policy Management Editor, trying to create a new IPSec
policy in our active directory under my OU, I receive an access denied
80070005 -- sounds like a permissions error to me. Just tryning to determine
what and where the policy is trying to be applied and writing to so I can
request opening of AD permissions if possible, and if I can apply just to my
OU.


"Herb Martin" wrote:

>
> "MichaelFaulkner" <MichaelFaulkner@discussions.microsoft.com> wrote in
> message news:BE00775A-CA88-48A4-A905-FEE1E21C9B24@microsoft.com...
> > Sorry, had trouble finding a GPO group.
>
> This is cool. GPOs are part of AD.
>
> You can usefully crosspost the same message (not two different
> ones) to the IPSec group to probably.
>
> > I'm interested in applying an IPsec
> > policy via GPO, but have found that I cannot save any changes.
>
> Are you editing one of the existing GPOs? (e.g., default domain
> gpo?)
>
> Are the admin? Can you create a new one?
>
> What tool are you using?
>
> What error message do you get (be precise)...
>
> > I had assumed
> > the new policy options in Vista/2008 would allow multiple Active Directory
> > IPsec policies, unlike the 2003/XP policy options, and allow to save them
> > as
> > any other GPO.
>
> GPOs have always allowed MANY IPSec policies but only one
> IPSec policy can be active on a machine at any one time.
>
> It can have as many rules, filters, actions as you wish.
>
> > I was wondering if the saving issues I'm having (if so) are
> > permissions related,
>
> Likely. Or indirectly as Authentication issues if this is on
> the domain (and not the Local GPO.)
>
>
> > as I am not a domain admin (only OU administrator), and
> > if so, is there any way to add specific targetted permissions to my
> > account
> > which would allow saving of the IPSec GPO to my OU. Thanks all.
>
> Yes. A GPO is an AD object and so can have permission that allow
> you to delegate or be delegated control over it. (They are roughly
> similar to NTFS file permissions.)
>
>
>
>
Top

Re: IPSec GPO -- Cannot Save by Herb

Herb
Tue Jun 17 14:14:20 PDT 2008


"MichaelFaulkner" <MichaelFaulkner@discussions.microsoft.com> wrote in
message news:8D8F30D7-21A9-4089-B26B-A5D6610B8E81@microsoft.com...
> Thanks. In the Group Policy Management Editor, trying to create a new
> IPSec

You likely mean GP Editor.

> policy in our active directory under my OU, I receive an access denied
> 80070005 -- sounds like a permissions error to me.

Me too.

> Just tryning to determine
> what and where the policy is trying to be applied and writing to so I can
> request opening of AD permissions if possible, and if I can apply just to
> my
> OU.

It's a permission on the GPO Write/change to alter that policy

If you are creating a new GPO then you need "Link Group Policy" on the OU to
LINK it there.


> "Herb Martin" wrote:
>
>>
>> "MichaelFaulkner" <MichaelFaulkner@discussions.microsoft.com> wrote in
>> message news:BE00775A-CA88-48A4-A905-FEE1E21C9B24@microsoft.com...
>> > Sorry, had trouble finding a GPO group.
>>
>> This is cool. GPOs are part of AD.
>>
>> You can usefully crosspost the same message (not two different
>> ones) to the IPSec group to probably.
>>
>> > I'm interested in applying an IPsec
>> > policy via GPO, but have found that I cannot save any changes.
>>
>> Are you editing one of the existing GPOs? (e.g., default domain
>> gpo?)
>>
>> Are the admin? Can you create a new one?
>>
>> What tool are you using?
>>
>> What error message do you get (be precise)...
>>
>> > I had assumed
>> > the new policy options in Vista/2008 would allow multiple Active
>> > Directory
>> > IPsec policies, unlike the 2003/XP policy options, and allow to save
>> > them
>> > as
>> > any other GPO.
>>
>> GPOs have always allowed MANY IPSec policies but only one
>> IPSec policy can be active on a machine at any one time.
>>
>> It can have as many rules, filters, actions as you wish.
>>
>> > I was wondering if the saving issues I'm having (if so) are
>> > permissions related,
>>
>> Likely. Or indirectly as Authentication issues if this is on
>> the domain (and not the Local GPO.)
>>
>>
>> > as I am not a domain admin (only OU administrator), and
>> > if so, is there any way to add specific targetted permissions to my
>> > account
>> > which would allow saving of the IPSec GPO to my OU. Thanks all.
>>
>> Yes. A GPO is an AD object and so can have permission that allow
>> you to delegate or be delegated control over it. (They are roughly
>> similar to NTFS file permissions.)
>>
>>
>>
>>


Top