Chuck-

Sorry, it's been a while since I've touched IPSec. So IPSec is not supported through .inf security templates--you're using the right approach. I confirmed that it is possible to import an IPSec policy created on a local workstation GPO into a domain-based GPO. I did it and it worked just fine. Of course, I was logged on as Administrator on the domain.

You should have your administrator who set up your permissions confirm that you have sufficient permissions on that GPO. I have found that the clearest tool to use for this kind of delegation is GPMC. It presents delegation through the Delegation tab on the GPO and provides a clear set of rights for the different levels of GPO access. If you try to do this using the Delegation of Control Wizard, it's not nearly as clear, nor is it geared towards delegating GPO rights, since when you permission a GPO, you have to permission both the part of it held in AD and the part held in SYSVOL.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Carerros
Sent: Thursday, April 15, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Importing IPSEC Policies into an OU

What I have is an exported .ipsec file (that was created on a local workstation). It contains the tested and fully functional IPSEC policy that I was advised to implement, so my plan was to export the policy from the local machine and then import it into the GPO.

I am the GPO administrator and I can change the IPSEC stuff, I'm just not able to import the .ipsec file in the security area. I was just trying to figure out if you were able to conduct that type of import on a GPO or if that only works on local workstations (which doesn't make sense) or the guy who set up my permissions may have just made a mistake when he granted me the admin rights to the GPO.

I guess I can ask the admin to recheck my privileges on the GPO to ensure that he has me set with the IPSEC part, but that doesn't seem that plausible of an option considering he said that he granted my privileges using the delegate administration feature.

Is there a big difference between using the .ipsec file instead of the .inf file?

Thanks,
chuck

Darren Mar-Elia wrote:
> Charles-
> When you say you're importing IPSEC, I assume this means you have an
> .inf file that you've created that you're importing into an OU-linked GPO?
> The ability to make changes to a GPO is governed by the permissions
> on the GPO object itself, which is not stored in the OU but rather
> under the System\Policies container in your domain (and also in
> SYSVOL). If you view the permissions on the GPO object itself, you
> should be able to see if you have modify rights on that GPO. If you
> don't, you'll need to get the owner of that GPO to grant you those
> rights explicitly for that GPO.
>
> Darren
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles
> Carerros
> Sent: Thursday, April 15, 2004 6:49 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Importing IPSEC Policies into an OU
>
> Hey all,
>
> This might seem kinda odd and maybe I'm just doing something wrong.
>
> But I tried to import an IPSEC policy (that basically just does port
> blocking) into an AD but I keep getting rejected due to permissions
> (apparently).
>
> Now I don't have Domain Admin rights to the domain, however I have
> been delegated complete authority to the OU that I'm working in. Does
> anyone know if there are additional issues dealing with the importing
> of IPSec policies at OU levels that I might be missing?
>
> Thanks,
>
> Chuck
>
> --
> Charles D. Carerros
> Systems Administrator
> Information Technology Office
> College of Letters and Science
> University of Wisconsin -- Milwaukee
> [EMAIL PROTECTED]
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Charles D. Carerros
Systems Administrator
Information Technology Office
College of Letters and Science
University of Wisconsin -- Milwaukee
[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
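
The reply at the top of this thread notes that a GPO is permissioned in two places, the object in AD and the folder in SYSVOL. The PowerShell below is an added example, not part of the original thread, that reports a trustee's rights in both places next to what GPMC's Delegation tab shows. It assumes the GroupPolicy and ActiveDirectory modules are installed; the GPO name and account name in the usage comment are hypothetical.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and
# ActiveDirectory RSAT modules and read access to the GPO.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoDelegationReport {
    param(
        [Parameter(Mandatory)] [string] $GpoName,  # GPO display name
        [Parameter(Mandatory)] [string] $Trustee   # sAMAccountName of a user or group
    )
    $gpo    = Get-GPO -Name $GpoName
    $domain = Get-ADDomain
    $guid   = $gpo.Id.ToString('B').ToUpper()      # {GUID}, the name used in both stores

    # 1. The combined view that GPMC's Delegation tab presents.
    $gpmc = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $Trustee }

    # 2. AD half: the GPO object under CN=Policies,CN=System.
    $adPath = "AD:\CN=$guid,CN=Policies,CN=System,$($domain.DistinguishedName)"
    $adAces = (Get-Acl -Path $adPath).Access | Where-Object {
        $_.IdentityReference -like "*\$Trustee" -and $_.AccessControlType -eq 'Allow'
    }

    # 3. SYSVOL half: the policy folder on the domain SYSVOL share.
    $fsPath = "Microsoft.PowerShell.Core\FileSystem::\\$($domain.DNSRoot)\SYSVOL\" +
              "$($domain.DNSRoot)\Policies\$guid"
    $fsAces = (Get-Acl -Path $fsPath).Access | Where-Object {
        $_.IdentityReference -like "*\$Trustee" -and $_.AccessControlType -eq 'Allow'
    }

    $adWrite = [bool]($adAces | Where-Object {
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty })
    $fsWrite = [bool]($fsAces | Where-Object {
        $_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write })

    [pscustomobject]@{
        Gpo            = $gpo.DisplayName
        Trustee        = $Trustee
        GpmcPermission = ($gpmc.Permission -join ', ')
        GpmcEdit       = [bool]($gpmc | Where-Object { "$($_.Permission)" -match '^GpoEdit' })
        AdWrite        = $adWrite
        SysvolWrite    = $fsWrite
        Consistent     = ($adWrite -eq $fsWrite)   # false: one half was delegated, not the other
    }
}

# Usage (hypothetical names):
# Get-GpoDelegationReport -GpoName 'Workstation IPSec Policy' -Trustee 'chuck'
```

Only ACEs that name the trustee directly are matched; rights that arrive through group membership need the same check run against each group.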