An IPsec policy is not applied to a client computer when you apply a Group Policy object (923785)

SYMPTOMS

When you apply a Group Policy object (GPO) to a client computer, and the GPO contains an Internet Protocol security (IPsec) policy setting, the IPsec policy is not applied.

Additionally, nothing is written to the registry in the following scenario:

You delete the following registry keys:
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPsec\GPTIPSECPolicy
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPsec\Policy\Cache
You restart the computer. Or, you run the gpupdate /force command on the computer.

CAUSE

This problem occurs if the computer account to which you apply the Group Policy object does not have Read permissions and Apply Group Policy permissions for all child objects.

RESOLUTION

To resolve this problem, follow these steps:

On the domain controller, click Start, click Run, type dsa.msc, and then click OK.
Right-click the domain object, and then click Properties.
Click the Group Policy tab, and then click Open.
Double-click Group Policy Objects.
Click the Group Policy object that contains the IPsec policy.
Click the Delegation tab.
In the Groups and users area, click the computer account that you want to apply the IPsec policy to, and then click Advanced.
In the Security Settings dialog box, click Advanced.
In the Permission entries area, click the computer account that you want to apply the IPsec policy to, and then click Edit.
Click to select the Allow check boxes for the following permissions:
- Read Permissions
- Apply Group Policy
In the Apply onto box, select This object and all child objects.
Click OK three times.

MORE INFORMATION

For more information about how to use the Group Policy Management Console, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

For more information about Internet Protocol security, visit the following Microsoft Web site:

http://www.microsoft.com/technet/itsolutions/network/IPsec/default.mspx