IPsec rules per User


boomboom999

Is it possible to create a GPO that assigns IPSec rules per user and not
per computer?

Thank you
 
That is not possible in Windows 2000/2003/XP. Ipsec policies are only machine
aware [computer configuration] and only authenticate to the other computer. ---
Steve
 
Steven Umbach wrote:
That is not possible in Windows 2000/2003/XP. Ipsec policies are only machine
aware [computer configuration] and only authenticate to the other computer. ---
Steve


Is it possible to create a GPO that assigns IPSec rules per user and not
per computer?

Thank you

We have found a way to do that with a bit of scripting.
The main idea is the following.

1. Create user groups like IPSecPolicy1, IPSecPolicy2 etc.

2. Create one GPO that covers all computers that need IPSec

3. Run a startup script within this GPO which:
- creates a Scheduled Task
- configures this task to run as Local System
- configures this task to run at logon only (for any user)
- configures this task to execute the following script:

if the current User belongs to IPSecPolicy1
run Ipsecpol.exe <Policy1>
if the current User belongs to IPSecPolicy2
run Ipsecpol.exe <Policy2>
etc.

4. Assign users to the appropriate groups.

Done.

:)
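The logon-task script sketched in step 3, written out as an added PowerShell example (not the poster's own script): it maps the logged-on user's group membership to a policy name, refuses to run if its own file is writable by anyone other than SYSTEM or Administrators, and only then calls ipsecpol.exe. Assumptions: the task runs as SYSTEM on a domain-joined host with PowerShell 3 or later, ipsecpol.exe is on PATH and accepts the -w REG / -p / -x switches, and the group and policy names are placeholders.

```powershell
# Added example, not the poster's script; group/policy names are placeholders and ipsecpol.exe is assumed on PATH.
$GroupToPolicy = [ordered]@{
    'IPSecPolicy1' = 'Policy1'
    'IPSecPolicy2' = 'Policy2'
}
# A file that SYSTEM executes must be writable only by SYSTEM and Administrators;
# otherwise whoever can replace it runs code as LocalSystem at the next logon.
function Test-ScriptAclIsRestricted {
    param([string]$Path)
    $allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        if ($allowedWriters -notcontains $ace.IdentityReference.Value) { return $false }
    }
    return $true
}

# Direct group memberships via the WinNT ADSI provider (nested groups are not expanded).
function Get-UserGroupNames {
    param([string]$DomainUser)          # "DOMAIN\user"
    $domain, $name = $DomainUser -split '\\', 2
    $account = [ADSI]"WinNT://$domain/$name,user"
    foreach ($g in $account.Groups()) {
        $g.GetType().InvokeMember('Name', 'GetProperty', $null, $g, $null)
    }
}

# First matching group in $GroupToPolicy order wins, so a user in several groups gets a deterministic policy.
function Select-IpsecPolicy {
    param([string[]]$Groups)
    foreach ($entry in $GroupToPolicy.GetEnumerator()) {
        if ($Groups -contains $entry.Key) { return $entry.Value }
    }
    return $null
}

if (-not (Test-ScriptAclIsRestricted -Path $PSCommandPath)) {
    throw "Refusing to run: $PSCommandPath is writable by a non-administrator"
}
# The task runs as SYSTEM, so ask WMI for the interactive console user instead of GetCurrent().
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $user) { throw 'No interactive user is logged on' }
$policy = Select-IpsecPolicy -Groups @(Get-UserGroupNames -DomainUser $user)
if ($policy) {
    # Assumed ipsecpol.exe switches: -w REG = local registry store, -p = policy name, -x = set active.
    & ipsecpol.exe -w REG -p $policy -x
}
```

Register it with the task's "run as" set to SYSTEM and the script stored in a directory whose ACL matches the check above; the check is what keeps step 3 from becoming a local privilege escalation path.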
 
Cool. That is a clever way to assign an ipsec policy based on the logged-on user,
and if it works the way you expect that is great, and thanks for sharing
that. However, to be accurate, it is not a way of assigning ipsec rules per
user. Rules simply contain a filter with definitions for
ports/protocol/IPs and a filter action. --- Steve




 
Hi,

When Vista gained multiple local group policies I asked whether
these would only be for user policies, or if computer policies would
in cases be included. I was thinking of the usefulness of having a
different firewall config for the kids, for guests, for the spouse, etc.
Similarly, in earlier days I have asked about a sort of reverse loopback,
where some computer policies could be applied based on the user
that logged in to trigger GPO application (this would directly address
what you are after). In both cases just mentioned I have met with
no joy, but have found some in MS Windows dev that see the
flexibility it could bring. In short, it is not there today, and last that
I have heard it will not be in Longhorn/Vista either.

I hope that you are securing the script/code of the scheduled task well,
since it is otherwise trivial to elevate privileges by simply replacing the
script/code file which you have set to run as LocalSystem.

Roger


 