IPSec Policy Issue

    Question

  • We push out an IPSec policy via GPO. The policy updates and is applied to the target machines correctly, but we get the error below when run from a command prompt. We deleted the previous policy and created a new policy, which I've found to be the wrong way of removing a policy. I've deleted the registry key on the machines that holds the policy info, but still receive this error. The error is also logged in the event viewer. When running Group Policy Modeling, no errors are found and the correct policy is shown. When running Group Policy Results in Advanced view, errors are displayed and the deleted policy is shown, with the message "The policy object does not exist."

    Does anyone have suggestions on what may be causing this and how to fix it?

    Error when running gpupdate /force from a command prompt. 

    Updating Policy...

    User Policy update has completed successfully.
    Computer Policy update has completed successfully.

    The following warnings were encountered during computer policy processing:

    Windows failed to apply the IP Security settings. IP Security settings might have its own log file. Please click on the "More information" link.
    Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

    For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    Friday, April 22, 2016 7:59 PM

Answers

  • Hi,
    If we delete IPSec policies, we should first unassign the IPSec policy in the Group Policy object, wait 24 hours to ensure that the change is propagated, and then delete the IPSec policy. In your case, deleting IPSec policies incorrectly may cause the IPSec CSE to still be used by another GPO. To fix it, we could try the steps below:
    1. Find the old IPSec policy in Registry Editor, which should be under:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
    with a link to the deleted object, e.g. "DSIPSECPolicyPath"="LDAP://CN=ipsecPolicy{12345678-abcd-1a2b-5478-12345678}\\0ADEL:<GUID>,CN=Deleted Objects,DC=domain,DC=com"
    2. Search for the deleted IPSec policy link in all existing GPOs. We can use LDIFDE to export it by running the following command:
    ldifde -r "(ipSecOwnersReference=CN=ipsecPolicy{12345678-abcd-1a2b-5478-12345678}\\0ADEL:<GUID>,CN=Deleted Objects,DC=domain,DC=com)" -f C:\ipsecPolicies.txt
    We will find an export of the problematic GPO's GUID that contains the link to the deleted IPSec policy.
    3. Use LDP.exe or the Properties of the GPO to determine the GUID of a GPO; see details at:
    https://support.microsoft.com/en-us/kb/216359#bookmark-5
    4. When you find the problematic GPO, you could re-create this GPO and delete the old one.
    5. Ensure that DC replication is working well at that time, then check whether the error occurs again.
    Here is a similar thread which you could refer to:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c2c66d74-0967-49ac-994c-eba7c08c7dc0/windows-failed-to-apply-ip-security-settings?forum=winserverGP

    Regards,
    Wendy



    Monday, April 25, 2016 7:37 AM
    Moderator
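A PowerShell diagnostic, added here and not posted by Wendy or anyone else in the thread, that automates steps 1 and 2 of the answer: it reads DSIPSECPolicyPath from the GPTIPSECPolicy key on the local machine and then lists directory objects whose ipSecOwnersReference still points at a tombstone (the \0ADEL: / CN=Deleted Objects form quoted in the answer). It assumes the RSAT ActiveDirectory module is installed and that the machine can query a domain controller; the attribute name and registry path come from the answer.

```powershell
# Added diagnostic, not from the original thread.
# Registry key named in the answer as the place the assigned IPsec policy is recorded.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy'

# A DN that now refers to a tombstone carries "\0ADEL:" and sits under
# "CN=Deleted Objects", matching the example value in the answer.
function Test-DanglingIPSecPath {
    param([string]$Path)
    return ($Path -match '0ADEL:' -or $Path -match 'CN=Deleted Objects')
}

# 1. Local machine: which IPsec policy does this computer still think it is assigned?
if (Test-Path $KeyPath) {
    $dsPath = (Get-ItemProperty -Path $KeyPath).DSIPSECPolicyPath
    if ($dsPath) {
        $state = if (Test-DanglingIPSecPath $dsPath) { 'DANGLING (points at a tombstone)' } else { 'ok' }
        Write-Output ("Local DSIPSECPolicyPath: {0}`n  -> {1}" -f $dsPath, $state)
    } else {
        Write-Output 'GPTIPSECPolicy key present but no DSIPSECPolicyPath value.'
    }
} else {
    Write-Output 'No GPTIPSECPolicy key: no domain IPsec policy is recorded on this machine.'
}

# 2. Directory: which objects still carry an ipSecOwnersReference to a deleted policy?
#    Pulling every object that has the attribute and filtering client-side avoids
#    hand-escaping the backslash in the tombstone DN inside an LDAP filter, which the
#    ldifde one-liner in the answer requires.
Import-Module ActiveDirectory -ErrorAction Stop
$refs = Get-ADObject -LDAPFilter '(ipSecOwnersReference=*)' `
                     -Properties ipSecOwnersReference, displayName
foreach ($obj in $refs) {
    foreach ($ref in $obj.ipSecOwnersReference) {
        if (Test-DanglingIPSecPath $ref) {
            # For a groupPolicyContainer the object Name is the GPO GUID, which is what
            # step 3 of the answer has you look up; displayName is the friendly GPO name.
            Write-Output ("{0} ({1}) -> dangling reference: {2}" -f $obj.Name, $obj.displayName, $ref)
        }
    }
}
```

Run it on a machine that logs the IP Security warning; step 1 confirms the stale path the client holds and step 2 names the GPO to re-create, after which the usual replication wait and gpupdate /force apply.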