Assign an IPsec Policy to a GPO for Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

After creating all of the rules required in an IPsec policy, you must assign the policy in the GPO to make it apply to the computers that receive the GPO.

Administrative credentials

To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To assign an IPsec policy to the GPO

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, right-click the domain isolation policy that you created earlier, and then click Assign.


Make sure that you assign an IPsec policy only to the GPO or GPOs that will apply those settings to the correct client and server computers. If you assign the policy to the wrong GPOs, then network communications will not be protected as expected, and might fail.


Only one IPsec policy can be active on a computer at a time. The Group Policy Management Editor allows you to specify only one active IPsec policy in a GPO, but if multiple GPOs with IPsec policies apply to a computer, then the IPsec policy that applies to the computer depends on the precedence of the GPOs and the order in which they are applied. For more information, see Group Policy Processing and Precedence (<A class=uri href="">

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.