When trying to create or change an IPSec policy, you get an error message that reads: "The following error occurred when saving IP Security data: Access is denied. (80070005)."
Unfortunately, IP Security Policies are very similar to WMI Filters in that they are entirely separate entities from the GPOs themselves. A GPO can have an IPSec policy assigned to it, in the same way that you can link a WMI Filter to a GPO. However, the means of editing IP Security Policies has been built directly into the GPO Editor. Since the editor runs under the context of the client user, that user must have write access to the IP Security Policies container in order to edit them.
In order to edit or create IP Security Policies, the client user will need to be granted explicit access to the IP Security Policies container in AD.
By default, in Windows Server 2003, Active Directory restricts Read permissions on the IP Security Policies container to a greater degree than in Windows 2000. If you are deploying a new installation of Windows Server 2003 Active Directory, be aware that IPSec policies cannot be read by computers in child domains, even though the GPO can be read by computers in the child domain. The domain administrator must explicitly allow permissions for computers in child domains to read the IPSec policy from the parent domain.
For clean Windows Server 2003 installations of Active Directory, the Group Policy Creator Owners administrative group does not have permission by default to create or modify IPSec policies. By default, only members of the Domain Admins group have this permission, and the Group Policy Creator Owners group has read-only permission. Upgrades of Windows 2000 Active Directory domains to Windows Server 2003 domains do not change permissions on existing IPSec policy objects.
Domain-based IPSec policy objects are stored in the IP Security Policies container in Active Directory, which is separate from the GPOs to which IPSec policies are applied. The domain administrator must grant permissions to the IP Security Policies container for other delegated administrators to administer IPSec policies. Standard delegation tools cannot be used to delegate permissions to administer IPSec policies. Instead, domain administrators must use the Active Directory Service Interfaces (ADSI) Edit tool for this purpose.
ADSIEdit is a Microsoft Management Console (MMC) snap-in that domain administrators can use to edit objects in the Active Directory database. When domain administrators delegate permissions to others to administer IPSec policies, the delegated administrators must have Full Control permissions to all IPSec policy objects in the IP Security Policies container.
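To verify a delegation made this way, the following read-only audit lists every object in the IP Security Policies container and reports whether a delegated group holds Full Control on it. It is an added example, not part of the original article. It assumes the ActiveDirectory PowerShell module is installed, that the container is CN=IP Security under CN=System, and it uses a hypothetical group name, `CONTOSO\IPSec Policy Admins`.

```powershell
# Added example: read-only audit, makes no changes to Active Directory.
# Requires the ActiveDirectory module (RSAT), which also provides the AD: drive.
Import-Module ActiveDirectory

# Assumption: hypothetical delegated group; replace with your own.
$Delegate = 'CONTOSO\IPSec Policy Admins'

# Assumption: the IP Security Policies container is CN=IP Security under CN=System.
$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=IP Security,CN=System,$domainDN"

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# The container itself plus every IPSec policy object stored beneath it.
$objects = Get-ADObject -SearchBase $container -SearchScope Subtree -Filter *

$report = foreach ($obj in $objects) {
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    # Allow ACEs that name the delegate directly, apply to this object
    # (not inherit-only), cover the whole object, and grant Full Control.
    # Access obtained through nested group membership is not resolved here.
    $full = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Delegate -and
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll
    }

    [pscustomobject]@{
        Object      = $obj.DistinguishedName
        Class       = $obj.ObjectClass
        FullControl = [bool]$full
        Inherited   = [bool]($full | Where-Object IsInherited)
    }
}

# Rows with FullControl = False are objects the delegate cannot administer,
# which is the condition that produces "Access is denied. (80070005)".
$report | Sort-Object FullControl, Object | Format-Table -AutoSize
```

Run it as an account that can read the container's security descriptors, and review the output after each delegation change so that Full Control is held only by the groups intended to administer IPSec policy.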