Re: EFS Errors

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/17/05


Date: Tue, 16 Aug 2005 18:45:11 -0500

You don't mention the operating system of the domain controller or the
domain computers but there is a KB article that refers to the errors you are
seeing that may help provide a clue as shown below.

http://support.microsoft.com/?id=842804

Disabling DFS can disrupt your Group Policy propagation which may be causing
your EFS errors if you have changed your Recovery Agent Certificate. The EFS
error could be caused by an expired or absent EFS RA certificate, which
Windows 2000 computers require before users on a W2K computer can encrypt
files via EFS. I would run the support tools netdiag, dcdiag, and gpotool on
your domain controller to make sure no serious problems are found that could
prevent Group Policy from working correctly. Also run netdiag on at least
one of the domain computers that is having problems with EFS and the support
tool gpresult to see what Group Policy is being applied to the domain
computer and the last time it was applied. Verify that the user has a
certificate that can be used for file encryption in their local certificate
user store that is available via the mmc snapin for user certificates in the
personal/certificates folder. It is not a good idea to delete
certificates/private keys as that could result in the inability of a user or
Recovery Agent to decrypt files that have previously been encrypted. You can
use the efsinfo utility to see what certificates/private key can decrypt an
EFS file for user and RA. If you are using Group Policy to manage the
Recovery Agent for the domain make sure that a valid certificate is
configured as the RA and that domain computers within the scope of
management are receiving the Group Policy. Gpresult can help determine that.
You can use the /v or /z switch for more info using gpresult. If using GPMC
or a Windows 2003 domain controller, the Resultant Set of Policy mmc snapin can
help determine Group Policy applied to a user or computer. It can take up
to two hours for changes to Group Policy to propagate to domain
computers/users unless you use gpupdate/secedit or logoff/reboot to speed up
propagation. --- Steve

"LarMan" <LarMan@discussions.microsoft.com> wrote in message
news:B0F6320C-7D9B-4B7F-BD8E-6F8A27FFA48D@microsoft.com...
> Hello, I have been encrypting fine until about 1 week ago. For various
> reasons I stopped and disabled DFS on the AD server. Then my EFS went nuts
> so I turned it back on but I am still getting errors about encrypting files.
> The errors are 1058 and 1030 as well as the EFS 6028. I have renewed certs
> and deleted all and requested new certs, nothing is working. I looked for the
> dfsenable in the registry key MUP but did not find one and am hesitant to
> add one. I am able to encrypt on the server but no one is able to encrypt on
> the workstation. Any help would be much appreciated.
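
The certificate check suggested in the reply above (a usable file-encryption certificate in the user's Personal store), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later, which Windows 2000 does not include; the function name Get-EfsCertStatus is hypothetical.

```powershell
# Added example: report certificates in a certificate store that carry the
# EFS or File Recovery enhanced key usage, with validity and private key state.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent) EKU

function Get-EfsCertStatus {
    # Hypothetical helper; defaults to the current user's Personal store.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # Certificates with no EKU extension are skipped in this example.
        if (-not $eku) { continue }

        $oids  = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $roles = @()
        if ($oids -contains $EfsOid)      { $roles += 'EFS' }
        if ($oids -contains $RecoveryOid) { $roles += 'File Recovery' }
        if ($roles.Count -eq 0) { continue }

        # Validity dates are checked first, then presence of the private key,
        # without which the certificate cannot decrypt anything.
        if ($cert.NotAfter -lt $now) {
            $status = 'EXPIRED'
        } elseif ($cert.NotBefore -gt $now) {
            $status = 'NOT YET VALID'
        } elseif (-not $cert.HasPrivateKey) {
            $status = 'NO PRIVATE KEY'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Role       = $roles -join ', '
            Status     = $status
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
        }
    }
}

Get-EfsCertStatus | Sort-Object NotAfter | Format-Table -AutoSize
```

The thumbprints it prints can be compared against what efsinfo reports for an encrypted file.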


