Re: EFS Errors
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/19/05
- Previous message: Phil Agcaoili: "Re: Export laws for IE in China and India"
- In reply to: LarMan: "Re: EFS Errors"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 19 Aug 2005 16:47:56 -0500
Glad you are making progress. Keep in mind that when you have more than one
GPO in an OU, the one at the top of the list has the highest priority
[applied last] if more than one GPO has the same setting defined. Since your
computers are all XP Pro they do not require an RA to use EFS; however, Group
Policy can be used to disable EFS on XP Pro computers. See how that is done
in the link below and double check your Group Policy to make sure that it is
not configured that way, as that could be part of your problem. You could
edit the Group Policy security settings for XP Pro computers either by using
the Windows 2003 domain controller or from an XP Pro computer while logged
on as a domain admin using the mmc snapin for the Group Policy editor. ---
Steve
http://searchwindowssecurity.techtarget.com/generic/0,295582,sid45_gci1050446,00.html
To disable EFS:
1. Open the default domain GPO.
2. For a Windows Server 2003 domain:
   a. Right-click the Public Key Policies, Encrypting File System policy.
   b. Right-click the Encrypting File System folder and select Properties.
   c. Uncheck Allow Users to Encrypt Files Using Encrypting File System (EFS).
"LarMan" <LarMan@discussions.microsoft.com> wrote in message
news:342529DE-8720-4DA4-B8E8-9CB3AC3F1580@microsoft.com...
> Steve,
>
> The client machines are all XP. The lead DC is WIN2K and the other DC is
> WIN2K3. DFS is turned off (and always has been) on the WIN2K3 machine.
>
> As per your advice I created another OU and moved a test machine there and
> BAM!! It works. I added some GPO's to the OU and I am waiting to see that
> all is well before making the other machine moves. I also added an RA as
> you suggested. This seems to have worked. Thanks a bunch!! And thanks for
> being patient with me.
>
>
> "Steven L Umbach" wrote:
>
>> Is this happening on just Windows 2000 computers where you can not encrypt
>> files locally and if so what specific error message do they get if any??
>> The reason I ask is that Windows 2000 computers require an RA to encrypt
>> files while XP Pro does not. I am wondering if the Windows 2000 computers
>> are getting a Group Policy with an invalid RA [such as being expired] or a
>> Group Policy with no RA, which will also prevent Windows 2000 computers
>> from encrypting files. Like I suggested earlier, try running RSOP on the
>> Windows 2003 domain controller in logging mode and select a computer that
>> can not use EFS to analyze, and look at the settings under computer
>> configuration/Windows settings/security settings/public key
>> policies/encrypted file system to see if the RA shows for that computer.
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;222022&sd=tech ---
>> make sure this is not the configuration - an "empty" policy for EFS.
>>
>> If problems persist I would try creating a new OU with a new GPO linked to
>> it with the RA certificate configured in public key policies, move a couple
>> of problem computers into that OU and reboot them to see if that helps. The
>> new OU could be a child OU of an existing OU. The links below explain how
>> to use RSOP on a Windows 2003 Server. The reason it probably works on the
>> server is because the server is using the RA or does not need it. ---
>> Steve
>>
>> http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Planning-Logging.html
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;323276
>>
>> "LarMan" <LarMan@discussions.microsoft.com> wrote in message
>> news:280844CB-E000-4F3E-B1CA-CCBBFA02A502@microsoft.com...
>> > Steve,
>> >
>> > One curious thing. I am able to encrypt on the server from the
>> > desktop/client.
>> >
>> > LarMan
>> >
>> > "LarMan" wrote:
>> >
>> >> Hi Steve,
>> >>
>> >> The RA on the server is the same one all along, nothing has changed
>> >> there. I can encrypt on the server itself (logged in as admin), at
>> >> least I do not get errors. The server has several certs that are
>> >> expired but there are several that are not. It appears that the
>> >> general health of the GPO is good. I am just going to purchase PGP
>> >> and encrypt my whole disk. That does not cover the others though.
>> >>
>> >> You say to do this:
>> >> > Resultant Set of Policy for one of the problem computers to see what
>> >> > Group Policy settings it reports for public key and that it is what
>> >> > you expect
>> >> How?
>> >>
>> >> Anything else I can try?
>> >>
>> >> LarMan
>> >>
>> >> "Steven L Umbach" wrote:
>> >>
>> >> > Is the problem happening on just Windows 2000 domain computers, XP
>> >> > Pro, or both?? Is the RA still valid in that it has not expired? Is
>> >> > that the same RA that you have been using all along or has it been
>> >> > recently replaced? On the Windows 2003 domain controller try running
>> >> > the mmc snapin for Resultant Set of Policy for one of the problem
>> >> > computers to see what Group Policy settings it reports for public key
>> >> > and that it is what you expect. --- Steve
>> >> >
>> >> > http://support.microsoft.com/default.aspx?scid=kb;en-us;323276 ---
>> >> > using RSOP.
>> >> >
>> >> > "LarMan" <LarMan@discussions.microsoft.com> wrote in message
>> >> > news:A085C584-9324-4838-BB99-D75843473272@microsoft.com...
>> >> > > Hi Steve,
>> >> > >
>> >> > > Sorry it took a few days but work got in the way. I checked the GPO
>> >> > > being applied and it is the right one from the Win2K domain-AD, the
>> >> > > other DC is also an AD running Win2k3. The machine policy is being
>> >> > > applied but one of the user policies is being filtered (WSUS). I
>> >> > > suspect that this is fine since WSUS has been running well for some
>> >> > > time. This problem with EFS has only started happening recently. I
>> >> > > checked the RA and the admin is the only cert there. Should there
>> >> > > be others? If so who and how do they get there? What else could be
>> >> > > wrong? Thanks for your help.
>> >> > >
>> >> > > LarMan
>> >> > >
>> >> > > "Steven L Umbach" wrote:
>> >> > >
>> >> > >> You don't mention the operating system of the domain controller or
>> >> > >> the domain computers but there is a KB article that refers to the
>> >> > >> errors you are seeing that may help provide a clue as shown below.
>> >> > >>
>> >> > >> http://support.microsoft.com/?id=842804
>> >> > >>
>> >> > >> Disabling DFS can disrupt your Group Policy propagation which may
>> >> > >> be causing your EFS errors if you have changed your Recovery Agent
>> >> > >> Certificate. The EFS error could be caused by an expired or absent
>> >> > >> EFS RA certificate, which Windows 2000 computers require before
>> >> > >> users on a W2K computer can encrypt files via EFS. I would run the
>> >> > >> support tools netdiag, dcdiag, and gpotool on your domain
>> >> > >> controller to make sure no serious problems are found that could
>> >> > >> prevent Group Policy from working correctly. Also run netdiag on at
>> >> > >> least one of the domain computers that is having problems with EFS
>> >> > >> and the support tool gpresult to see what Group Policy is being
>> >> > >> applied to the domain computer and the last time it was applied.
>> >> > >> Verify that the user has a certificate that can be used for file
>> >> > >> encryption in their local user certificate store, which is
>> >> > >> available via the mmc snapin for user certificates in the
>> >> > >> personal/certificates folder. It is not a good idea to delete
>> >> > >> certificates/private keys as that could result in the inability of
>> >> > >> a user or Recovery Agent to decrypt files they have previously
>> >> > >> encrypted. You can use the efsinfo utility to see what
>> >> > >> certificates/private keys can decrypt an EFS file for user and RA.
>> >> > >> If you are using Group Policy to manage the Recovery Agent for the
>> >> > >> domain make sure that a valid certificate is configured as the RA
>> >> > >> and that domain computers within the scope of management are
>> >> > >> receiving the Group Policy. Gpresult can help determine that. You
>> >> > >> can use the /v or /z switch for more info using gpresult. If using
>> >> > >> GPMC or a Windows 2003 domain controller the Resultant Set of
>> >> > >> Policy mmc snapin can help determine Group Policy applied to a user
>> >> > >> or computer. It can take up to two hours for changes to Group
>> >> > >> Policy to propagate to domain computers/users unless you use
>> >> > >> gpupdate/secedit or logoff/reboot to speed up propagation. --- Steve
>> >> > >>
>> >> > >> "LarMan" <LarMan@discussions.microsoft.com> wrote in message
>> >> > >> news:B0F6320C-7D9B-4B7F-BD8E-6F8A27FFA48D@microsoft.com...
>> >> > >> > Hello, I have been encrypting fine until about 1 week ago. For
>> >> > >> > various reasons I stopped and disabled DFS on the AD server. Then
>> >> > >> > my EFS went nuts so I turned it back on but I am still getting
>> >> > >> > errors about encrypting files. The errors are 1058 and 1030 as
>> >> > >> > well as the EFS 6028. I have renewed certs and deleted all and
>> >> > >> > requested new certs, nothing is working. I looked for the
>> >> > >> > dfsenable in the registry key MUP but did not find one and am
>> >> > >> > hesitant to add one. I am able to encrypt on the server but no
>> >> > >> > one is able to encrypt on the workstation. Any help would be much
>> >> > >> > appreciated.
>> >> > >>
>> >> > >>
>> >> > >>
>> >> >
>> >> >
>> >> >
>>
>>
>>
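As an added example (not part of the thread and not a Microsoft tool), a PowerShell check for two of the client-side conditions Steve describes for an XP Pro client: whether the logged-on user has a non-expired certificate with the EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4) and a private key in the Personal store, and whether the EfsConfiguration registry value that disables EFS on XP/2003 is set. The second, Policies-based registry path is an assumption about where a policy-pushed copy of that value would land.

```powershell
# Added example: client-side EFS readiness check (not from the thread).
# Run in the context of the user who cannot encrypt.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for EFS
$ekuExt = '2.5.29.37'                # extKeyUsage extension OID

function Get-EfsUserCertificates {
    # Certificates in CurrentUser\My that carry the EFS EKU and a private key.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $c = $_
        $c.HasPrivateKey -and (
            $c.Extensions |
            Where-Object { $_.Oid.Value -eq $ekuExt } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $efsEku }
        )
    }
}

function Test-EfsReadiness {
    $now   = Get-Date
    $certs = @(Get-EfsUserCertificates)
    if ($certs.Count -eq 0) {
        Write-Output 'No EFS certificate with a private key found in CurrentUser\My.'
    }
    foreach ($c in $certs) {
        # An expired certificate is the condition Steve asks about for the RA;
        # the same check applies to the user's own EFS certificate.
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
        Write-Output ('EFS cert {0} subject={1} expires={2:yyyy-MM-dd} {3}' -f
            $c.Thumbprint, $c.Subject, $c.NotAfter, $state)
    }

    # EfsConfiguration = 1 disables EFS on XP/2003. The first key is the
    # documented location; the Policies key is an ASSUMED location for a
    # Group Policy-delivered copy of the same value.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name EfsConfiguration `
                    -ErrorAction SilentlyContinue
        if ($item -and $item.EfsConfiguration -eq 1) {
            Write-Output "EFS is disabled by EfsConfiguration=1 under $key"
        }
    }
}

Test-EfsReadiness
```

If the output shows no EFS certificate or only expired ones, that matches the "user has no usable certificate" case in Steve's reply; an EfsConfiguration hit matches the "EFS disabled by policy" case he links to.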