Re: Basic EFS Certificate Question

"Snowmizer" <Snowmizer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
I didn't actually ever disable the ability to obtain a Basic EFS

If you want to explicitly disable use of EFS encryption there is a
policy setting you can use via GPO so that users on client systems
would not, at their option, choose to use EFS to encrypt files.

I believe the issue you have is actually in determining why you see
repeated certs issued to the same user in a short interval, if, that is,
you are correctly interpreting what trail you see.

I just know that we don't purposely have anything on our network
to specifically use encryption. I don't know of any software that we have
that encrypts files. The fact that it's only associated with a couple of
users makes me believe they are visiting some site or something that needs
EFS certificate. Could this be the case? If so is there a way to find out
what is requesting the certificate? Is this something that is typically
disabled? Is there any harm with them having this certificate?

"Brian Komar [MVP]" wrote:

In article <7F6E005B-9EC8-4D43-B69C-BD3E31CE79D3@xxxxxxxxxxxxx>,
Snowmizer@xxxxxxxxxxxxxxxxxxxxxxxxx says...
We are looking through our Issued certificates on or CA (Windows 2003
Enterprise Edition) and have noticed that there are a couple of users
have Basic EFS certificates issued
to them (multiple certs issued in a matter of minutes). My
understanding is
that these certificates are used with file encryption. We don't have
encryption enabled on our network so I'm confused as to why only these
users have Basic EFS certificates instead of everyone in the company.
everything I have read so far it appears that these certificates get
automatically. What are these certificates? How do they get issued? If
they're issued automatically is there a way to tell what requested the

I just need an explanation about how this happens and why.


It appears that y ou do not have EFS blocked as you state. A client will
request a Basic EFS certificate automatically if EFS is enabled and they
either encrypt a file or save a file to a folder enabled for encryption.

How did you go about disabling EFS?



Relevant Pages

  • RE: Relative Security Provided by Cached Domain Credentials?
    ... certificates assigned to them, with each certificate having a set number ... smart card management tools which provide private key archival for smart ... AND the cert is also valid for EFS, they likely would be able to do ... What you probably could get to work for local file encryption, ...
  • Re: What am I doing wrong?
    ... > after I make the EFS work. ... Then I've exported my encryption certificate to a file on a diskette. ... > certificate into a file on a floppy, and I did select the "Yes, export ...
  • Re: About EFS and local certificate that I want to export
    ... You need to get your head around how EFS works. ... EFS is local file encryption. ... the file is transferred to/from the server in the clear. ... you added the incorrect EFS certificate in step 4. ...
  • Re: EFS woes
    ... I changed my domain password which broke EFS 1. ... not the same thumbprint as on my exported certificate. ... inheriting the encryption status. ...
  • Re: EFS Recover Agents Unable to decrypt files
    ... Permissions were checked to make sure that the EFS RA had full ... The EFS RA imported it's EFS RA certificate from storage in a secure ... I tried to decrypt the file after only importing the ... a special recovery key is created with the encryption process. ...