Re: EFS files without recovery agent
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Sep 2006 14:40:27 -0500
Also check that any Group Policy that could apply to the computer other than
the one you want to have for EFS shows "no encrypted file system policies
defined". That is different than a defined policy that has no RA. A defined
policy with no RA will cause EFS to fail on Windows 2000 computers that have
that policy applied and for XP Pro computers to not have any RA. If nothing
seems to work, try creating a test OU with a new test GPO linked to it with
the RA defined in that GPO. Move a couple of computers into that OU and then
reboot them to see if the RA applies to them or not. Also examine the
certificate that you are using for the RA to make sure it is an RA
certificate.
Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/efs.mspx
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:efnCiO51GHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
I would double check any GPO that could apply to that computer, as if I
remember correctly rsop.msc does not show which GPO is applying the RA.
Steve
"S0k1l" <nepyyvoda@xxxxxxxxx> wrote in message
news:1158135892.176021.105220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
First of all, thank you for your response, but unfortunately that is not
the issue.
The Group Policy with the EFS recovery agent settings is linked to the domain
(let's say company.com), and RSoP.msc shows that the policy has been applied
to the computer (at least to all that I have checked), with the valid recovery
agent certificate.
Maybe there is something else that I have not paid attention to?
All your ideas are appreciated.
Yuriy
Steven L Umbach wrote:
Try running rsop.msc on one of the XP computers to see if it shows that
setting has applied to the domain computer. Note that the RA setting is
computer configuration, which means that the computer account must be within
the scope of management for that GPO. In other words, if you configured it in
a GPO linked to an OU, the computer account must exist in that OU or a child
OU of that OU. If you believe it should apply to the computer, then check the
application log for errors/warnings for userenv and scecli that could
indicate a problem with Group Policy application to the domain computer.
Also keep in mind that it can take up to two hours for GP settings to
propagate unless you reboot or run gpupdate on the domain computer.
Steve
<nepyyvoda@xxxxxxxxx> wrote in message
news:1158072131.740190.251830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I'm experiencing a strange problem with EFS on my domain, and wonder if
anyone can help me understand what is happening.
I have recently configured an EFS group policy, created a recovery agent,
and applied it at the domain level.
Now users are able to encrypt files, but there is no recovery agent in
the list when I open the Encryption details window.
All domain controllers are Win2003 (Win 2000 native function level) and
workstations are WinXP.
Can anyone give me some ideas where it went wrong?
Regards,
Yuriy.
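
The checks suggested in this thread (confirm the certificate really is an RA certificate, look for userenv and scecli problems in the application log, then force a computer policy refresh), as an added PowerShell example that is not part of the original posts. The certificate path and function names are hypothetical, and the script assumes Windows PowerShell is installed on the workstation being examined.

```powershell
# Added example, not from the thread. $RaCertPath is a hypothetical path to the
# RA certificate exported (public part only, .cer) from the EFS policy in the GPO.
param([string]$RaCertPath = 'C:\temp\ra.cer')

# Enhanced Key Usage OID for "File Recovery". A plain EFS user certificate
# carries 1.3.6.1.4.1.311.10.3.4 instead and does not act as a recovery agent.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-RecoveryAgentCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $eku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        Expired         = ((Get-Date) -gt $cert.NotAfter)
        HasFileRecovery = ($oids -contains $FileRecoveryOid)
    }
}

function Get-GroupPolicyProcessingProblem {
    # Userenv and SceCli write to the Application log on XP / Server 2003;
    # later Windows versions log Group Policy processing elsewhere.
    param([int]$Hours = 24)
    Get-EventLog -LogName Application -EntryType Error, Warning `
                 -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Source -match '^(Userenv|SceCli)$' } |
        Select-Object TimeGenerated, Source, EventID, Message
}

# 1. Is the certificate in the policy usable as a recovery agent?
$ra = Test-RecoveryAgentCertificate -Path $RaCertPath
$ra | Format-List
if (-not $ra.HasFileRecovery) { Write-Warning 'No File Recovery EKU: not an RA certificate.' }
if ($ra.Expired)              { Write-Warning 'Certificate has expired.' }

# 2. Did computer policy processing report problems recently?
Get-GroupPolicyProcessingProblem -Hours 24 | Format-Table -AutoSize -Wrap

# 3. Re-apply computer policy now instead of waiting for the refresh interval.
gpupdate /target:computer /force
```

Files encrypted before the policy reached the workstation keep their old recovery information until they are next updated, so test with a newly encrypted file after the refresh.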