Re: EFS files without recovery agent
- From: "Yuriy" <nepyyvoda@xxxxxxxxx>
- Date: 18 Sep 2006 08:43:01 -0700
Hi Steven,
Sorry if I wasn't clear. The full story goes like this.
Someone before me configured the EFS policy in the "Default Domain GPO".
The recovery agent account was deleted at some stage, so the policy became
unusable, and I decided to recreate it as a separate GPO, let's say
"EFS GPO", where I created a recovery agent with a proper certificate.
That is the point where the problem started.
You helped me sort out the problem where the client computer was getting
the Default Domain GPO with no recovery agent, so I deleted the EFS policy
from the "Default Domain GPO". The problem here is that every time I try
to clear the tick box for
"Allow users to encrypt files using Encrypted File System (EFS)" in the
"Encrypted File System" properties box, which is under "Public Key
Policies" on the "Default Domain GPO", it permanently disables users'
ability to encrypt files even if I specify the opposite in "EFS GPO".
I already tried changing the priority of the policies and setting "EFS GPO"
to "Enforce", but nothing helps. It seems to me there is no option to set
the "Allow users to encrypt files using Encrypted File System (EFS)"
option back to the default of "not defined" on the "Default Domain GPO".
In other words, it will always show in the "Group Policy Management"
console in the "Settings" view as either "Enabled" or "Disabled" and will
not be skipped in the list like other settings that were never defined.
My question is: is it possible to set it as "not defined" for the
"Default Domain GPO"?
Thank you.
Yuriy
Steven L Umbach wrote:
Glad to hear you got one problem solved, and thanks for reporting back what
you found. However, I don't quite understand the other problem. I believe you
say that you want users to be able to use EFS on XP Pro computers [that
setting does not apply to Windows 2000 computers], but you want to clear
that setting?? Another thing you could try is to move the new GPO to the top
of the list in the domain container and then reboot one of the XP Pro
computers to see if that helps or not, or just leave it enabled in the
default domain GPO.
Steve
"Yuriy" <nepyyvoda@xxxxxxxxx> wrote in message
news:1158318316.357221.57030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thank you Steven,
That was the problem in my case! I had deleted the recovery agent from the
Default Domain Policy, but I had not deleted the EFS policy itself.
RSoP.msc shows only the policies that have been applied, and in fact there
were 2: the new one with the certificate and the old one without. Because I
saw only one certificate, I made the wrong assumption that only one policy
had been applied.
The tool that really helped me was gpmc.msc and its "Group Policy
Results" section. It shows which policy won.
Unfortunately one problem still exists.
"Allow users to encrypt files using Encryption File System (EFS)" must
be enabled in "Default Domain Policy". When I try to clear it and
enable it in the new "EFS GPO", the client will not pick up this setting even
after changing policy priority and enforcing it.
It looks like I cannot clear settings that were enabled or disabled
once, and "Default Domain Policy" will have the highest priority
regardless of other settings. Is that true?
Thank you,
Yuriy
Steven L Umbach wrote:
Also check that any Group Policy that could apply to the computer other than
the one you want to have for EFS shows "no encrypted file system policies
defined". That is different from a defined policy that has no RA. A defined
policy with no RA will cause EFS to fail on Windows 2000 computers that have
that policy applied and XP Pro computers to not have any RA. If nothing
seems to work, try creating a test OU with a new test GPO linked to it with
the RA defined in that GPO. Move a couple of computers into that OU and then
reboot them to see if the RA applies to them or not. Also examine the
certificate that you are using for the RA to make sure it is an RA
certificate.
Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/efs.mspx
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:efnCiO51GHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
I would double-check any GPO that could apply to that computer, as if I
remember correctly rsop.msc does not show which GPO is applying the RA.
Steve
"S0k1l" <nepyyvoda@xxxxxxxxx> wrote in message
news:1158135892.176021.105220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
First of all, thank you for your response, but unfortunately that is not
the issue.
The Group Policy with the EFS recovery agent settings is linked to the domain
(let's say company.com), and RSoP.msc shows that the policy has been applied
to the computer (at least to all that I have checked), with the valid
recovery agent certificate.
Maybe there is something else that I have not paid attention to?
All your ideas are appreciated.
Yuriy
Steven L Umbach wrote:
Try running rsop.msc on one of the XP computers to see if it shows that the
setting has applied to the domain computer. Note that the RA setting is a
computer configuration setting, which means that the computer account must
be within the scope of management for that GPO. In other words, if you
configured it in a GPO linked to an OU, the computer account must exist in
that OU or a child OU of that OU. If you believe it should apply to the
computer, then check the application log for errors/warnings from userenv
and scecli that could indicate a problem with Group Policy application to
the domain computer.
Also keep in mind that it can take up to two hours for GP settings to
propagate unless you reboot or run gpupdate on the domain computer.
Steve
<nepyyvoda@xxxxxxxxx> wrote in message
news:1158072131.740190.251830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I'm experiencing a strange problem with EFS on my domain, and wonder if
anyone can help me understand what is happening.
I have recently configured an EFS group policy, created a recovery agent,
and applied it at domain level.
Now users are able to encrypt files, but there is no recovery agent in
the list when I open the Encryption Details window.
All domain controllers are Win2003 (Win 2000 native functional level) and
workstations are WinXP.
Can anyone give me some ideas where it went wrong?
Regards,
Yuriy.
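The troubleshooting Steven describes (is an EFS policy defined at all, does it carry an RA, is the RA certificate really an RA certificate, did userenv/scecli log errors) can be checked on the affected client in one pass. The script below is an added example, not code from this thread; it assumes Windows PowerShell 5.1 on a domain-joined client run elevated, uses the registry locations Group Policy writes the EFS settings to, and treats an empty policy certificate key as "defined policy with no RA", which is an assumption made here.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on a
# domain-joined client, run elevated. Registry paths are where Group Policy
# writes EFS settings; reading an empty Certificates key as "defined, no RA" is an assumption.
$efsKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
$certKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

# 1) "Allow users to encrypt files using EFS" lands in EfsConfiguration (1 = disabled).
$cfg = (Get-ItemProperty -Path $efsKey -ErrorAction SilentlyContinue).EfsConfiguration
if ($null -eq $cfg)  { 'EfsConfiguration not set: EFS allowed (setting not defined)' }
elseif ($cfg -eq 0)  { 'EfsConfiguration = 0: EFS allowed' }
else                 { "EfsConfiguration = ${cfg}: EFS disabled by policy" }

# Policy-store Blob values hold serialized certificate properties:
# repeated (propId, reserved, length, data); propId 32 is the DER certificate.
function ConvertFrom-CertBlob([byte[]]$blob) {
    $pos = 0
    while ($pos + 12 -le $blob.Length) {
        $propId = [BitConverter]::ToUInt32($blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($blob, $pos + 8)
        $pos   += 12
        if ($propId -eq 32) {
            $der = New-Object byte[] $len
            [Array]::Copy($blob, $pos, $der, 0, $len)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
        }
        $pos += $len
    }
}

# 2) Recovery agents: no key = "no encrypted file system policies defined" (harmless);
#    key present but empty = defined policy with no RA (the failing case Steven describes).
if (-not (Test-Path $certKey)) {
    'No EFS recovery policy delivered: no encrypted file system policies defined'
} else {
    $entries = @(Get-ChildItem -Path $certKey)
    if ($entries.Count -eq 0) { 'EFS policy defined but it contains NO recovery agent' }
    foreach ($e in $entries) {
        $cert = ConvertFrom-CertBlob (Get-ItemProperty -Path $e.PSPath).Blob
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            # A real RA certificate carries the File Recovery EKU, not just the EFS EKU.
            IsRACert   = [bool]($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.4.1.311.10.3.4.1')
        }
    }
}

# 3) Group Policy processing problems are logged by the Userenv and SceCli sources.
Get-EventLog -LogName Application -Source Userenv, SceCli -EntryType Error, Warning -Newest 20 |
    Select-Object TimeGenerated, Source, EventID, Message
```

Run it before and after `gpupdate /force` on a client in the test OU to confirm that only the intended GPO's recovery certificate arrives and that its `IsRACert` is True.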