Re: EFS files without recovery agent



Hi Yuriy.

There is no "undefined" for the setting you talk about. I would think however
that if you put your new EFS GPO at the top of the list for the domain
container, what is configured in it would prevail for computers that are
being managed by that GPO [unless the default domain GPO is enforced]. Keep in
mind that when you change a GP setting at the domain/OU level it can
take up to two hours for the changes to propagate unless you run gpupdate
/force or reboot the domain computer. Another thing to try is to use RSOP in
planning mode on a Windows 2003 domain controller to see if it shows what
you expect for your policy settings for the computer. If the projected and
actual settings differ you need to investigate whether there is a problem with GP
applying to the computer. You could just use your default domain GPO as
before to apply EFS settings and import the new RA certificate into it under
Public Key Policies.

Steve


"Yuriy" <nepyyvoda@xxxxxxxxx> wrote in message
news:1158594181.694960.33080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Steven,

Sorry if I wasn't so clear. The full story goes like this.
Someone before me configured EFS policy in "Default Domain GPO".
The Recovery agent account was deleted at some stage, so the policy became
unusable and I decided to recreate it, but as a separate GPO, let's say
"EFS GPO", where I created a Recovery agent with a proper certificate.
That is the point where the problem started.
You helped me sort out the problem where the client computer was getting
Default Domain GPO with no Recovery Agent. So I deleted the EFS policy from
"Default Domain GPO". The problem here is that every time I
try to clear the tick box for
"Allow users to encrypt files using Encrypted File System (EFS)" in the
"Encrypted File System" properties box, which is under "Public Key
Policies".... on "Default Domain GPO", it permanently disables users'
ability to encrypt files even if I specify the opposite in "EFS GPO".
I already tried to change the priority of the policies and set "EFS GPO"
to "Enforce", but nothing helps. It seems to me there is no option to
set the "Allow users to encrypt files using Encrypted File System (EFS)"
option to a default like "not defined" on "Default Domain GPO". In other
words it will always show in the "Group Policy Management" console in the
"Settings" view either as "Enable" or "Disable", and is not skipped on the
list like others that were never defined.

My question is: Is it possible to set it as "not defined" for
"Default Domain GPO"?

Thank you.
Yuriy



Steven L Umbach wrote:
Glad to hear you got one problem solved and thanks for reporting back what
you found. However I don't quite understand the other problem. I believe you
say that you want users to be able to use EFS on XP Pro computers [that
setting does not apply to Windows 2000 computers] but you want to clear
that setting?? Another thing you could try is to move the new GPO to the top
of the list in the domain container and then reboot one of the XP Pro
computers to see if that helps or not, or just leave it enabled in the
default domain GPO.

Steve


"Yuriy" <nepyyvoda@xxxxxxxxx> wrote in message
news:1158318316.357221.57030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thank you Steven,

That was the problem in my case! I had deleted the recovery agent from the
Default Domain Policy, but I had not deleted the EFS policy itself.
RSoP.msc shows only the policies that have been applied, and in fact there
were 2, the new one with a certificate and the old one without. Because I
saw only one certificate I made the wrong assumption that only one policy
had been applied.
The tool that really helped me was gpmc.msc and its "Group Policy
Result" section. It shows which policy won.

Unfortunately one problem still exists.
"Allow users to encrypt files using Encryption File System (EFS)" must
be enabled in "Default Domain Policy". When I try to clear it and
enable it in the new "EFS GPO" the client will not pick up these settings even
after changing policy priority and enforcing it.
It looks like I cannot clear settings that were enabled or disabled
once, and "Default Domain Policy" will have the highest priority
regardless of other settings. Is it true?

Thank you,
Yuriy

Steven L Umbach wrote:
Also check that any Group Policy that could apply to the computer other than
the one you want to have for EFS shows "no encrypted file system policies
defined". That is different than a defined policy that has no RA. A defined
policy with no RA will cause EFS to fail on Windows 2000 computers that have
that policy applied and for XP Pro computers to not have any RA. If nothing
seems to work try creating a test OU with a new test GPO linked to it with
the RA defined in that GPO. Move a couple of computers into that OU and then
reboot them to see if the RA applies to them or not. Also examine the
certificate that you are using for the RA to make sure it is an RA
certificate.

Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/efs.mspx


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:efnCiO51GHA.4108@xxxxxxxxxxxxxxxxxxxxxxx
I would double check any GPO that could apply to that computer as, if I
remember correctly, rsop.msc does not show which GPO is applying the RA.

Steve


"S0k1l" <nepyyvoda@xxxxxxxxx> wrote in message
news:1158135892.176021.105220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

First of all thank you for your response, but unfortunately that is not
the issue.
The Group Policy with the EFS recovery agent settings is linked to the domain
(let's say company.com), and RSoP.msc shows that the policy has been applied
to the computer (at least to all that I have checked), with the valid
recovery agent certificate.
Maybe there is something else that I have not paid attention to?
All your ideas are appreciated.

Yuriy

Steven L Umbach wrote:
Try running rsop.msc on one of the XP computers to see if it shows that the
setting has applied to the domain computer. Note that the RA setting is
computer configuration, which means that the computer account must be within
the scope of management for that GPO. In other words if you configured it in
a GPO linked to an OU, the computer account must exist in that OU or a child
OU of that OU. If you believe it should apply to the computer then check the
application log for errors/warnings for userenv and scecli that could
indicate a problem with Group Policy application to the domain computer.
Also keep in mind that it can take up to two hours for GP settings to
propagate unless you reboot or run gpupdate on the domain computer.

Steve


<nepyyvoda@xxxxxxxxx> wrote in message
news:1158072131.740190.251830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I'm experiencing a strange problem with EFS on my domain, and wonder if
anyone can help me understand what is happening.

I have recently configured an EFS group policy, created a recovery agent,
and applied it at domain level.
Now users are able to encrypt files, but there is no Recovery agent in
the list when I open the Encryption details window.

All domain controllers are Win2003 (Win 2000 native functional level) and
workstations are WinXP.

Can anyone give me some ideas where it went wrong?

Regards,
Yuriy.
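
The checks Steve walks through above (which GPOs actually reached the computer and in what link order, Userenv/SceCli errors in the Application log, and what EFS state the computer ended up with) can be gathered in one pass. The script below is an added example and is not from the thread or from Microsoft; it assumes a later Windows with PowerShell and the gpresult /x XML report (not available on the XP/2003 machines the thread discusses), and the RSoP XML element names, the EfsConfiguration registry value and the SystemCertificates\EFS key are assumptions about where those settings land.

```powershell
# Added example (not from the thread): summarise what Group Policy delivered to this
# computer for EFS. Run in an elevated PowerShell on a domain-joined machine.
# Assumptions: gpresult /x exists (Vista/2008 and later) and produces the element
# names used below; the two registry locations are assumed, not taken from the thread.

function Get-AppliedComputerGpos {
    # Export the computer-scope RSoP report to XML and list every GPO it mentions,
    # including ones that were denied, so a second EFS-bearing GPO is not overlooked.
    $report = Join-Path $env:TEMP 'rsop-computer.xml'
    gpresult /scope:computer /x $report /f | Out-Null
    [xml]$rsop = Get-Content -Path $report -Raw
    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        [pscustomobject]@{
            Name      = $gpo.Name
            LinkedAt  = $gpo.Link.SOMPath     # assumed element: container the link sits on
            LinkOrder = $gpo.Link.LinkOrder   # assumed element: lower number wins in that container
            Enforced  = $gpo.Link.NoOverride  # assumed element: "Enforced" in GPMC
            Applied   = ($gpo.Enabled -eq 'true' -and $gpo.IsValid -eq 'true' -and
                         $gpo.AccessDenied -ne 'true')
        }
    }
}

function Get-GpApplicationErrors {
    param([int]$Newest = 20)
    # Userenv and SceCli are the sources the thread points at (XP/2003 era). On newer
    # Windows the Group Policy operational log is the better place to look.
    Get-EventLog -LogName Application -Source Userenv, SceCli -EntryType Error, Warning `
        -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, Source, EventID, Message
}

function Get-EfsPolicyState {
    # Assumption: "Allow users to encrypt files using EFS" lands as EfsConfiguration
    # under this policy key, with 1 meaning encryption is disabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    $cfg = Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue
    $allowed = -not ($cfg -and $cfg.EfsConfiguration -eq 1)

    # Assumption: recovery agent certificates pushed by policy are cached under this key;
    # zero entries here is the "defined policy with no RA" case Steve warns about.
    $raKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    $raCount = (Get-ChildItem -Path $raKey -ErrorAction SilentlyContinue | Measure-Object).Count

    [pscustomobject]@{
        EncryptionAllowed        = $allowed
        PolicyRecoveryAgentCerts = $raCount
    }
}

Get-AppliedComputerGpos | Format-Table -AutoSize
Get-GpApplicationErrors | Format-List
Get-EfsPolicyState
```

Compare the first table with the "Group Policy Results" view in GPMC that Yuriy found useful: if both "Default Domain Policy" and "EFS GPO" show as applied, the one with the lower LinkOrder (or the enforced one) is the winner for the EFS setting, which is exactly the precedence question in the thread. A zero in PolicyRecoveryAgentCerts while EncryptionAllowed is true reproduces the original symptom of users encrypting files with no recovery agent present.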