Re: EFS Group Policy

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 05/04/03


Date: Sat, 3 May 2003 16:25:40 -0700


Domain Policy always takes precedence over local policy for machines that
are joined to the domain. So all you need to do is configure a DRA for the
domain, and you are all set.

This article may help you:
http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"BobS" <bobs@itproscorp.com> wrote in message
news:%23MF6JyaEDHA.2264@TK2MSFTNGP12.phx.gbl...
> Need clarification:
> I'm trying to create a situation where I have one person in the domain that
> can decrypt all encrypted files in the domain including files encrypted on
> workstations.  I do not want to use the local workstation EFS policy at all.
> As a matter of fact I want to disable the local EFS policy altogether so
> that there is no conflict between domain encryption keys, and local
> workstation encryption keys.  I want all files that are to be encrypted on
> both workstations, and servers to use the domain policy for encryption, and
> not use local encryption policy/keys at all.  I'm trying to do this because
> I do not want to have to back up the workstations' encryption keys, or be
> worried if a local workstation gets hosed up and I cannot recover the local
> recovery agent key.
>
> Is this possible?
>
> I want to create a blank EFS local policy on all my workstations in the
> domain.  This will disable EFS from functioning from the local policy.  Then
> I would like to assign a user in the domain as the recovery agent, and issue
> this person a recovery certificate from our root certificate authority
> for the purpose of decrypting files.  Then I would like to create a
> domain policy and assign this person's recovery certificate as the
> recovery agent.  Does this work? Does anyone have any docs that will detail
> these steps?