Re: EFS Group Policy

From: David Cross [MS]
Date: 05/04/03

Date: Sat, 3 May 2003 16:25:40 -0700

Domain Policy always takes precedence over local policy for machines that
are joined to the domain. So all you need to do is configure a DRA for the
domain, and you are all set.

This article may help you:

David B. Cross [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"BobS" wrote in message
> Need clarification:
> I'm trying to create a situation where one person in the domain
> can decrypt all encrypted files in the domain including files encrypted on
> workstations.  I do not want to use the local workstation EFS policy at all.
> As a matter of fact I want to disable the local EFS policy altogether so
> that there is no conflict between domain encryption keys, and local
> workstation encryption keys.  I want all files that are to be encrypted on
> both workstations, and servers to use the domain policy for encryption,
> not use local encryption policy/keys at all.  I'm trying to do this
> I do not want to have to backup the workstations encryption keys, or be
> worried if a local workstation gets hosed up and I cannot recover the local
> recovery agent key.
> Is this possible?
> I want to create a blank EFS local policy on all my workstations in the
> domain.  This will disable EFS from functioning from the local policy.
> I would like to assign a user in the domain as the recovery agent, and
> this person a recovery certificate from our root certificate authority to
> this person for the purpose of decrypting file.  Then I would like to create a
> domain policy and assign with this person's recovery certificate as the
> recovery agent.  Does this work? Does anyone have any docs that will
> these steps?
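An added worked example (not part of the original thread, and not Microsoft's own guidance): a PowerShell script that (1) generates a DRA certificate with cipher /r, (2) notes the GPMC step that has to be done by hand, and (3) verifies on a domain-joined workstation that the DRA published through domain policy is the one actually stamped onto a freshly encrypted file. The directory paths, file names, and the parsing of cipher /c output are assumptions; in BobS's scenario the DRA certificate would come from the root CA instead of cipher /r, and the verification part is the same either way.

```powershell
# Added example, not from the original posts. Run as a local administrator on a
# domain-joined workstation (for the verification part). Paths are placeholders.

# Step 1 (run as the intended recovery agent): create a self-signed DRA certificate.
# cipher /r: writes <BaseName>.cer (public half, goes into the GPO) and
# <BaseName>.pfx (private key, password-protected; keep it offline).
function New-DraCertificate {
    param([string]$BaseName = "C:\DRA\DomainEfsDRA")   # assumed location
    New-Item -ItemType Directory -Force -Path (Split-Path $BaseName) | Out-Null
    cipher.exe /r:$BaseName                              # prompts for the .pfx password
    Get-Item "$BaseName.cer", "$BaseName.pfx"
}

# Step 2 is done in GPMC, not in PowerShell: edit the domain GPO ->
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Public Key Policies > Encrypting File System > right-click > Add Data Recovery Agent...
# and point it at the .cer file. Then on a workstation run: gpupdate /force

# Step 3: parse "cipher /c <file>" and return the thumbprints listed under
# "Recovery Certificates:". The section/line names are an assumption about
# cipher's output format; adjust the regexes if your build prints them differently.
function Get-EfsRecoveryThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    $inRecovery = $false
    $found = @()
    foreach ($line in (cipher.exe /c $Path)) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        # Any other "Something:" header ends the recovery section.
        if ($inRecovery -and $line -match '^\s*[A-Za-z ].*:\s*$' -and
            $line -notmatch 'Certificate thumbprint') { $inRecovery = $false }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*(.+)$') {
            # cipher prints the hash in spaced groups; normalise to X509Certificate2 form.
            $found += (($Matches[1] -replace '\s', '').ToUpperInvariant())
        }
    }
    return $found
}

# Encrypt a scratch file under the current user and check that the domain DRA
# (read from the .cer published in the GPO) is among its recovery agents.
# A new file always gets the DRA list in effect at encryption time, so this
# reflects the policy the machine is really applying right now.
function Test-DomainDraApplied {
    param(
        [Parameter(Mandatory)][string]$DraCerPath,
        [string]$TestFile = "$env:TEMP\efs-dra-check.txt"   # assumed scratch path
    )
    $dra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCerPath
    "dra check" | Set-Content -Path $TestFile
    cipher.exe /e $TestFile | Out-Null
    try {
        $recovery = Get-EfsRecoveryThumbprints -Path $TestFile
    } finally {
        cipher.exe /d $TestFile | Out-Null
        Remove-Item -Path $TestFile -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        ExpectedDra      = $dra.Thumbprint
        RecoveryAgents   = $recovery
        DomainDraApplied = ($recovery -contains $dra.Thumbprint.ToUpperInvariant())
    }
}

# Usage (after the GPO is in place and gpupdate /force has run on this machine):
#   Test-DomainDraApplied -DraCerPath '\\fileserver\share\DomainEfsDRA.cer'
# DomainDraApplied should be $true; if the list also shows a stale local DRA
# thumbprint, the machine is still reading a local policy instead of the domain one.
```

One caveat for the poster's goal of "one person can decrypt everything": files that were encrypted before the domain DRA existed keep the recovery agents they had at the time. Running `cipher /u` on each workstation rewrites the recovery fields on all encrypted files on local drives to the current policy (`cipher /u /n` lists what it would touch without changing anything).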