Re: EFS Group Policy
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: Sat, 3 May 2003 16:25:40 -0700
Domain Policy always takes precedence over local policy for machines that
are joined to the domain. So all you need to do is configure a DRA for the
domain, and you are all set.
This article may help you:
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"BobS" <email@example.com> wrote in message news:%23MF6JyaEDHA.2264@TK2MSFTNGP12.phx.gbl...
> Need clarification:
> I'm trying to create a situation where I have one person in the domain that
> can decrypt all encrypted files in the domain including files encrypted on
> workstations. I do not want to use the local workstation EFS policy at all.
> As a matter of fact I want to disable the local EFS policy altogether so
> that there is no conflict between domain encryption keys, and local
> workstation encryption keys. I want all files that are to be encrypted on
> both workstations, and servers to use the domain policy for encryption, and
> not use local encryption policy/keys at all. I'm trying to do this because
> I do not want to have to backup the workstations' encryption keys, or be
> worried if a local workstation gets hosed up and I cannot recover the local
> recovery agent key.
>
> Is this possible?
>
> I want to create a blank EFS local policy on all my workstations in the
> domain. This will disable EFS from functioning from the local policy. Then
> I would like to assign a user in the domain as the recovery agent, and issue
> this person a recovery certificate from our root certificate authority to
> this person for the purpose of decrypting files. Then I would like to create a
> domain policy and assign with this person's recovery certificate as the
> recovery agent. Does this work? Does anyone have any docs that will detail
> these steps?