Re: EFS Group Policy

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 05/04/03


Date: Sat, 3 May 2003 16:25:40 -0700


Domain Policy always takes precedence over local policy for machines that
are joined to the domain. So all you need to do is configure a DRA for the
domain, and you are all set.

This article may help you:
http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"BobS" <bobs@itproscorp.com> wrote in message
news:%23MF6JyaEDHA.2264@TK2MSFTNGP12.phx.gbl...
> Need clarification:
> I'm trying to create a situation where I have one person in the domain
> that can decrypt all encrypted files in the domain including files
> encrypted on workstations.  I do not want to use the local workstation
> EFS policy at all.  As a matter of fact I want to disable the local EFS
> policy altogether so that there is no conflict between domain encryption
> keys, and local workstation encryption keys.  I want all files that are
> to be encrypted on both workstations, and servers to use the domain
> policy for encryption, and not use local encryption policy/keys at all.
> I'm trying to do this because I do not want to have to back up the
> workstations' encryption keys, or be worried if a local workstation gets
> hosed up and I cannot recover the local recovery agent key.
>
> Is this possible?
>
> I want to create a blank EFS local policy on all my workstations in the
> domain.  This will disable EFS from functioning from the local policy.
> Then I would like to assign a user in the domain as the recovery agent,
> and issue this person a recovery certificate from our root certificate
> authority to this person for the purpose of decrypting files.  Then I
> would like to create a domain policy and assign this person's recovery
> certificate as the recovery agent.  Does this work? Does anyone have any
> docs that will detail these steps?

