Re: Remove domain user ability to encrypt files

From: Star Fleet Admiral Q (Star_Fleet_Admiral_Q(NOSPAM)_at_(SPAMNOT)hotmail.com)
Date: 08/26/04


Date: Wed, 25 Aug 2004 21:08:22 -0400

My suggestion - instead of trying to defeat encryption, why not just
designate the "domain" administrator as the recovery agent for all domain
users - then guess what, whether it is encrypted or not, the domain
administrator can do with it what he/she pleases.

-- 
Star Fleet Admiral Q @ your service
*************************************************
"Ryan Nordman" <spacerobots@hotmail.com> wrote in message 
news:7ffe4526.0408251526.24940e16@posting.google.com...
> Hi,
>
> We're running an entirely Windows Server 2003 network with Windows XP
> Pro client machines.
>
> I'm trying to find a way to remove users' ability to encrypt their
> files.  The extra tricky part is that it has to work in conjunction
> with folder redirection.  What we want to have is local machines where
> none of the user's documents or files can be stored locally, they will
> only have permissions to save documents in their My Documents folder.
> The My Documents folder will be redirected to a server's shared
> folder.  But we don't want users to be able to encrypt their files so
> that they can't be recovered by an administrator (our organization
> will be dealing with sensitive client data that could need to be
> recovered from an employee, so we can't have them encrypting their
> files).
>
> The solution I'm working towards is to find a way to remove the
> "Encrypt contents to secure data" check box from the Properties ->
> "Advanced..." button.  Is there a way to lock this out with group
> policy or something?  So far I don't see a way.  I've found some
> information about how I could lock this down with NTFS folder
> permissions regarding writing folder attributes, but since these
> folders are redirected, they get automatically created by the user
> account on the file share when they log in, so each user has full
> control of their own directory and I don't see how to automate locking
> down each one (besides maybe some advanced scripting).
>
> Any input would be greatly appreciated!
> -Ryan
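
An added example, not part of the original thread: a PowerShell audit that lists EFS-encrypted files under the redirected-folder root and reports whether the recovery agent's certificate is among each file's recovery certificates. The path and thumbprint are placeholders, and it assumes it is run on the file server on a Windows version whose `cipher` supports `/c` and prints English section headers.

```powershell
# Added example: find EFS-encrypted files under the redirected-folder root and
# flag any that the designated recovery agent (DRA) could not recover.
param(
    # Hypothetical local path of the redirected My Documents share on the server.
    [string]$ShareRoot     = 'D:\Redirected',
    # Placeholder: thumbprint of the recovery agent certificate published in policy.
    [string]$DraThumbprint = '<DRA-CERT-THUMBPRINT-PLACEHOLDER>'
)

# cipher prints thumbprints in space-separated groups, so compare without spaces.
$wanted = ($DraThumbprint -replace '\s', '').ToUpperInvariant()

function Test-DraCoverage {
    param([string]$Path)
    # "cipher /c" lists who can decrypt a file and its recovery certificates.
    $text = (& cipher.exe /c $Path 2>&1 | Out-String)
    # Assumption: the recovery section is introduced by this English header.
    $idx = $text.IndexOf('Recovery Certificates')
    if ($idx -lt 0) { return $false }
    $section = ($text.Substring($idx) -replace '\s', '').ToUpperInvariant()
    return $section.Contains($wanted)
}

Get-ChildItem -LiteralPath $ShareRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            DraCanRecover = Test-DraCoverage -Path $_.FullName
        }
    } |
    Sort-Object DraCanRecover, Path |
    Format-Table -AutoSize
```

Rows with `DraCanRecover` set to False are the ones to follow up on: a file encrypted before the recovery policy reached the machine keeps its old recovery information until it is next updated, for example by its owner running `cipher /u`.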