Re: Remove domain user ability to encrypt files
From: Ryan Nordman (spacerobots_at_hotmail.com)
Date: 08/26/04
- Next message: Torgeir Bakken \(MVP\): "Re: NO Password and NO Windows XP CD!"
- Previous message: Peter: "Re: NO Password and NO Windows XP CD!"
- In reply to: Star Fleet Admiral Q: "Re: Remove domain user ability to encrypt files"
- Next in thread: Torgeir Bakken \(MVP\): "Re: Remove domain user ability to encrypt files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 26 Aug 2004 13:25:32 -0700
Right, well, that's fine as long as the recovery agent assignment
works and everything, but if something goes wrong... I mean, why
bother if we can just not have encrypted files at all?
"Star Fleet Admiral Q" <Star_Fleet_Admiral_Q(NOSPAM)@(SPAMNOT)hotmail.com> wrote in message news:<esUgykwiEHA.3428@TK2MSFTNGP11.phx.gbl>...
> My suggestion - instead of trying to defeat encryption, why not just
> designation the "domain" administrator as the recovery agent for all domain
> users - then guess what, whether it is encrypted or not, the domain
> administrator can do with it what he/she pleases.
>
> --
>
> Star Fleet Admiral Q @ your service
>
> *************************************************
>
> "Ryan Nordman" <spacerobots@hotmail.com> wrote in message
> news:7ffe4526.0408251526.24940e16@posting.google.com...
> > Hi,
> >
> > We're running an entirely Windows Server 2003 network with Windows XP
> > Pro client machines.
> >
> > I'm trying to find a way to remove users ability to encrypt their
> > files. The extra tricky part is that it has to work in conjuction
> > with folder redirection. What we want to have is local machines where
> > none of the user's documents or files can be stored locally, they will
> > only have permissions to save documents in their My Documents folder.
> > The My Documents folder will be redirected to a server's shared
> > folder. But we don't want users to be able to encrypt their files so
> > that they can't be recovered by an administrator (our organization
> > will be dealing with sensitive client data that could need to be
> > recovered from an employee, so we can't have them encrypting their
> > files).
> >
> > The solution I'm working towards is to find a way to remove the
> > "Encrypt contents to secure data" check box from the Properties ->
> > "Advanced..." button. Is there a way to lock this out with group
> > policy or something? So far I don't see a way. I've found some
> > information about how I could lock this down with NTFS folder
> > permissions regarding writing folder attributes, but since these
> > folders are redirected, they get automatically created by the user
> > account on the file share when they login, so each user has full
> > control of their own directory and I don't see how to automate locking
> > down each one (besides maybe some advanced scripting).
> >
> > Any input would be greatly appreciated!
> > -Ryan
- Next message: Torgeir Bakken \(MVP\): "Re: NO Password and NO Windows XP CD!"
- Previous message: Peter: "Re: NO Password and NO Windows XP CD!"
- In reply to: Star Fleet Admiral Q: "Re: Remove domain user ability to encrypt files"
- Next in thread: Torgeir Bakken \(MVP\): "Re: Remove domain user ability to encrypt files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
