Re: Enable EFS --- GPO Problem

Try moving the computers into another OU that is a child of the domain OU
and then have only the GPO that allows EFS to be linked to that OU and move
the computers into that OU to see what happens. Offhand it sounds like you
have your Group Policy configured correctly and it should work the way you
expect so I am not quite sure what is going on but it would be interesting
to try another OU. However first before trying anything else verify that the
GPO that you are using to enable EFS has the computer configuration settings
enabled, is linked to the OU, and that the computers in question have read
and apply permissions for that GPO which normally would be through
authenticated users group. --- Steve


"FIMJIM" <gzime.djoka@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1151426366.207563.298720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I've just configured a Windows server 2003 PKI in the company I'm
working for, unfortunately we are experiencing some difficulties while
trying to put it into production.

Basically, EFS is disabled by the Default Domain Policy GPO, and
another one.
I want to enable EFS on a subset of computers, so I created an OU and
applied a GPO that is supposed to allow users to use EFS on the
machines (XP SP2) located in this OU.
Unfortunately EFS is not enabled on those machines.

Group Policy Management Snap-in is telling me that the "EFS-enabling"
GPO is the last one being applied, but the Group Policy Results tool
shows that one EFS blocking GPO (not the default global policy) is
still winning, even if I enforce the EFS-Enabling GPO !

Is it due to the fact tha the Default Domain Policy is disabling EFS by
default?
Is it due to the fact that 2 GPOs are blocking EFS, while just one (the
last one being applied) is permitting it?
Does it have anything to do with GPOs applied on Domain Controllers?

I'd be happy to share your thoughts on this obscure problem...


Thanks,

Jim



.

Relevant Pages

  • Re: Applying user object policy (filtering based on computer location)
    ... should have the GPO applied via loopback when logging into ... the computers in NY Desktops OU, ... I have a OU called "NY DESKTOPS" - I created a new policy and enabled Loopback processing mode. ...
    (microsoft.public.win2000.group_policy)
  • RE: Im falling my hairs with this domain gpo problem
    ... Where is the GPO linked? ... Do Authenticated users and Domain Computers have permissions to "Apply ... I'm having problem with a domain policy. ... only local security policy was showed in the gpresult log (for ...
    (Focus-Microsoft)
  • Re: SBS2K Offline File Question
    ... When I rename one group policy, ... > caching for client computers using GPO. ... > all the policy in this folder is related to the offline files. ...
    (microsoft.public.windows.server.sbs)
  • Re: cant override screen saver policy
    ... > Settings in the User Configuration part of a GPO always apply to User ... > users log on to specific computers, then enable Loopback processing in a GPO ... >> don't get this policy setting. ...
    (microsoft.public.win2000.group_policy)
  • FW: Im falling my hairs with this domain gpo problem
    ... Where is the GPO linked? ... Do Authenticated users and Domain Computers have permissions to "Apply ... I'm having problem with a domain policy. ... only local security policy was showed in the gpresult log (for ...
    (Focus-Microsoft)