Enabling EFS for a Specific Set of Computers!

Guest

In a native Windows Server 2003 Domain environment integrated with Microsoft
Public Key Infrastructure, I would like to enable Encrypting File System on a
specific set of computers ONLY.
I tried to set the GPO setting "Allow users to encrypt files using
Encrypting File System (EFS)" to "Disabled" at domain level and to "Enabled"
at OU level, but it does not work. "Disabled" always wins.

At the bottom of the "Step-by-Step Guide to Using the Encrypting File System"
document, the section "Disabling EFS for a Specific Set of Computers" explains
how to do that. I know it works because "Disabled" always wins, but I need to
configure the opposite behaviour!
http://www.microsoft.com/technet/pr...hnologies/activedirectory/stepbystep/efs.mspx

Does someone know how to solve/work around this problem, which is apparently
not solvable?

Thanks in advance.
Gabriele.
 
Steven L Umbach

Make sure that the computer accounts you want to enable EFS on are in the
OU that has the GPO linked to it that enables EFS, and that you have
rebooted a computer you are testing it on. Also make sure that the domain
level GPO that has it disabled is not enforced [configured for "No
Override"]. If none of that helps, try enabling it at the domain level and
disabling it at the OU level, move a couple of computers that you want to
disable it on into the OU, reboot one and see what happens then. I would
also run rsop.msc on one of the computers to see what is shown as the
applied policy for that setting, to see if it is what you expect.

Steve
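Added example, not from the thread: a PowerShell check that walks through the list above for one computer (the OU its account sits in, the GPO links it inherits and whether any higher link is enforced, and the EFS policy value the machine actually received, which is what rsop.msc would show). It assumes the RSAT ActiveDirectory and GroupPolicy modules, PowerShell remoting to the target, and that the machine-level EFS policy value lands in the registry path shown; those cmdlets postdate the 2003-era thread.

```powershell
# Added example (not from the thread): report, for one computer, its OU,
# the GPO links it inherits (flagging Enforced / "No Override" links),
# and the EFS policy value the machine received.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and remoting to the target.
param([Parameter(Mandatory)][string]$ComputerName)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Locate the computer account and its parent OU (first check in the reply above).
$comp = Get-ADComputer -Identity $ComputerName -Properties DistinguishedName
$ouDn = ($comp.DistinguishedName -split ',', 2)[1]
Write-Host "Computer OU: $ouDn"

# 2. List every GPO link that applies at that OU in precedence order.
#    An Enforced link higher up beats any link at the OU, and Block
#    Inheritance on the OU is the workaround Pat mentions later in the thread.
$inh = Get-GPInheritance -Target $ouDn
if ($inh.GpoInheritanceBlocked) { Write-Host "Block Inheritance is set on $ouDn" }
$inh.InheritedGpoLinks | ForEach-Object {
    $flag = if ($_.Enforced) { ' <-- ENFORCED: wins over lower links' } else { '' }
    '{0,2}. {1} (linked at {2}) Enabled={3}{4}' -f $_.Order, $_.DisplayName, $_.Target, $_.Enabled, $flag
}

# 3. Read the EFS policy value the machine actually has, after its reboot.
#    Assumed location of the machine-level EFS policy value; 1 = EFS disabled.
$efs = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
}
switch ($efs) {
    1       { Write-Host 'EFS policy received: DISABLED' }
    0       { Write-Host 'EFS policy received: enabled' }
    default { Write-Host 'No EFS policy value present (default behaviour applies)' }
}
```

If the EFS value reads disabled while the OU-level GPO is listed first and not blocked, the domain-level setting is still winning, which matches the behaviour the original poster describes.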
 
Guest

The disabled EFS policy setting will always rule. This was the design in
Server 2003 and Windows XP. You can work around that by blocking policy
inheritance at the OU level.

Thanks.
Pat
 
Guest

Pat, thanks for your reply.

I don't see the block inheritance workaround as feasible, because we have a
location-based OU design.
My idea indeed was to play with GPO security filtering to allow EFS on a
group of computers (basically an AD security group) that are actually spread
around multiple OUs.

My initial question was generic about disabling EFS at OU level, just to
understand if the disabled EFS policy setting will always rule.

EFS is a pretty good tool, but I think there's much room for improvement.

Regards,
Gabriele
 
Guest

This will not be of help to you now, but EFS policy has been significantly
redesigned and expanded in Windows Vista. The new design will allow
enabling and disabling at any level without being overruled by a higher
policy. Many new options have also been added that allow you
to control certificate key sizes, certificate templates that EFS enrolls by,
encrypting with smart cards, notifications to back up EFS certificates, etc.
Something to keep in mind and look for.

Thanks.
Pat
 