Help with EFS

Guest

Our environment is Windows 2000 AD with XP Pro SP2 & 2000 Pro clients.
We want to encrypt the XP SP2 laptops issued to our mobile users.
I have created group policies to redirect the users' My Documents folder to
a file share on a server and have also created the offline settings to encrypt
offline folders.

I'm still a little confused about EFS and have posted a couple of questions
(having read the step-by-step guide and also the TechNet doc about EFS in XP
and 2003):

- I have a post entitled "EFS DRA policy" which asks about multiple locally
issued certificates.

- I have a post entitled "Event ID 80 & 77" about a query on installing an
Ent CA.

With regard to data recovery, I'm unsure of the scenario in which we would need
it, but I want to understand and use it from a best-practice perspective.

We do not encrypt our server file share, and I have disabled EFS in the
Default Domain Policy. So, when the user logs on/off, the files sync and
become unencrypted on the file share, so there is no problem there with recovery.

If the user suddenly leaves (or, worst case, dies) we can reset the password
and recover the documents.

The only scenario will be if the laptop is stolen; then the data should be
protected. Should we get it back, we can recover onto our server as
normal.

My understanding of the way EFS + DRA works is that you have a recovery PC
and you install the DRA certificate onto that PC (into which area?). Then
you can either copy the files across or use backup and restore. I have
installed an Ent CA and assigned my user a/c as the DRA. I've imported my
file recovery certificate into my Personal certificates area and also into
the AD user object area.

However, while I have been testing I cannot get some aspects working:

I created an encrypted folder on the laptop, logged in as a local user and
also as a domain user, and created a file for each. As would be expected, access
was denied for all users, including local admin, domain admin and myself (the
DRA).

How do I gain access to these files? I cannot move or copy these files onto
my PC, the recovery PC.

I have also logged in as two domain users, t1 and t2, and created docs in
their My Documents folders while on the network.
These were then synced to the server share and are unencrypted.
If I log in as these users (off the network) I can open the respective
files from offline files, as expected.
If I log in as myself (off the network) I can browse to c:\documents and
settings\t1\desktop and I cannot open the offline folders (as expected), nor
can I open the recent docs. If I then browse to c:\documents and
settings\t2\desktop, I can get into offline folders (but cannot open any
files), and under properties, encryption doesn't appear to be checked.

This doesn’t appear to be correct.


I'd really appreciate any help, as I'm having one of those days...
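The recovery workflow the post describes, as an added example that is not part of the original post or of any Microsoft documentation. It is a cmd.exe batch script for XP SP2 built around the built-in cipher.exe, gpupdate and NTBackup, plus efsinfo.exe from the XP Support Tools. The file names DRA_recovery.cer/.pfx, the encrypted test folder C:\EFSTest, the backup target E:\Recovery and the restore folder D:\Recovered are assumptions chosen for the example. It shows three things a practitioner would check in this situation: creating the recovery agent key pair, confirming that a given file actually carries the DRA in its recovery field, and the two ways to recover a file (decrypt it in place while logged on as the DRA, or move it still encrypted with NTBackup and decrypt it on the recovery PC).

```batch
@echo off
REM Added example of the EFS data-recovery workflow; not from the original post.
REM Assumed names: DRA_recovery (cert files), C:\EFSTest (encrypted folder),
REM E:\Recovery (backup target), D:\Recovered (restore folder on the recovery PC).
REM Built-in tools: cipher.exe, gpupdate, ntbackup. efsinfo.exe is from the
REM XP Support Tools / Resource Kit, not the base OS.

REM ---- A. Create the recovery agent key pair (run once, as the DRA account) ----
REM Writes DRA_recovery.cer (public key only) and DRA_recovery.pfx (private key,
REM protected by the password you are prompted for) in the current directory.
REM Publish the .cer in the domain policy (Computer Configuration \ Windows
REM Settings \ Security Settings \ Public Key Policies \ Encrypting File System).
REM Keep the .pfx offline: whoever holds it can decrypt every file encrypted
REM after the policy applies.
cipher /r:DRA_recovery

REM ---- B. On the laptop: make sure the policy carrying the DRA has applied ----
REM The recovery policy is a computer setting, so it covers files encrypted by
REM local accounts as well as domain accounts on this machine.
REM (Windows 2000 clients use "secedit /refreshpolicy machine_policy" instead.)
gpupdate /force /target:computer

REM Files encrypted BEFORE the DRA policy reached the machine carry no recovery
REM field for this DRA. Run these as the user who owns the files: /u /n only
REM lists the encrypted files on local drives; /u rewrites each one with the
REM current user key and the current recovery agent.
cipher /u /n
cipher /u

REM Show who can decrypt a file: /u lists the user certificates, /r the recovery
REM agents. If the DRA does not appear here, no DRA on any PC can open the file.
efsinfo /u /r "C:\EFSTest\t1-test.txt"

REM ---- C1. Recover in place: log on to the laptop as the DRA account ----
REM Import the .pfx into the logged-on user's Personal store (Certificates -
REM Current User \ Personal); EFS looks for the matching private key there.
REM The command below opens the Certificate Import Wizard for the file.
rundll32.exe cryptext.dll,CryptExtAddPFX "E:\Recovery\DRA_recovery.pfx"
REM Decrypt the folder, its files and subfolders (/a acts on the files, not only
REM the folder attribute). Afterwards remove the private key from the laptop
REM again (certmgr.msc) so a stolen laptop does not carry the recovery key.
cipher /d /a /s:"C:\EFSTest"

REM ---- C2. Recover on the recovery PC instead ----
REM A plain copy/move by a user without a matching key fails with Access denied,
REM because copying reads (and therefore decrypts) the file. NTBackup uses the
REM backup APIs and moves the file still encrypted. Restore the .bkf on the
REM recovery PC (NTBackup GUI), where the DRA private key is already in the
REM Personal store, then decrypt there.
ntbackup backup "C:\EFSTest" /j "EFS recovery" /f "E:\Recovery\efs-laptop.bkf"
REM On the recovery PC, after restoring to D:\Recovered:
REM   cipher /d /a /s:"D:\Recovered\EFSTest"
```

The efsinfo check is the quickest way to tell whether an "access denied" for the DRA is a key problem (the DRA's private key is not in the Personal store of the account doing the decrypting) or a file problem (the file was encrypted before the DRA policy applied and so has no recovery field for that agent); the two cases are fixed differently, which is why the script separates the policy refresh and cipher /u step from the import-and-decrypt step.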
 
