Disable EFS

  • Thread starter: Dirk Roesler
Disabling EFS
EFS is enabled by default but can be disabled for individual files or
individual file folders, or disabled entirely for a computer or domain.
Disabling EFS for a stand-alone computer requires adding an entry to the
registry.

Disabling EFS for an Individual File
Although files can be made unencryptable by setting the system attribute or
placing the file in the %systemroot% folder or any of its subfolders, these
options are undesirable in many cases. For example, system files are also
normally hidden from view, and a user might want a file that is
unencryptable to be visible to other users.

Note Even with Write permission, users cannot encrypt files or folders in
the %systemroot% folder, or files or folders that have their system
attribute set. If these types of files and folders could be encrypted, it
might render the system useless. This is because many of these files are
needed for the system to start up, and decryption keys are not available
during the startup process to decrypt them.

Denying Write permissions for a file also makes it unencryptable by the
users or groups within the scope of the denial. Simply attributing the file
as read-only, however, does not prevent encryption. A user who has Write
permissions can encrypt read-only files.

In most cases, the best solution is to disable EFS for a folder rather than
an individual file.

Disabling EFS for a File Folder
To disable encryption within a folder, create a file called Desktop.ini that
contains:

[Encryption]
Disable=1


Save the file in the directory in which you want to disable EFS. If a user
attempts to encrypt the folder or any files in the folder, a message tells
the user that "An error occurred applying attributes to the file: filename.
The directory has been disabled for encryption."

Note The Desktop.ini file affects only the current folder and the files in
it. If you create a subfolder, both the subfolder and any files in it can be
encrypted. Also, encrypted files can be copied or moved, without losing
their encryption, into the directory that contains the Desktop.ini file.

Disabling EFS for a Stand-Alone Computer
A registry entry must be added to disable EFS for a stand-alone computer.

To disable EFS on a stand-alone computer by editing the registry

1. In the Run dialog box, type regedit.exe.
2. Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\EFS.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Enter EfsConfiguration for the value name and 1 for the value data to
disable EFS (a value of 0 enables EFS).
5. Restart the computer.
6. If EFS is disabled and a user tries to encrypt a file or folder, a
message tells the user that "An error occurred applying attributes to the
file: filename. The directory has been disabled for encryption."
Disabling EFS throughout a Windows 2000/3-based Domain by Modifying the
"Default Domain Policy" Group Policy Object
1. Click Start, point to Programs, point to Administrative Tools, and
then click Active Directory Users and Computers.
2. View the appropriate node for your domain, right-click this node, and
then click Properties.
3. Click the Group Policy tab, click the Default Domain Policy GPO, and
then click Edit. Note that you do not need to use the Default Domain Policy;
you can use a new GPO such as Disable EFS to accomplish the same task.
4. In the Group Policy Editor Snap-In, view the following node:
Default Domain Policy\Computer Configuration\Windows Settings\Security
Settings\Public Key Policies\Encrypted Data Recovery Agents

NOTE: If any certificates exist in the right side pane, delete them.
5. Right-click the Encrypted Data Recovery Agents node, click Delete
Policy, and then click Yes.
6. Right-click the Encrypted Data Recovery Agents node, and then click
Initialize Empty Policy.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no rights.

Please note I cannot respond to e-mailed questions; please use these
newsgroups.
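The following PowerShell script is an added example, not part of Mike's post or of any Microsoft documentation. It automates the two stand-alone controls the post describes (the per-folder Desktop.ini marker and the EfsConfiguration registry value) and adds an audit step that lists files already carrying the Encrypted attribute, since the post notes that previously encrypted files can still be copied into a folder that has been marked. The function names and the folder path are assumptions; run it in an elevated session on a machine you administer.

```powershell
# Added example: audit and apply the stand-alone EFS controls from the post.
# Function names and sample paths are constructed for illustration.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsConfigurationState {
    # EfsConfiguration = 1 disables EFS; 0 or absent means EFS is enabled.
    $item = Get-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.EfsConfiguration -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-EfsOnComputer {
    # Step 4 of the registry procedure; a restart is still required (step 5).
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -Value 1 -Type DWord
    Write-Host 'EfsConfiguration set to 1; restart the computer for it to take effect.'
}

function Disable-EfsForFolder {
    param([Parameter(Mandatory)][string]$Folder)
    # Writes the Desktop.ini marker. As the post says, this affects only the
    # folder itself; subfolders created later are still encryptable.
    $ini = Join-Path $Folder 'Desktop.ini'
    Set-Content -Path $ini -Value @('[Encryption]', 'Disable=1') -Encoding ASCII
}

function Test-EfsDisabledForFolder {
    param([Parameter(Mandatory)][string]$Folder)
    # Parses Desktop.ini and returns $true only if the [Encryption] section
    # contains Disable=1, so a stray Desktop.ini without the section is not
    # mistaken for a marker.
    $ini = Join-Path $Folder 'Desktop.ini'
    if (-not (Test-Path $ini)) { return $false }
    $inSection = $false
    foreach ($line in (Get-Content -Path $ini -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Encryption'); continue }
        if ($inSection -and $t -match '^Disable\s*=\s*1$') { return $true }
    }
    return $false
}

function Get-EncryptedFiles {
    param([Parameter(Mandatory)][string]$Folder)
    # Lists files under the folder tree that already have the Encrypted
    # attribute; the Desktop.ini marker does not remove existing encryption.
    Get-ChildItem -Path $Folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object FullName, LastWriteTime
}

# Example usage (constructed path; adjust to your environment):
# Get-EfsConfigurationState
# Disable-EfsForFolder -Folder 'C:\Shares\Public'
# Test-EfsDisabledForFolder -Folder 'C:\Shares\Public'
# Get-EncryptedFiles -Folder 'C:\Shares\Public'
```

Test-EfsDisabledForFolder is the check a practitioner wants after marking a folder, and Get-EncryptedFiles is the follow-up audit: both controls only block new encryption, so files encrypted before the change, or moved in afterwards, need to be found separately.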