Remove domain user ability to encrypt files

Ryan Nordman

Hi,

We're running an entirely Windows Server 2003 network with Windows XP
Pro client machines.

I'm trying to find a way to remove users' ability to encrypt their
files. The extra tricky part is that it has to work in conjunction
with folder redirection. What we want to have is local machines where
none of the user's documents or files can be stored locally, they will
only have permissions to save documents in their My Documents folder.
The My Documents folder will be redirected to a server's shared
folder. But we don't want users to be able to encrypt their files so
that they can't be recovered by an administrator (our organization
will be dealing with sensitive client data that could need to be
recovered from an employee, so we can't have them encrypting their
files).

The solution I'm working towards is to find a way to remove the
"Encrypt contents to secure data" check box from the Properties ->
"Advanced..." button. Is there a way to lock this out with group
policy or something? So far I don't see a way. I've found some
information about how I could lock this down with NTFS folder
permissions regarding writing folder attributes, but since these
folders are redirected, they get automatically created by the user
account on the file share when they login, so each user has full
control of their own directory and I don't see how to automate locking
down each one (besides maybe some advanced scripting).

Any input would be greatly appreciated!
-Ryan
 
Star Fleet Admiral Q

My suggestion - instead of trying to defeat encryption, why not just
designate the "domain" administrator as the recovery agent for all domain
users - then guess what, whether it is encrypted or not, the domain
administrator can do with it what he/she pleases.
 
Ryan Nordman

Right, well, that's fine as long as the recovery agent assignment
works and everything, but if something goes wrong... I mean, why
bother if we can just not have encrypted files at all?
 
Torgeir Bakken (MVP)

Ryan said:
Hi,

We're running an entirely Windows Server 2003 network with Windows XP
Pro client machines.

I'm trying to find a way to remove users' ability to encrypt their
files. [snip]
Hi

For Windows 2000 clients only:

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
http://support.microsoft.com/?kbid=222022

Important: Deleting the EFS recovery agent for the domain will prevent users
on computers running Windows 2000 from encrypting files; however, it will
not prevent users on computers running Windows XP and Windows Server 2003
from encrypting files. In addition, it will disable the recovery agent for
all encrypted files. If users who have previously encrypted files are unable
to decrypt their files for any reason, there will be no recovery agent to
decrypt their files.


For Windows XP Pro and Windows 2003:

How can I disable EFS on Computers Running Windows XP or Windows Server
2003?

The following procedure will show you how to use Group Policy to disable EFS
on computers running Windows XP and Windows Server 2003.

1. Open the GPO that you want to edit. You can use Active Directory Users
and Computers or the GPMC to edit the GPO.
2. In the Group Policy Object Editor, expand Computer Configuration,
expand Windows Settings, expand Security Settings, expand Public Key
Policies, and then click Encrypting File System.
3. Right-click Encrypting File System, and then click Properties.
4. Clear the Allow users to encrypt files using Encrypting File System
(EFS) check box, and then click OK.
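Two follow-up checks an administrator would want after applying the GPO above, as an added PowerShell example that is not part of the thread: confirm the policy actually took effect on a client, and inventory files users had already encrypted, since clearing the check box does not decrypt existing files. It assumes the redirected My Documents root is \\FILESERVER\Users$ (a placeholder), that the account running it can read every user folder, and that the GPO setting is mirrored in the EfsConfiguration registry value (treated here as an assumption; the GPO remains the authoritative control).

```powershell
# Added example, not from the original thread.
param(
    [string]$ShareRoot = '\\FILESERVER\Users$'   # placeholder: your redirected My Documents root
)

# 1. Verify the policy on this machine. EfsConfiguration = 1 means EFS is
#    disabled for the computer. Both the local key and the Policies key are
#    checked because which one the GPO writes is assumed, not confirmed here.
$efsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
)
$disabled = $false
foreach ($key in $efsKeys) {
    $cfg = Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.EfsConfiguration -eq 1) { $disabled = $true }
}
if ($disabled) {
    Write-Host "EFS is disabled on $env:COMPUTERNAME"
} else {
    Write-Warning "EFS still enabled on $env:COMPUTERNAME; run gpupdate /force or check GPO scope"
}

# 2. Disabling EFS leaves already-encrypted files encrypted. List every file
#    under the share that carries the Encrypted attribute, with its owner, so
#    the recovery agent (or the user) can decrypt it before it becomes a problem.
$encrypted = Get-ChildItem -Path $ShareRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$report = Join-Path $env:TEMP 'efs-encrypted-files.csv'
$encrypted | ForEach-Object {
    [pscustomobject]@{
        Path  = $_.FullName
        Owner = (Get-Acl -LiteralPath $_.FullName).Owner
        Bytes = $_.Length
    }
} | Export-Csv -Path $report -NoTypeInformation

Write-Host ("{0} encrypted file(s) found under {1}; report written to {2}" -f @($encrypted).Count, $ShareRoot, $report)
```

Run it on a client for the registry check and on the file server (or any host with read access to the share) for the inventory; `-File` on Get-ChildItem needs PowerShell 3.0 or later.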
 
Ryan Nordman

Marvelous! That's just what I needed. I never thought to get
properties on that Encrypting File System folder, I thought it was
just for key recovery agents. Thanks for your reply Torgeir.

-Ryan

 
