default domain policy + EFS
default domain policy + EFS Rob 06-07-2007
Posted by Rob on June 7, 2007, 10:50 am
W2000 AD with W2000 pro & XP pro sp2 clients
All domain admin pcs are xp pro sp2 with gpmc installed

I have implemented EFS and it's all tested ok with the exception of one
problem:

I would like to disable EFS across the domain and only allow specific user
OU's to be able to use EFS. For that purpose I have created a policy
defining the recovery agents - these are the same agents that already exist
in the default domain policy.

The problem is that if I uncheck the "allow user to encrypt..." box (thereby
disabling EFS) my policy allowing EFS loses out to the default domain policy.

I have tried to create a 'No policy' by deleting the recovery agents but
this did not seem to work.
Any ideas anyone?
thanks

Posted by RedForeman on June 7, 2007, 4:17 pm
> W2000 AD with W2000 pro & XP pro sp2 clients
> All domain admin pcs are xp pro sp2 with gpmc installed
>
> I have implemented EFS and it's all tested ok with the exception of one
> problem:
>
> I would like to disable EFS across the domain and only allow specific user
> OU's to be able to use EFS. For that purpose I have created a policy
> defining the recovery agents - these are the same agents that already exist
> in the default domain policy.
>
> The problem is that if I uncheck the "allow user to encrypt..." box (thereby
> disabling EFS) my policy allowing EFS loses out to the default domain policy.
>
> I have tried to create a 'No policy' by deleting the recovery agents but
> this did not seem to work.
> Any ideas anyone?
> thanks

Couldn't you have more than one OU? Specific EFS users on one OU,
others in another....

or am I missing something?


Posted by Brian Komar on June 7, 2007, 7:44 pm
On Thu, 07 Jun 2007 20:17:47 -0000, RedForeman wrote:

>> W2000 AD with W2000 pro & XP pro sp2 clients
>> All domain admin pcs are xp pro sp2 with gpmc installed
>>
>> I have implemented EFS and it's all tested ok with the exception of one
>> problem:
>>
>> I would like to disable EFS across the domain and only allow specific user
>> OU's to be able to use EFS. For that purpose I have created a policy
>> defining the recovery agents - these are the same agents that already exist
>> in the default domain policy.
>>
>> The problem is that if I uncheck the "allow user to encrypt..." box (thereby
>> disabling EFS) my policy allowing EFS loses out to the default domain policy.
>>
>> I have tried to create a 'No policy' by deleting the recovery agents but
>> this did not seem to work.
>> Any ideas anyone?
>> thanks
>
> Couldn't you have more than one OU? Specific EFS users on one OU,
> others in another....
>
> or am I missing something?

The big thing you are missing is that EFS policy is a *machine* policy, not
a user policy. It is the machine accounts that are affected by the policy,
not the user accounts.
You are changing a policy that does not apply to the machine accounts
(assuming they are not in the same OU), so of course the domain policy is
being applied.
Brian
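Brian's point is that the GPO has to reach the computer account's OU, not the user's. The script below is an added example (not from the thread or from any poster) that checks exactly that for one host: it finds where the machine account sits, lists the GPO links from the domain root down to that OU in application order with their Enforced flags, and then reads the EFS state the policy actually produced on the client. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, WinRM access to the client, and the hypothetical host name WKS-EFS-01.

```powershell
# Added example: trace EFS policy scope for one machine account.
# Assumes RSAT modules ActiveDirectory + GroupPolicy and WinRM to the client.
param([string]$ComputerName = 'WKS-EFS-01')   # hypothetical host name

Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Locate the *machine* account. EFS policy lives under Computer
#    Configuration, so this path decides what applies, not the user's OU.
$computer = Get-ADComputer -Identity $ComputerName
$dn       = $computer.DistinguishedName
Write-Host "Machine account: $dn"

# 2. Build the OU chain from the domain root down to the computer's OU.
#    Only OU= containers are collected; Get-GPInheritance does not accept
#    plain containers such as CN=Computers.
$domainDn = (Get-ADDomain).DistinguishedName
$chain    = @()
$current  = ($dn -split ',', 2)[1]            # drop the CN=<computer> RDN
while ($current -and $current -ne $domainDn) {
    if ($current -like 'OU=*') { $chain += $current }
    $current = ($current -split ',', 2)[1]
}
$chain += $domainDn
[array]::Reverse($chain)                      # root first = LSDOU application order

# 3. Show every linked GPO at each level. An Enforced link higher up (for
#    example on the Default Domain Policy) wins over a conflicting child link,
#    which is the symptom described in the thread.
foreach ($container in $chain) {
    $inh = Get-GPInheritance -Target $container
    foreach ($link in $inh.GpoLinks) {
        '{0,-55} {1,-30} Enforced={2} Enabled={3}' -f $container, $link.DisplayName, $link.Enforced, $link.Enabled
    }
    if ($inh.GpoInheritanceBlocked) { "  (inheritance blocked at $container)" }
}

# 4. Effective result on the host. On XP/2003-era clients the policy's
#    "allow users to encrypt" checkbox drives this value: 1 = EFS disabled,
#    absent or 0 = EFS allowed.
$efs = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' `
        -ErrorAction SilentlyContinue).EfsConfiguration
}
if ($efs -eq 1) { "EFS is DISABLED on $ComputerName" } else { "EFS is allowed on $ComputerName" }
```

If the OU you linked the "allow EFS" GPO to never appears in the printed chain, the machine account is not under it and the GPO cannot take effect no matter how the link is ordered or enforced.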

Posted by Rob on June 8, 2007, 3:26 am
Sorry, I didn't explain that well.

I didn't mean a User policy - I just meant that I have an OU containing
user/ computer accounts that I want to have EFS enabled on and I want all
other user/ computer accounts on the domain to have disabled EFS.

So, on my default domain policy, if I uncheck the "allow users to use EFS"
this prevents all users from using EFS and my downlevel policy - linked to
the OU that allows EFS - is overruled by the default domain policy.

If I leave the box checked but delete all the recovery agents this has no
effect either - other users can still encrypt.

If I uncheck the box and delete the RAs, the default domain policy still
overrides.

I have also selected to enforce the linked policy and set the precedence so
that the allow EFS OU is the last to be applied.

I'm testing whether the policy has been applied using the gpmc tool.
I've had a look at:
http://support.microsoft.com/kb/222022
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsck_efs_cjqo.mspx?mfr=true

but I can't see how I can disable EFS for some users and allow others if the
original setting (by that I mean when the administrator first logged on) is
in the default domain policy.

Thanks
"Brian Komar" wrote:

> On Thu, 07 Jun 2007 20:17:47 -0000, RedForeman wrote:
>
> >> W2000 AD with W2000 pro & XP pro sp2 clients
> >> All domain admin pcs are xp pro sp2 with gpmc installed
> >>
> >> I have implemented EFS and it's all tested ok with the exception of one
> >> problem:
> >>
> >> I would like to disable EFS across the domain and only allow specific user
> >> OU's to be able to use EFS. For that purpose I have created a policy
> >> defining the recovery agents - these are the same agents that already exist
> >> in the default domain policy.
> >>
> >> The problem is that if I uncheck the "allow user to encrypt..." box (thereby
> >> disabling EFS) my policy allowing EFS loses out to the default domain policy.
> >>
> >> I have tried to create a 'No policy' by deleting the recovery agents but
> >> this did not seem to work.
> >> Any ideas anyone?
> >> thanks
> >
> > Couldn't you have more than one OU? Specific EFS users on one OU,
> > others in another....
> >
> > or am I missing something?
>
> The big thing you are missing is that EFS policy is a *machine* policy, not
> a user policy. It is the machine accounts that are affected by the policy,
> not the user accounts.
> You are changing a policy that does not apply to the machine accounts
> (assuming they are not in the same OU), so of course the domain policy is
> being applied
> Brian
>

Posted by RedForeman on June 8, 2007, 9:12 am
> On Thu, 07 Jun 2007 20:17:47 -0000, RedForeman wrote:
> >> W2000 AD with W2000 pro & XP pro sp2 clients
> >> All domain admin pcs are xp pro sp2 with gpmc installed
>
> >> I have implemented EFS and it's all tested ok with the exception of one
> >> problem:
>
> >> I would like to disable EFS across the domain and only allow specific user
> >> OU's to be able to use EFS. For that purpose I have created a policy
> >> defining the recovery agents - these are the same agents that already exist
> >> in the default domain policy.
>
> >> The problem is that if I uncheck the "allow user to encrypt..." box (thereby
> >> disabling EFS) my policy allowing EFS loses out to the default domain policy.
>
> >> I have tried to create a 'No policy' by deleting the recovery agents but
> >> this did not seem to work.
> >> Any ideas anyone?
> >> thanks
>
> > Couldn't you have more than one OU? Specific EFS users on one OU,
> > others in another....
>
> > or am I missing something?
>
> The big thing you are missing is that EFS policy is a *machine* policy, not
> a user policy. It is the machine accounts that are affected by the policy,
> not the user accounts.
> You are changing a policy that does not apply to the machine accounts
> (assuming they are not in the same OU), so of course the domain policy is
> being applied
> Brian

Gotcha.... thanks.

