Re: Enabling EFS in only one OU

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 09/01/04

Next message: Dmitry Korolyov [MVP]: "Re: Network security: Force logoff when logon hours expire"
Previous message: Mike Cason: "Re: Group Policy - Terminal Server"
In reply to: Ryan Nordman: "Enabling EFS in only one OU"
Next in thread: Ryan Nordman: "Re: Enabling EFS in only one OU"
Reply: Ryan Nordman: "Re: Enabling EFS in only one OU"
Messages sorted by: [ date ] [ thread ]

Date: Wed, 1 Sep 2004 10:29:11 +0400

You can disable it in a domain-wide policy, for example Default Domain
Policy. Then you can create an additional GPO, define the setting to enable
EFS, and link this GPO to the OU with your laptop accounts.

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Active Directory
  "Ryan Nordman" <spacerobots@hotmail.com> wrote in message
news:7ffe4526.0408310836.5cd27e07@posting.google.com...
  Hi, I just wanted to check with some experts about the way the in
  Computer Configuration/Windows Settings/Security Settings/Public Key
  Policies, Properties of Encrypting File System: "Allow users to
  encrypt files using Encrypting File System" setting gets applied
  through group policy.
  In my testing so far, it seems that since this setting can only be
  Enabled or Disabled, and there is no "Not Defined" setting, if it's
  set to disabled somewhere, that automatically overrides all other GPOs
  with higher precedence that have it set to Enabled.  This is a minor
  annoyance because in our design we want to disable EFS for all
  machines in the domain except for the offline files cache of our
  laptops whose computer objects will all be in a lower level OU.  So as
  far as I can tell I need to go to each OU that contains computer
  objects and disable EFS, and make sure that it is not disabled in any
  OU that contains the Mobile Computers OU.  Is this correct?  Or is it
  more likely I've made a mistake in my GP settings or testing?
  Thanks,
  -Ryan

Next message: Dmitry Korolyov [MVP]: "Re: Network security: Force logoff when logon hours expire"
Previous message: Mike Cason: "Re: Group Policy - Terminal Server"
In reply to: Ryan Nordman: "Enabling EFS in only one OU"
Next in thread: Ryan Nordman: "Re: Enabling EFS in only one OU"
Reply: Ryan Nordman: "Re: Enabling EFS in only one OU"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: EFS files without recovery agent
... Someone before me has configured EFS policy in "Default Domain GPO". ... "EFS GPO" where I created Recovery agent with proper certificate. ...
(microsoft.public.security)
Re: EFS files without recovery agent
... being managed by that GPO. ... actual settings differ you need to investigate if there is a problem with GP ... before to apply EFS settings and import the new RA certificate into it under ... Someone before me has configured EFS policy in "Default Domain GPO". ...
(microsoft.public.security)
Re: Enable EFS --- GPO Problem
... Please visit the experts in the Group Policy newsgroup ... Windows - Shell/User ... | applied a GPO that is supposed to allow users to use EFS on the ...
(microsoft.public.windowsxp.security_admin)
Re: Enabling EFS in only one OU
... just a single check box for "Allow users to encrypt files using ... I enabled EFS on that GPO. ... I'll change our group policy structure so that it is ...
(microsoft.public.windows.group_policy)
Re: EFS files without recovery agent
... Another thing you could try is to move the new GPO to the top ... Default Domain Policy, but I have not delete EFS policy itself. ... It looks like I cannot clear settings that was enabled or disabled ...
(microsoft.public.security)