Re: Enabling EFS in only one OU

From: Ryan Nordman (spacerobots_at_hotmail.com)
Date: 09/08/04


Date: 8 Sep 2004 12:46:23 -0700

Thanks for your reply Dmitry. However I'm still finding that this
isn't working as you suggest... I've tried it in a couple test
environments I have here. It's important to note that this setting is
just a single check box for "Allow users to encrypt files using
Encrypting File System". It's either enabled or disabled, and I see
no way to set it as "not defined" unlike most GP settings. As a
result, it seems to me that when it is set to enabled, it acts more
like it is not defined, allowing lower level GPOs which have this set
to disabled to override this setting.

In my test environment, I have an OU called Mobile Computers which
contains a single GPO. I enabled EFS on that GPO. At the domain
level, I created a new GPO and set EFS to disabled. After rebooting a
machine that is in the Mobile Computers OU, I ran resultant set of
policy and found that the EFS check box is unchecked. I can confirm
that EFS is disabled on this machine because I have "encrypt the
offline folder cache" set to enabled, and I receive errors regarding
offline synchronization because it cannot encrypt the cache (when I
enable EFS again, the errors go away).

Has anybody encountered this before? It strikes me as a bug/poorly
documented feature with the way GP works regarding this setting, but
I don't want to jump to conclusions; I could be doing something wrong
on my end. I'd be interested to know if anybody else has tried doing
this. Anyway, I'll change our group policy structure so that it is
explicitly disabled at the lowest level OUs wherever we have machine
objects which should not have EFS. It's just not the best/easiest way
to manage it.

"Dmitry Korolyov [MVP]" <d k@removethispart.mail.ru> wrote in message news:<uukQb0#jEHA.2140@TK2MSFTNGP15.phx.gbl>...
> You can disable it in a domain-wide policy, for example Default Domain
> Policy. Then you can create an additional GPO, define the setting to enable
> EFS, and link this GPO to the OU with your laptop accounts.
>
> --
> Dmitry Korolyov [d k@removethispart.mail.ru]
> MVP: Windows Server - Active Directory
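Added diagnostic, not from the original thread: a PowerShell script that reads the EFS policy value on a machine and then repeats the poster's symptom test (trying to encrypt a file) so the two can be compared after a gpupdate or reboot. It assumes the "Allow users to encrypt files using EFS" setting is written to the EfsConfiguration value under the policy key below (1 = disabled); the scratch file path is constructed.

```powershell
# Added example, not from the original post. Reports the EFS policy value
# that last applied on this machine and verifies it by trying to encrypt a
# scratch file, the same effect the poster observed via the offline-cache errors.
# Assumption: the policy writes EfsConfiguration under this key (1 = disabled).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
$scratch   = Join-Path $env:TEMP 'efs-probe.txt'   # constructed path

function Get-EfsPolicyState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured' from the policy value.
    $v = (Get-ItemProperty -Path $policyKey -Name EfsConfiguration `
          -ErrorAction SilentlyContinue).EfsConfiguration
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v -eq 1)     { return 'Disabled' }
    return 'Enabled'
}

function Test-EfsEncrypt {
    # Returns $true only if a scratch file can actually be EFS-encrypted.
    Set-Content -Path $scratch -Value 'probe' -ErrorAction Stop
    try {
        [System.IO.File]::Encrypt($scratch)
        $attr = (Get-Item $scratch).Attributes
        return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
    } catch {
        return $false      # EFS disabled by policy (or otherwise unavailable)
    } finally {
        Remove-Item $scratch -ErrorAction SilentlyContinue
    }
}

$policy = Get-EfsPolicyState
$works  = Test-EfsEncrypt
"Policy value says: $policy"
"Encrypting a test file: $(if ($works) { 'succeeded' } else { 'failed' })"
if ($policy -eq 'Enabled' -and -not $works) {
    'Mismatch: policy says enabled but encryption fails; run gpresult /v and ' +
    'look for another GPO in the chain that sets EFS to disabled.'
}
```

Run it on a machine in the test OU after each policy change; if "Policy value says: Disabled" appears while the OU GPO has EFS enabled, the domain-level disabled setting is the one that won, which matches the behaviour described above.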
