Tired of fighting with Group Policy and Offline File Encryption
- From: "Nivek R." <obi_wan_1111@xxxxxxxxx>
- Date: Thu, 22 Jun 2006 13:13:02 -0600
I'm trying to ensure that the Offline Files (client-side cache), on my
client computers are encrypted. I tried applying the Group Policy:
Computer Config \ Admin Templates \ Network \ Offline Files \ Encrypt the
Offline Files Cache = Enabled, but that only served to grey out the "Encrypt
offline files to secure data" box in the "Folder Options" ==> "Offline
Files" Tab, but did not force a check mark into that box. Essentially, it
took away the user's ability to encrypt the files, but it didn't actually
encrypt them. The same issue was discussed, but not satisfactorily answered
by the MS Tech at
http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2006-04/msg00511.html.
This also led me to look into the hotfix suggested at MS KB810859
(http://support.microsoft.com/default.aspx?scid=kb;en-us;810859), but I
wasn't getting the error that the hotfix applied to in my event logs; also,
my test user is an admin on both machines, so I didn't think the hotfix
should apply. The document was also vague about where the hotfix should be
applied (client or DC?), and it looked as though my settings in the
system.adm file in both locations were correct. I also read various TechNet
articles about EFS, and none seemed to have the answer I was looking for.
In an effort to get to the root of the problem, I've deployed a test lab
with two clients using CSC. On these PCs, I've enabled offline files. I've
checked the "Encrypt..." box on one, but not the other. When I apply the
GP, the encrypt box stays checked or unchecked based upon how it was before
applying the GP. However, when I checked the box on the one computer, the
"encrypting" progress bar never appeared. When I browse to either
computer's CSC directory from my admin computer over the network, no files
appear in green (as they should when encrypted - all systems are running XP
SP2). I tried first re-initializing the cache (CTRL + SHIFT + click
"Delete"), but that didn't help, so I disabled offline files on both
machines, deleted the "EncryptCache" registry value under the following
keys:
HKLM \ Software \ MS \ Windows \ Current Ver \ NetCache (I think this one
has precedence)
HKLM \ Software \ Policies \ Microsoft \ NetCache (Don't even know what this
is for)
I then deleted all items out of the CSC folder on both machines and
rebooted. Re-enabled offline files and encryption, but again, the
"encrypting" progress bar never appeared. So I can't even get the files to
encrypt correctly, let alone get the GPO to apply its encryption policy
correctly. I'm trying to avoid going door-to-door to encrypt files on every
client PC, and trying to make it so users can't decrypt files that have
already been encrypted. Microsoft's documentation has really done nothing
for me here, except maybe run me around in circles. I could insert a
.reg file in a logon.bat; however, I really don't want to give my users
registry access, and I'm not confident that would even work, since nothing
else seems to be actually encrypting the files.
Any help here would be GREATLY APPRECIATED. Thank you.
Pertinent info:
Both PCs are identical - XP SP2 Toshiba laptops, 256MB RAM, GPs are now set
to do nothing except allow the use of EFS - so nothing in GPs should be
interfering with the encryption of files. Other GPs from the same test GPO
were applying correctly when they were enabled. Nothing's compressed (which
would prevent encryption from occurring). Files are on NTFS partitions.
The test users that are trying to encrypt the files are local admins; also,
I've tried applying settings using a Domain Admin as well.
Other pertinent docs I've read through and tried to apply practices from:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/csc_encrypt.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c18621675.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/b505401c-5ec8-4f0f-b82b-ea24b28bfbad1033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/Library/7161080d-270c-4a1c-8ce1-8d45dd6d7b591033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/Library/04122595-5d30-4b19-945a-b6e4bb33bd6f1033.mspx?mfr=true
http://thesource.ofallevil.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://www.microsoft.com/technet/archive/community/columns/tips/inttips.mspx?mfr=true
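
An added diagnostic, not part of the original post: a PowerShell sketch that reports the EncryptCache value under the two NetCache keys the post mentions and counts how many files under the CSC folder carry the NTFS Encrypted attribute (what Explorer shows in green). The full registry paths and the %SystemRoot%\CSC location are assumptions expanded from the post's shorthand; pass the paths used on your systems as parameters.

```powershell
# Added diagnostic sketch (not from the original post). Run elevated on the client.
param(
    # Assumed full forms of the two keys the post abbreviates.
    [string[]]$NetCacheKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\NetCache',
        'HKLM:\Software\Policies\Microsoft\Windows\NetCache'
    ),
    # Assumed default location of the client-side cache.
    [string]$CscPath = (Join-Path $env:SystemRoot 'CSC')
)

# 1. Report EncryptCache under each key, distinguishing "key missing" from "value missing".
foreach ($key in $NetCacheKeys) {
    if (-not (Test-Path $key)) {
        Write-Output ("{0}: key not present" -f $key)
        continue
    }
    $prop = Get-ItemProperty -Path $key -Name EncryptCache -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output ("{0}: EncryptCache not set" -f $key)
    } else {
        Write-Output ("{0}: EncryptCache = {1}" -f $key, $prop.EncryptCache)
    }
}

# 2. Count cached files that carry the NTFS Encrypted attribute.
$errs = @()
$files = @(Get-ChildItem -Path $CscPath -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable errs |
    Where-Object { -not $_.PSIsContainer })
$encrypted = @($files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })

Write-Output ("Files under {0}: {1}" -f $CscPath, $files.Count)
Write-Output ("  with Encrypted attribute: {0}" -f $encrypted.Count)
Write-Output ("  without it:               {0}" -f ($files.Count - $encrypted.Count))

# Unreadable entries mean the counts above are incomplete, so surface them.
if ($errs.Count -gt 0) {
    Write-Output ("  paths that could not be read: {0}" -f $errs.Count)
}
```

Running it before and after a policy refresh on each test client shows whether the setting reached the registry and whether any cached file actually changed state, which are the two things the post checks by hand.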