Solved

Preventing Encryption in a W2K domain

Posted on 2003-11-27
5
182 Views
Last Modified: 2013-12-04
I want to remove encryption abilities within my domain.
I understand I have to delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take.
I heard i need to set up an empty policy to ensure lower level  policies dont take precedence...does any one have more detail on this?

Also how do I change the CRL location?
0
Comment
Question by:mistaj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 41

Accepted Solution

by:
graye earned 68 total points
ID: 9832979
First, you'd better make sure that there aren't any existing EFS-encrypted files on your PCs/servers!

Second, are you trying to prevent encryption on a group of servers (or all PCs throughout the domain)?  If it's just on file shares on a group of servers, you can disable the "the computer is trusted for delegation" option in the Security Policies.

Yep, it's considered "best practice" to delete the Encrypted Data Recovery Agents node, and then recreate an empty one in it's place.  This essentially elminates the use of a local policy.
0
 
LVL 6

Assisted Solution

by:Sebo2000
Sebo2000 earned 66 total points
ID: 9833351
If you
 delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take.
People will still be able to encrypt data on the local computers, to disable completly encryprion, in the domain, you have to edit domain policy and just remove Recovery agent ( default admin group) from the plicy, after they will log off and log back in they will not be able to encrypt files and folders even with local certifiacates..
Regards
sebo
0
 

Assisted Solution

by:VKatalov
VKatalov earned 66 total points
ID: 9956295

There is an answer in Microsoft Knowledbe Base:

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;222022

Regards,
  Vladimir
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question