Solved

Preventing Encryption in a W2K domain

Posted on 2003-11-27
5
183 Views
Last Modified: 2013-12-04
I want to remove encryption abilities within my domain.
I understand I have to delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take.
I heard i need to set up an empty policy to ensure lower level  policies dont take precedence...does any one have more detail on this?

Also how do I change the CRL location?
0
Comment
Question by:mistaj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 41

Accepted Solution

by:
graye earned 68 total points
ID: 9832979
First, you'd better make sure that there aren't any existing EFS-encrypted files on your PCs/servers!

Second, are you trying to prevent encryption on a group of servers (or all PCs throughout the domain)?  If it's just on file shares on a group of servers, you can disable the "the computer is trusted for delegation" option in the Security Policies.

Yep, it's considered "best practice" to delete the Encrypted Data Recovery Agents node, and then recreate an empty one in it's place.  This essentially elminates the use of a local policy.
0
 
LVL 6

Assisted Solution

by:Sebo2000
Sebo2000 earned 66 total points
ID: 9833351
If you
 delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take.
People will still be able to encrypt data on the local computers, to disable completly encryprion, in the domain, you have to edit domain policy and just remove Recovery agent ( default admin group) from the plicy, after they will log off and log back in they will not be able to encrypt files and folders even with local certifiacates..
Regards
sebo
0
 

Assisted Solution

by:VKatalov
VKatalov earned 66 total points
ID: 9956295

There is an answer in Microsoft Knowledbe Base:

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;222022

Regards,
  Vladimir
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question