Preventing Encryption in a W2K domain

I want to remove encryption abilities within my domain.
I understand I have to delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take?
I heard I need to set up an empty policy to ensure lower-level policies don't take precedence... does anyone have more detail on this?

Also, how do I change the CRL location?
mistaj Asked:

graye Commented:
First, you'd better make sure that there aren't any existing EFS-encrypted files on your PCs/servers!

Second, are you trying to prevent encryption on a group of servers (or all PCs throughout the domain)? If it's just on file shares on a group of servers, you can disable the "the computer is trusted for delegation" option in the Security Policies.

Yep, it's considered "best practice" to delete the Encrypted Data Recovery Agents node, and then recreate an empty one in its place. This essentially eliminates the use of a local policy.
Sebo2000 Commented:
If you
 delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take.
People will still be able to encrypt data on the local computers. To disable encryption completely in the domain, you have to edit the domain policy and just remove the Recovery agent (default admin group) from the policy. After they log off and log back in, they will not be able to encrypt files and folders, even with local certificates.
Regards
sebo
VKatalov Commented:

There is an answer in the Microsoft Knowledge Base:

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;222022

Regards,
  Vladimir