Solved

Preventing Encryption in a W2K domain

Posted on 2003-11-27
Last Modified: 2013-12-04
I want to remove encryption abilities within my domain.
I understand I have to delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take?
I heard I need to set up an empty policy to ensure lower-level policies don't take precedence... does anyone have more detail on this?

Also how do I change the CRL location?
Question by:mistaj

Accepted Solution

by:
graye earned 68 total points
ID: 9832979
First, you'd better make sure that there aren't any existing EFS-encrypted files on your PCs/servers!

Second, are you trying to prevent encryption on a group of servers (or all PCs throughout the domain)?  If it's just on file shares on a group of servers, you can disable the "the computer is trusted for delegation" option in the Security Policies.

Yep, it's considered "best practice" to delete the Encrypted Data Recovery Agents node, and then recreate an empty one in its place.  This essentially eliminates the use of a local policy.

Assisted Solution

by:Sebo2000
Sebo2000 earned 66 total points
ID: 9833351
If you delete the default recovery agent certificate on the Domain Controller.
Are there any other steps I need to take.
People will still be able to encrypt data on the local computers. To completely disable encryption in the domain, you have to edit the domain policy and just remove the Recovery agent (default admin group) from the policy. After they log off and log back in, they will not be able to encrypt files and folders, even with local certificates.
Regards
sebo

Assisted Solution

by:VKatalov
VKatalov earned 66 total points
ID: 9956295

There is an answer in the Microsoft Knowledge Base:

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;222022

Regards,
  Vladimir
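One way to carry out the first check from the accepted answer (finding existing EFS-encrypted files before the recovery policy is changed), as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later run with rights to read the scanned trees; the root paths and the report file name are placeholders.

```powershell
# Added example: inventory EFS-encrypted files and folders before touching
# the Encrypted Data Recovery Agents policy.
# Assumptions: PowerShell 3.0+; $Roots and $ReportPath are placeholder values.
param(
    [string[]]$Roots      = @('C:\Users', 'D:\Shares'),
    [string]  $ReportPath = '.\efs-inventory.csv'
)

$found = @(foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing path: $root"
        continue
    }
    # -Attributes Encrypted matches the NTFS "encrypted" (EFS) attribute.
    # Folders are included on purpose: a folder marked for encryption causes
    # new files created in it to be encrypted.
    Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes Encrypted `
        -ErrorAction SilentlyContinue -ErrorVariable +scanErrors |
        ForEach-Object {
            # The owner is usually the user who will need to decrypt the item.
            $owner = try {
                (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
            } catch { 'unknown' }
            [pscustomobject]@{
                Path      = $_.FullName
                IsFolder  = $_.PSIsContainer
                Owner     = $owner
                LastWrite = $_.LastWriteTime
            }
        }
})

if ($found.Count -eq 0) {
    Write-Output 'No EFS-encrypted items found under the scanned roots.'
} else {
    $found | Export-Csv -Path $ReportPath -NoTypeInformation
    # Per-owner summary: these users must decrypt their data (or a recovery
    # agent key must be preserved) before encryption is disabled.
    $found | Group-Object Owner | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}

# Unreadable paths mean the inventory is incomplete, so surface them.
if ($scanErrors) {
    Write-Warning "$($scanErrors.Count) paths could not be read; rerun with sufficient rights."
}
```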
