Encryption Policy for Active Directory Member Laptops

Posted on 2004-10-25
Last Modified: 2013-12-04
I have been asked to look into an encryption policy for our laptop users, who are all using Windows XP. My IT Director believes that Windows XP encryption will probably do what we want. I have read the following Microsoft document: Knowledge Base article Q223316

But I am a bit confused by it all. We are moving to Active Directory in the coming months, so I am happy to disregard settings for an NT4 domain.

Which folders cannot be encrypted?
As a Domain Administrator how can I ensure that I can always access encrypted files?
How does encryption handle offline synchronised files? I don't mind if the files are not encrypted on the server.
How does encryption handle roaming profiles on the server? Again, I don't mind if the files are not encrypted on the server.
I would prefer to use Group Policy in Active Directory.

All I want to achieve is that, if the laptop is stolen, user data cannot be accessed even if they reset the local administrator password.


Question by:GeeDoubleU-UK
    LVL 3

    Accepted Solution

    By default, the Recovery Agent in the domain is the domain administrator. After you install Active Directory, and after the XP laptops are joined to the Active Directory domain, any files that are encrypted after that point will be readable by the person who encrypted them plus the Recovery Agent.

    The Recovery Agent's key resides only on domain controllers. If you logged on to the laptop as administrator you would still not be able to read the files. You would have to back up the files with the built-in Windows Backup program, restore them on the domain controller, and then be able to decrypt the files as Administrator.

    There are ways around this but exporting the RA's key from the domain controllers is not a wise security practice.

    Think of EFS this way: whose NTFS is it? If the encrypted file is on the hard drive of the laptop, then the laptop is doing the encrypting/decrypting. If the encrypted file is on the network server, then the file server is encrypting/decrypting it, and it is sent over the network unencrypted. If the user copies the file (because copying always creates a new file, which inherits the destination folder's attributes, including the encrypted/decrypted flag), or moves it to a floppy, ZIP or USB disk, or to any FAT32 or FAT16 partition, or e-mails the file as an attachment, it is no longer encrypted (unless the destination folder is an encrypted folder on NTFS).

    If the user logs in to the laptop with a local account, the recovery agent will not be able to decrypt the files. To protect against that possibility, you should export the key for each local user to a secure file in the event that the user accounts database is ever damaged (due to a virus, a re-install of the OS, etc).
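The two traps in this answer (the encrypted attribute is lost when a file is copied to a FAT or removable volume, and a folder marked "encrypted" does not prove every file inside it actually is) can be audited from PowerShell. This is an added example, not code from the thread or from Microsoft; it needs Windows PowerShell 2.0 or later (installable on XP), the profile path and folder list are assumed values, and `cipher /c` is a Vista-and-later switch (on XP, efsinfo.exe from the Support Tools gives the same information).

```powershell
# Added example (not from the original thread). Audits a laptop for the EFS
# pitfalls described in the accepted answer: volumes that cannot carry the
# encrypted attribute, and files in "should be encrypted" folders that are
# still plaintext. Run it as the user whose data you are checking.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings\jsmith',   # assumed path
    [string[]]$Folders   = @('My Documents', 'Favorites', 'Cookies',
                             'Application Data', 'Local Settings\Application Data')
)

# 1. Copying or moving an EFS file to FAT/FAT32 (floppy, ZIP, USB stick) silently
#    writes it in the clear. List every removable (2) or fixed (3) volume that is
#    not NTFS so users can be warned about them. (Get-WmiObject: Windows PowerShell.)
function Get-NonNtfsVolume {
    Get-WmiObject Win32_LogicalDisk |
        Where-Object { ($_.DriveType -eq 2 -or $_.DriveType -eq 3) -and $_.FileSystem -ne 'NTFS' } |
        Select-Object DeviceID, FileSystem, DriveType
}

# 2. The Encrypted bit in FileAttributes is what EFS sets per file. Marking a
#    folder encrypted only guarantees that NEW files are encrypted; existing
#    files are converted only if the tool was told to (Explorer's "apply to
#    files" prompt, or cipher /a), so check each file rather than the folder.
function Get-EfsState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
            }
        }
}

$nonNtfs = @(Get-NonNtfsVolume)
$report  = @(foreach ($f in $Folders) { Get-EfsState (Join-Path $ProfileRoot $f) })
$plain   = @($report | Where-Object { -not $_.Encrypted })

'Volumes where EFS protection is lost on copy/move:'
$nonNtfs | Format-Table -AutoSize
'Files checked: {0}   encrypted: {1}   still plaintext: {2}' -f $report.Count, ($report.Count - $plain.Count), $plain.Count
$plain | ForEach-Object { $_.Path }

# 3. Who can open an encrypted file? On Vista and later "cipher /c <file>" prints
#    the user certificate and the recovery agent(s) in the file's header; on XP
#    the Support Tools' efsinfo.exe gives the same view ("efsinfo /u /r <file>").
#    Shown for the first encrypted file found.
$first = $report | Where-Object { $_.Encrypted } | Select-Object -First 1
if ($first) { & cipher.exe /c "$($first.Path)" }
```

If the last step shows only the user's own certificate and no recovery agent, the file was encrypted before the laptop joined the domain (or under a local account) and the domain Recovery Agent cannot open it; `cipher /u` re-stamps existing files with the current recovery agent once the user is logged on as the domain account.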
    LVL 3

    Expert Comment

    From your point of view, you tell the user that they have to always log in as their domain user account (which works with cached credentials even when they have no network connection). You set their profile directory to encrypted. Now their favorites, cookies, documents, etc. are encrypted. You might want to exclude or redirect the Temporary Internet Files folder from being encrypted, but maybe you prefer that all cached pages from the sites they browse also be encrypted. Be aware there is going to be a performance hit on encrypting and decrypting the files.

    Now if they decide to log on as a local user and do their own thing, their local user accounts data folders could still be set to encrypted, but you may not be able to recover their files if a corruption of the user accounts database occurs. If they care about their data enough and you explain that only files saved as user domain\username are recoverable in the event of a problem, then they should comply.

    If someone wants to badly enough, they can change the local administrator's password and log in as local administrator. They can put the drive in another 2000/XP machine. But they won't be able to read the encrypted files encrypted by the domain user's account.
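Both replies make the same point about local (non-domain) accounts: the domain Recovery Agent cannot open their files, so the only safety net is a backup of that user's own EFS certificate and private key. The script below is an added example, not code from the thread; it exports that key to a password-protected PFX using the .NET X509 classes (which also exist on XP with the .NET Framework installed). The output directory is an assumed location; it should be removable media kept away from the laptop. It deliberately touches only the user's key, not the Recovery Agent's, which the accepted answer says should stay on the domain controllers.

```powershell
# Added example (not from the original thread). Backs up the current user's
# EFS certificate + private key to a password-protected PFX, so that files
# encrypted under a local account can still be recovered after a reinstall or
# a damaged user accounts database. Run as that user.
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'      # Encrypting File System extended key usage
$outDir    = 'E:\efs-key-backup'            # assumed: a USB stick or other secure medium

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.37 is the Extended Key Usage extension; an EFS certificate lists the EFS OID in it.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    foreach ($usage in $eku.EnhancedKeyUsages) {
        if ($usage.Value -eq $efsEkuOid) { return $true }
    }
    return $false
}

function Get-EfsCertificate {
    # The user's EFS key lives in the CurrentUser\My store; only entries that
    # still have their private key are any use for recovery.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        @($store.Certificates | Where-Object { $_.HasPrivateKey -and (Test-EfsCertificate $_) })
    } finally {
        $store.Close()
    }
}

function Export-EfsKey {
    param([string]$Directory, [System.Security.SecureString]$Password)
    if (-not (Test-Path -LiteralPath $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    foreach ($cert in Get-EfsCertificate) {
        # PFX = certificate plus private key, encrypted with the supplied password.
        # The password never exists as a plain .NET string here: Export() takes the SecureString.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        $file  = Join-Path $Directory ('efs-{0}-{1}.pfx' -f $env:USERNAME, $cert.Thumbprint)
        [IO.File]::WriteAllBytes($file, $bytes)
        'Exported {0} (valid until {1}) to {2}' -f $cert.Subject, $cert.NotAfter, $file
    }
}

$pfxPassword = Read-Host -AsSecureString 'Password for the PFX file'
Export-EfsKey -Directory $outDir -Password $pfxPassword
```

To recover on a rebuilt machine, log on as the (new) local user, import the PFX with `certutil -user -importPFX <file>` or by double-clicking it, and the old files open again. A user may have more than one EFS certificate over time (a new one is generated if the profile is lost), which is why every matching certificate is exported. Treat the PFX and its password as equivalent to the data itself: a thief who finds both on the laptop has defeated the whole scheme.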

    Author Comment

    That's great, I understand this better now. I'm assuming that as long as you are in AD the Domain Controllers are the RA, so a Network Administrator can always recover encrypted details. Regarding the User Profile, can this be encrypted when in AD using roaming profiles? My NT4 environment doesn't like it.
    LVL 3

    Expert Comment

    The User Profile is essentially the same as the Documents and Settings\username directory, plus of course the user's registry (HKEY_CURRENT_USER).

    If you want parts or all of that directory encrypted, you would just encrypt it the same as any other directory, using Windows Explorer or CIPHER.EXE.

    I would limit the amount of data you encrypt for performance reasons. The directories that contain most of your users' data are: My Documents, Cookies, Favorites, and the Application Data and Local Settings\Application Data directories. Outlook already has a way to encrypt the .PST file with a password, and due to the size of this file (or your .OST file in the case of Exchange Server) it might cause a big impact on performance if you try to encrypt it with EFS.
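The selective approach in this reply (encrypt the folders that hold the data, leave the Outlook stores alone) and the earlier suggestion to encrypt the profile from the domain account can be scripted with CIPHER.EXE. The script below is an added example, not code from the thread. Because EFS keys are per user, this cannot be a plain GPO setting; deploy it as a logon script (User Configuration > Windows Settings > Scripts in the GPO) so it runs as the owner of the files, which is also how it lands on every domain-joined laptop without visiting each one. The folder names are the XP profile layout; the exclusion list is an assumed choice.

```powershell
# Added example (not from the original thread). Encrypts the data-bearing parts
# of the logged-on user's profile with CIPHER.EXE and then decrypts the file
# types the reply recommends leaving out. Intended as a GPO logon script.
$profileRoot = $env:USERPROFILE
$toEncrypt   = @('My Documents', 'Favorites', 'Cookies',
                 'Application Data', 'Local Settings\Application Data')
$keepPlain   = @('.pst', '.ost')     # Outlook stores: large, and Outlook has its own password

function Protect-ProfileFolder {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # /e encrypt, /s:dir recurse, /a files as well as folders (without /a only the
    # folder gets the flag and the files already in it stay plaintext), /i carry on past errors.
    & cipher.exe /e /s:"$Path" /a /i | Out-Null
}

function Unprotect-ExcludedFile {
    param([string]$Root, [string[]]$Extensions)
    # Files that were already present picked up the folder's flag in step 1, so the
    # excluded types are decrypted again one by one. EFS decides at file creation:
    # Outlook's in-place updates keep these plaintext, but a brand-new store created
    # later inside an encrypted folder will be encrypted and should be excluded again.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            & cipher.exe /d /a "$($_.FullName)" | Out-Null
            $_.FullName
        }
}

foreach ($rel in $toEncrypt) { Protect-ProfileFolder (Join-Path $profileRoot $rel) }
$decrypted = @(Unprotect-ExcludedFile -Root $profileRoot -Extensions $keepPlain)

# Temporary Internet Files lives directly under Local Settings, not under
# Local Settings\Application Data, so the list above leaves the browser cache
# unencrypted; add 'Local Settings\Temporary Internet Files' to $toEncrypt to
# include it, at the cost the reply warns about.

# Show the result: with only /s:dir, cipher lists each item as U (unencrypted) or E (encrypted).
foreach ($rel in $toEncrypt) {
    $dir = Join-Path $profileRoot $rel
    if (Test-Path -LiteralPath $dir) { & cipher.exe /s:"$dir" }
}
'Decrypted (excluded) files: {0}' -f $decrypted.Count
```

Run it only after the laptop has joined the domain and the user is logged on with the domain account, so that the recovery agent is written into each file's header; anything encrypted earlier under a local account is tied to that local user's key alone, exactly as the accepted answer describes.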
