Encryption Policy for Active Directory Member Laptops

Posted on 2004-10-25
Medium Priority
Last Modified: 2013-12-04
I have been asked to look into an encryption policy for our Laptop users who are all using Windows XP. My IT Director believes that Windows XP encryption will probably do what we want. I have read the following Microsoft Documents:-


But I am a bit confused by it all. We are moving to Active Directory in the coming months so am happy to disregard settings for an NT4 Domain.

Which folders cannot be encrypted?
As a Domain Administrator how can I ensure that I can always access encrypted files?
How does encryption handle offline synchronised files, I don't mind if the files are not encrypted on the server?
How does encryption handle roaming profiles on the server, again I don't mind if the files are not encrypted on the server?
I would prefer to use Group Policy in Active Directory.

All I want to achieve is if the laptop is stolen that User Data cannot be accessed even if they reset the local administrator password.


Question by:GeeDoubleU-UK
Accepted Solution

Gargantubrain earned 1500 total points
ID: 12414816
By default, the Recovery Agent in the domain is the domain administrator. After you install active directory, and after the XP laptops are joined to the Active Directory domain, any files that are encrypted after that point will be readable by the person who encrypted them plus the Recovery Agent.

The Recovery Agent's key resides only on domain controllers. If you logged onto the laptop as administrator you would still not be able to read the files. You would have to backup the files with the built-in Windows Backup program, restore them on the domain controller, and then be able to un-encrypt the files as Administrator.

There are ways around this but exporting the RA's key from the domain controllers is not a wise security practice.

Think of EFS this way: Whose NTFS is it? If the encrypted file is on the hard drive on the laptop, then the laptop will be doing the encrypt/decrypt. If the encrypted file is on the network server, then the file server is encrypting/decrypting it, and it is sent over the network unencrypted. If the user copies the file (because copying always creates a new file and inherits the destination folder's attributes, including the encrypted/decrypted flag), or moves it to a floppy or ZIP or USB disk, or to any FAT32 or FAT16 partition, or e-mails the file as an attachment, it is no longer encrypted (unless the destination folder is an encrypted folder on NTFS).

If the user logs in to the laptop with a local account, the recovery agent will not be able to decrypt the files. To protect against that possibility, you should export the key for each local user to a secure file in the event that the user accounts database is ever damaged (due to a virus, a re-install of the OS, etc).
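The two practical points in the answer above, that the encrypted flag does not survive a copy to FAT or to an unencrypted folder, and that a local user's EFS key should be backed up, can be checked and carried out from a script. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes a Windows machine with EFS and cipher.exe available, and the file paths in the usage comments are hypothetical.

```powershell
# Added example (not from the original post). Assumes Windows with EFS and cipher.exe
# on the PATH; the paths in the usage comments are hypothetical.

# Returns $true if the file or folder carries the NTFS Encrypted attribute.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# Copies a file and reports whether encryption survived the copy. A copy onto a
# FAT/FAT32 volume (a USB stick, for instance) or into a non-encrypted NTFS folder
# reports LostEncryption = $true, which is the leak path the answer describes.
function Copy-AndCheckEfs {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    Copy-Item -LiteralPath $Source -Destination $Destination -Force
    $srcEnc = Test-EfsEncrypted -Path $Source
    $dstEnc = Test-EfsEncrypted -Path $Destination
    [pscustomobject]@{
        Source               = $Source
        SourceEncrypted      = $srcEnc
        Destination          = $Destination
        DestinationEncrypted = $dstEnc
        LostEncryption       = ($srcEnc -and -not $dstEnc)
    }
}

# Backs up the calling user's EFS certificate and private key to a password-protected
# PFX file, as the answer recommends for accounts the domain Recovery Agent cannot
# cover. Must be run as the user whose key is being backed up; cipher /x prompts for
# the password interactively and appends the .pfx extension itself.
function Backup-EfsKey {
    param([Parameter(Mandatory)][string]$PfxBaseName)
    & cipher.exe /x "$PfxBaseName"
}

# Usage (hypothetical paths):
# Copy-AndCheckEfs -Source 'C:\Documents and Settings\jdoe\My Documents\notes.txt' -Destination 'E:\notes.txt'
# Backup-EfsKey -PfxBaseName 'D:\efs-backup\jdoe-efs'
```

The attribute check is what matters operationally: a user who sees a file with the green "encrypted" name in Explorer tends to assume the copy on the USB stick is protected too, and `Copy-AndCheckEfs` makes the loss visible. The PFX produced by `Backup-EfsKey` should be stored off the laptop, since a backup kept on the same disk as the encrypted data defeats the purpose.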

Expert Comment

ID: 12414964
From your point of view, you tell the user that they have to always log in as their domain user account (which works with cached credentials even when they have no network connection). You set their profile directory to encrypted. Now their favorites, cookies, documents, etc are encrypted. You might want to exclude or redirect the internet temporary files folder from being encrypted, but maybe you prefer that all cached pages from the sites they browse also be encrypted. Be aware there is going to be a performance hit on encrypting and decrypting the files.

Now if they decide to log on as a local user and do their own thing, their local user accounts data folders could still be set to encrypted, but you may not be able to recover their files if a corruption of the user accounts database occurs. If they care about their data enough and you explain that only files saved as user domain\username are recoverable in the event of a problem, then they should comply.

If someone wants to badly enough, they can change the local administrator's password and log in as local administrator. They can put the drive in another 2000/XP machine. But they won't be able to read the encrypted files encrypted by the domain user's account.

Author Comment

ID: 12464674
That's great, I understand this better now. I'm assuming that as long as you are in AD then the Domain Controllers are the RA, so a Network Administrator can always recover encrypted details. Regarding the User Profile, can this be encrypted when in AD using roaming profiles? My NT4 environment doesn't like it.

Expert Comment

ID: 12464775
The User Profile is essentially the same as the Documents and Settings\username directory, plus of course the user's registry (HKEY_Current_User).

If you want parts or all of that directory encrypted, you would just encrypt it the same as any other directory, using Windows Explorer or CIPHER.EXE

I would limit the amount of data you encrypt for performance reasons. The directories that contain most of your users' data are: My Documents, Cookies, Favorites, and the Application Data and Local Settings\Application Data directories. Outlook already has a way to encrypt the .PST file with a password, and due to the size of this file (or your .ost file in the case of Exchange server) it might cause a big impact on performance if you try to encrypt it with EFS.
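The two expert comments above describe one procedure: encrypt the profile's data directories with CIPHER.EXE, leave Temporary Internet Files out unless you accept the performance cost, and verify the result. The PowerShell below is an added example that is not from the original thread; it assumes a Windows XP-style profile layout under `C:\Documents and Settings\<user>` (the profile root is a parameter) and cipher.exe on the PATH. The folder list is the one the comment names.

```powershell
# Added example (not from the original thread). Assumes cipher.exe and an XP-style
# profile layout; $ProfileRoot is supplied by the caller.

# Folders the expert comment names as holding most of the user's data.
$UserDataFolders = @(
    'My Documents',
    'Cookies',
    'Favorites',
    'Application Data',
    'Local Settings\Application Data'
)

# Returns $true if the folder carries the NTFS Encrypted attribute.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# Encrypts each data folder and its existing contents. Run this AS THE USER who owns
# the profile: EFS encrypts with the calling account's key, so running it as the local
# administrator would leave the user unable to open their own files. New files created
# inside an encrypted folder inherit the attribute automatically.
function Protect-UserProfileData {
    param(
        [Parameter(Mandatory)][string]$ProfileRoot,
        [switch]$IncludeTempInternetFiles   # off by default, per the performance caveat
    )
    $targets = @($UserDataFolders)
    if ($IncludeTempInternetFiles) {
        $targets += 'Local Settings\Temporary Internet Files'
    }
    foreach ($rel in $targets) {
        $full = Join-Path $ProfileRoot $rel
        if (-not (Test-Path -LiteralPath $full)) { continue }
        # /e encrypt, /s:dir recurse into subfolders, /a apply to files too, /q quiet
        & cipher.exe /e /s:"$full" /a /q | Out-Null
    }
}

# Reports the encrypted state of each data folder so the state can be checked after
# Group Policy or a helpdesk visit has applied the setting.
function Get-UserProfileEfsReport {
    param([Parameter(Mandatory)][string]$ProfileRoot)
    foreach ($rel in $UserDataFolders) {
        $full = Join-Path $ProfileRoot $rel
        $exists = Test-Path -LiteralPath $full
        [pscustomobject]@{
            Folder    = $full
            Exists    = $exists
            Encrypted = if ($exists) { Test-EfsEncrypted -Path $full } else { $null }
        }
    }
}

# Usage (hypothetical profile path):
# Protect-UserProfileData -ProfileRoot 'C:\Documents and Settings\jdoe'
# Get-UserProfileEfsReport -ProfileRoot 'C:\Documents and Settings\jdoe' | Format-Table -AutoSize
```

Encrypting the folder rather than individual files is what gives the ongoing protection: documents the user saves later inherit the attribute, whereas a one-off file encryption leaves everything created afterwards in the clear. The report function is the check to run before declaring a laptop compliant, and it will also show the `.pst`/`.ost` location unencrypted if the mailbox file lives under Local Settings\Application Data, which is the performance trade-off the comment flags.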
