How to detect if any files on Domain joined computers are encrypted via EFS

Posted on 2008-11-06
Last Modified: 2010-04-21
I have been assigned to determine if any computers within my Enterprise AD Domain have any of their files encrypted via EFS. I have no idea how to begin to determine this.

I know via my Default Domain policy GPO that, EFS is enabled within the domain. I am also able to see from the same policy that there exists a certificate for the "File Recovery" purpose that is currently expired. From the little that I know about EFS, I believe that the fact that this cert. is expired means that no "new" encryption can take place but that any files that exist that were encrypted with this cert., while it was valid, can still be un-encrypted.

With all of that said, I need to find out if there is a way for me to tell if any of the computers that are joined to my domain have any of their files encrypted without having to physically go to all 12,000+ machines personally. I'm guessing that perhaps this could be accomplished via some sort of script that could be delivered as a startup script via a GPO but even if so, I've no clue of how to find or write such a script.

Basically, I'm pretty rough on my overall knowledge of EFS. I'll provide whatever other detail anyone may need. I think I just need a good start in the right direction.
Question by:otifrank
    Expert Comment

    by:Dave Howe
    This is a common question. One MS answer is here:

    You can deliver such a script via GPO or, more commonly, login scripts; the more awkward part is actually consolidating the information into a single report, rather than gathering it per machine.

    Author Comment

    Wonderful answer. If I could beg just a bit more indulgence.

    I have a limited understanding of scripting in general, but enough to understand what it is this script is doing. Where are the results of the script's findings going? Could you offer any assistance as to how I would get the results?

    The overall goal is not so much to know the status of every single file on every single machine but rather to know which machines are currently encrypting any files via EFS. I don't know if this makes it any harder or easier.

    Thanks for the help so far.
    Accepted Solution

     In that MS example, it looks up the properties of a single file (hardcoded in the SQL-like syntax of WMI calls) in the collection of all files, then enumerates them.

      In practice, you would only want to check the "Encrypted=True" files, so that can be in the WQL. You will also probably want to limit the search to the C: drive (otherwise any searchable drive will be checked, including network shares and mounted optical media).

      Here is a short (three-line) test example which counts the number of encrypted files on the local C: drive, and then pops up a msgbox with that value:


    ' Connect to the local WMI service (root\cimv2), impersonating the caller
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")

    ' WQL: only files on C: that carry the Encrypted attribute; other drives
    ' (network shares, optical media) are deliberately left out of the scan
    Set sql_result = objWMIService.ExecQuery("SELECT name FROM CIM_Datafile WHERE Drive='C:' AND Encrypted=True")

    ' Number of matching files on this machine
    msgbox cstr(sql_result.count)


      Obviously, you could write the cstr() to a file (locally or on a server), or use net send to send a message containing it to an alert host. A useful DOS utility is "blat!", which allows you to send an email from scripts without having to first register a component; you could also register a component (that's easily enough done from VBS) and use that.

    Adding a "for each file_element in sql_result" line, followed by some use of it, followed by "next", would let you write the filenames someplace, if you wanted a more detailed report.
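The workflow the accepted solution sketches (per-machine WMI query, results written to a server, then consolidated into one report), carried through as an added example. This is not code from the thread or from Microsoft; it is a PowerShell rewrite of the same WQL query that also covers the two points the answer raises: limiting the scan to local disks, and merging the per-machine output. The share name `\\reportsrv\efsreports$`, the CSV layout and the function names are assumptions made here, not anything the original post states.

```powershell
# Added example (not from the original thread). Per-machine EFS inventory for
# a computer startup script, plus the consolidation step.
# Assumed names: the share '\\reportsrv\efsreports$' and the CSV layout below.

function Get-EfsEncryptedFile {
    # Same WQL the accepted answer uses, but run once per local fixed disk
    # (Win32_LogicalDisk DriveType 3), so mapped network drives and optical
    # media are never enumerated. Returns the full path of each encrypted file.
    $fixedDisks = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'
    foreach ($disk in $fixedDisks) {
        $drive = $disk.DeviceID      # e.g. 'C:'
        Get-CimInstance -ClassName CIM_DataFile -Filter "Drive = '$drive' AND Encrypted = TRUE" |
            Select-Object -ExpandProperty Name
    }
}

function New-EfsInventoryRecord {
    # Builds the per-machine record the answer suggests writing "locally or on
    # a server". The count is what the stated goal (which machines use EFS at
    # all) needs; only a few sample paths are kept for follow-up.
    param([string[]]$EncryptedFiles, [int]$SampleSize = 5)
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CollectedUtc       = (Get-Date).ToUniversalTime().ToString('o')
        EncryptedFileCount = @($EncryptedFiles).Count
        SamplePaths        = (@($EncryptedFiles) | Select-Object -First $SampleSize) -join ';'
    }
}

function Write-EfsInventoryRecord {
    # One CSV per computer, named after the computer, so thousands of startup
    # scripts never contend for a single file. The share is an assumed name.
    param(
        [Parameter(Mandatory)] $Record,
        [string]$ReportShare = '\\reportsrv\efsreports$'
    )
    $path = Join-Path $ReportShare ("{0}.csv" -f $Record.ComputerName)
    $Record | Export-Csv -Path $path -NoTypeInformation -Force
}

function Merge-EfsInventory {
    # The consolidation step the expert called the awkward part: read every
    # per-machine record and return only the machines that actually hold
    # encrypted files, highest counts first.
    param([string]$ReportShare = '\\reportsrv\efsreports$')
    Get-ChildItem -Path $ReportShare -Filter '*.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { [int]$_.EncryptedFileCount -gt 0 } |
        Sort-Object { [int]$_.EncryptedFileCount } -Descending
}

# Startup-script entry point (skipped when the file is dot-sourced so the
# functions can be reused from an admin console for the merge step).
if ($MyInvocation.InvocationName -ne '.') {
    $files  = @(Get-EfsEncryptedFile)
    $record = New-EfsInventoryRecord -EncryptedFiles $files
    Write-EfsInventoryRecord -Record $record
}
```

Two practical caveats when deploying this. Enumerating CIM_DataFile walks every file on the disk, so on a large drive the query takes minutes; run it as a startup script or scheduled task rather than in a logon script that blocks the user, and on old clients without PowerShell 3 replace `Get-CimInstance` with `Get-WmiObject -Query`. The records reveal file paths, so give Domain Computers only create/write rights on the report share and keep read access for the admins doing the merge; a machine that can read the share can otherwise see which files on other machines users chose to encrypt.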

    Author Closing Comment

    Thank You so much. This should get me started on my way. I think with some help from a coworker, we can get the script together and running.
