How to detect if any files on Domain joined computers are encrypted via EFS

Posted on 2008-11-06
Medium Priority
Last Modified: 2010-04-21
I have been assigned to determine if any computers within my Enterprise AD Domain have any of their files encrypted via EFS. I have no idea how to begin to determine this.

I know via my Default Domain policy GPO that, EFS is enabled within the domain. I am also able to see from the same policy that there exists a certificate for the "File Recovery" purpose that is currently expired. From the little that I know about EFS, I believe that the fact that this cert. is expired means that no "new" encryption can take place but that any files that exist that were encrypted with this cert., while it was valid, can still be un-encrypted.

With all of that said, I need to find out if there is a way for me to tell if any of the computers that are joined to my domain have any of their files encrypted without having to physically go to all 12,000+ machines personally. I'm guessing that perhaps this could be accomplished via some sort of script that could be delivered as a startup script via a GPO but even if so, I've no clue of how to find or write such a script.

Basically, I'm pretty rough on my overall knowledge of EFS. I'll provide whatever other detail anyone may need. I think I just need a good start in the right direction.
Question by:otifrank
LVL 33

Expert Comment

by:Dave Howe
ID: 22902572
This is a common question. One MS answer is here:


You can deliver such a script via GPO or, more commonly, login scripts; the more awkward part is actually consolidating the information into a single report, rather than gathering it per-machine.

Author Comment

ID: 22903781
Wonderful answer. If I could beg just a bit more indulgence.

I have a limited understanding of scripting in general, but enough to understand what it is this script is doing. Where are the results of the script's findings going? Could you offer any assistance as to how I would get the results?

The overall goal is not so much to know the status of every single file on every single machine but rather to know which machines are currently encrypting any files via EFS. I don't know if this makes it any harder or easier.

Thanks for the help so far.
LVL 33

Accepted Solution

Dave Howe earned 2000 total points
ID: 22904632
In that MS example, it looks up the properties of a single file (hardcoded in the SQL-like syntax of WMI calls) in the collection of all files, then enumerates them.

In practice, you would only want to check the "Encrypted=True" files, so that can be in the WQL. You will also probably want to limit the search to the C: drive (or every searchable drive will be checked, including network shares and mounted optical media).

Here is a short (three line) test example which counts the number of encrypted files on the local C: drive, and then pops a msgbox with that value:


' Connect to the local WMI repository (root\cimv2) with impersonation so the
' query runs as the calling user.
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")

' WQL: only files on C: whose EFS Encrypted attribute is set.
Set sql_result = objWMIService.ExecQuery("SELECT name FROM CIM_Datafile where Drive='C:' AND Encrypted=True")

' Number of matching files; zero means no EFS-encrypted files on C:.
msgbox cstr(sql_result.count)


Obviously, you could write the cstr() to a file (locally or on a server), or use net send to send a message containing it to an alert host. A useful DOS utility is "blat!" which allows you to send an email from scripts without having to first register a component; you could also register a component (that's easily enough done from VBS) and use that.

Adding a "for each file_element in sql_result" line, followed by some usage of file_element.name, followed by "next" would let you write the filenames someplace, if you wanted a more detailed report.
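The same WQL query, carried through to the consolidation step the accepted answer says is the awkward part, as an added PowerShell example that is not part of the original answer. It assumes a writable share named \\REPORTSERVER\efs$ (a placeholder, not from the thread) that the computer account can reach at startup, and PowerShell 2.0 or later on the clients. Each machine writes its own CSV so 12,000 startup scripts never contend for one file, and the server-side function merges only the machines that actually reported encrypted files:

```powershell
# Added example, not the answerer's code. Placeholder share: replace before use.
$ReportShare = '\\REPORTSERVER\efs$'

function Write-EfsReport {
    # Runs on each domain-joined client (e.g. as a GPO startup script).
    # Scans only $Drive, as in the accepted answer; a full-drive CIM_DataFile
    # query still walks every file, so expect minutes on a large disk.
    param([string]$Share = $ReportShare, [string]$Drive = 'C:')

    $query = "SELECT Name FROM CIM_DataFile WHERE Drive='$Drive' AND Encrypted=True"
    $encrypted = @(Get-WmiObject -Query $query -ErrorAction SilentlyContinue)

    # One summary row per machine; hashtable order is not preserved in PS 2.0,
    # so Select-Object fixes the column order before export.
    $record = New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Timestamp = (Get-Date).ToString('s')
        Count     = $encrypted.Count
        Sample    = (($encrypted | Select-Object -First 5 | ForEach-Object { $_.Name }) -join ';')
    }
    $record | Select-Object Computer, Timestamp, Count, Sample |
        Export-Csv -Path (Join-Path $Share "$($env:COMPUTERNAME).csv") -NoTypeInformation

    # Full path list, written only where there is something to list.
    if ($encrypted.Count -gt 0) {
        $encrypted | ForEach-Object { $_.Name } |
            Set-Content -Path (Join-Path $Share "$($env:COMPUTERNAME)-files.txt")
    }
    return $record
}

function Merge-EfsReports {
    # Runs once on the report server: merge all per-machine CSVs into one
    # table of computers that currently hold at least one EFS-encrypted file.
    param([string]$Share = $ReportShare)
    Get-ChildItem -Path $Share -Filter '*.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { [int]$_.Count -gt 0 } |
        Sort-Object -Property Computer
}

# Client side (startup script):
Write-EfsReport | Out-Null
# Server side, when the reports have arrived:
#   Merge-EfsReports | Format-Table -AutoSize
```

The Count column is what the original question actually needs (which machines are encrypting anything), while the per-machine files.txt gives the detailed listing the answer describes with the "for each" loop. Because the query is read-only and the script runs under the computer account, the share should be writable for Domain Computers but not readable by ordinary users, since the file list itself reveals which documents staff chose to protect.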

Author Closing Comment

ID: 31513896
Thank You so much. This should get me started on my way. I think with some help from a coworker, we can get the script together and running.
