How to detect if any files on Domain joined computers are encrypted via EFS
Posted on 2008-11-06
I have been assigned to determine if any computers within my Enterprise AD Domain have any of their files encrypted via EFS. I have no idea how to begin to determine this.
I know via my Default Domain Policy GPO that EFS is enabled within the domain. I am also able to see from the same policy that there exists a certificate for the "File Recovery" purpose that is currently expired. From the little that I know about EFS, I believe that the fact that this certificate is expired means that no "new" encryption can take place, but that any files that exist that were encrypted with this certificate, while it was valid, can still be decrypted.
With all of that said, I need to find out if there is a way for me to tell if any of the computers that are joined to my domain have any of their files encrypted, without having to physically go to all 12,000+ machines personally. I'm guessing that perhaps this could be accomplished via some sort of script that could be delivered as a startup script via a GPO, but even if so, I've no clue how to find or write such a script.
Basically, I'm pretty rough on my overall knowledge of EFS. I'll provide whatever other detail anyone may need. I think I just need a good start in the right direction.
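One way to get the inventory the poster is asking for, as an added example that is not part of the original post: EFS marks every encrypted file and folder with the NTFS `Encrypted` attribute, and that attribute is visible to any account that can list the directory, whether or not it holds a key for the file and regardless of which certificate (user or recovery agent) was used. So a GPO startup script running as SYSTEM can walk each local fixed disk, collect the paths carrying that attribute, and drop one CSV per machine on a central share. The share path below is an assumed placeholder, and the script is written against PowerShell cmdlets available since early versions rather than the newer `-Attributes` switch.

```powershell
# Added example, not from the original post: inventory EFS-encrypted files on this machine
# and write the result to a central share. Intended to run as a GPO computer startup script
# (i.e. as SYSTEM) so it sees every profile on the box.

$ReportShare  = '\\REPORT-SERVER\EFSAudit$'   # ASSUMED placeholder; point at a share SYSTEM can write to
$ComputerName = $env:COMPUTERNAME
$Encrypted    = [System.IO.FileAttributes]::Encrypted

# Enumerate every local fixed disk (Win32_LogicalDisk DriveType 3), not just C:.
$Drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

# Walk each drive; -Force includes hidden/system items, errors (access denied, long paths) are skipped.
# The -band test on the attribute flags works on any PowerShell version.
$Findings = @(
    foreach ($Root in $Drives) {
        Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $Encrypted) -eq $Encrypted } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Computer  = $ComputerName
                    Path      = $_.FullName
                    IsFolder  = $_.PSIsContainer
                    # Owner tells you whose key (or the recovery agent's) is likely needed; reading
                    # the ACL does not require being able to decrypt the file.
                    Owner     = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
                    LastWrite = $_.LastWriteTime
                }
            }
    }
)

# Always emit a row so machines with nothing encrypted are still accounted for in the roll-up.
if ($Findings.Count -eq 0) {
    $Findings = @(New-Object PSObject -Property @{
        Computer = $ComputerName; Path = '<none>'; IsFolder = $false; Owner = ''; LastWrite = ''
    })
}

$Findings |
    Select-Object Computer, Path, IsFolder, Owner, LastWrite |
    Export-Csv -Path (Join-Path $ReportShare "$ComputerName.csv") -NoTypeInformation
```

Once the per-machine CSVs have landed, `Get-ChildItem \\REPORT-SERVER\EFSAudit$ | Import-Csv` on the collector gives the domain-wide list; the `Owner` column is what matters when deciding whether the expired recovery certificate leaves any files with no usable key. The built-in `cipher.exe /u /n` produces a similar local listing without touching the files, so it is a reasonable spot check on a single machine before rolling the GPO out.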