How to detect if any files on Domain joined computers are encrypted via EFS

I have been assigned to determine if any computers within my Enterprise AD Domain have any of their files encrypted via EFS. I have no idea how to begin to determine this.

I know via my Default Domain policy GPO that EFS is enabled within the domain. I am also able to see from the same policy that there exists a certificate for the "File Recovery" purpose that is currently expired. From the little that I know about EFS, I believe that the fact that this cert. is expired means that no "new" encryption can take place, but that any files that exist that were encrypted with this cert., while it was valid, can still be un-encrypted.

With all of that said, I need to find out if there is a way for me to tell if any of the computers that are joined to my domain have any of their files encrypted, without having to physically go to all 12,000+ machines personally. I'm guessing that perhaps this could be accomplished via some sort of script that could be delivered as a startup script via a GPO, but even if so, I've no clue how to find or write such a script.

Basically, I'm pretty rough on my overall knowledge of EFS. I'll provide whatever other detail anyone may need. I think I just need a good start in the right direction.
otifrank asked:
Dave Howe, Software and Hardware Engineer, commented:
This is a common question. One MS answer is here:

http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_ciaj.mspx?mfr=true

You can deliver such a script via GPO or, more commonly, login scripts; the more awkward part is actually consolidating the information into a single report, rather than gathering it per-machine.
0
otifrank (Author) commented:
Wonderful answer. If I could beg just a bit more indulgence.

I have a limited understanding of scripting in general, but enough to understand what it is this script is doing. Where are the results of the script's findings going? Could you offer any assistance as to how I would get the results?

The overall goal is not so much to know the status of every single file on every single machine but rather to know which machines are currently encrypting any files via EFS. I don't know if this makes it any harder or easier.

Thanks for the help so far.
0
Dave Howe, Software and Hardware Engineer, commented:
In that MS example, it looks up the properties of a single file (hardcoded in the SQL-like syntax of WMI calls) in the collection of all files, then enumerates them.

In practice, you would only want to check the "Encrypted=True" files, so that can be in the WQL. You will also probably want to limit the search to the C: drive (or any searchable drive will be checked, including network shares and mounted optical media).

Here is a short (three line) test example which counts the number of encrypted files on the local C: drive, and then pops a msgbox with that value:

-=-=-=-=-=-=-=-=-=-=-=-=-=-

' Connect to the local WMI service (the "." host) in the default CIMv2 namespace
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")

' WQL query: only files on C: whose EFS "Encrypted" attribute is set
Set sql_result = objWMIService.ExecQuery("SELECT name FROM CIM_Datafile where Drive='C:' AND Encrypted=True")

' Show how many matching files were found
msgbox cstr(sql_result.count)

-=-=-=-=-=-=-=-=-=-=-=-=-=-

Obviously, you could write the cstr() to a file (locally or on a server), or use net send to send a message containing it to an alert host. A useful DOS utility is "blat!", which allows you to send an email from scripts without having to first register a component; you could also register a component (that's easily enough done from VBS) and use that.

Adding a "for each file_element in sql_result" line, followed by some usage of file_element.name, followed by "next", would let you write the filenames someplace, if you wanted a more detailed report.
0
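The answer above leaves the consolidation step (getting 12,000 per-machine results into one report) as an exercise. As an added example, not from the answerer or from Microsoft, here is the same WQL query expressed in PowerShell so that it can run as a GPO startup script and drop one CSV per host onto a central share, followed by the merge step run on the report server. The share path \\REPORTSERVER\EfsInventory$ is an assumed placeholder; everything else uses only the CIM_DataFile class and filter already shown on the page.

```powershell
# --- Part 1: runs on each domain computer (e.g. as a GPO startup script) ---
# Added example, not part of the original answer.
# ASSUMPTION: \\REPORTSERVER\EfsInventory$ is a placeholder share that the
# computer accounts ("Domain Computers") have write access to, since a startup
# script runs as the machine's SYSTEM account, not as a user.
$ReportShare = '\\REPORTSERVER\EfsInventory$'

# Same query as the VBScript answer: only EFS-encrypted files, only on C:.
# Enumerating CIM_DataFile over a whole volume is slow, so this belongs at
# startup or off-hours, not in an interactive login script.
$query     = "SELECT Name FROM CIM_DataFile WHERE Drive='C:' AND Encrypted=True"
$encrypted = @(Get-CimInstance -Query $query -ErrorAction SilentlyContinue)

# One row per machine: the goal is "which hosts have any EFS files", not a
# full file listing, so keep only a count plus a handful of sample paths.
$result = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Checked        = (Get-Date).ToString('s')
    EncryptedCount = $encrypted.Count
    SampleFiles    = (($encrypted | Select-Object -First 5 -ExpandProperty Name) -join ';')
}

# Write the row to a per-host file so concurrent machines never collide.
$outFile = Join-Path $ReportShare ("{0}.csv" -f $env:COMPUTERNAME)
$result | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# --- Part 2: runs once on the report server to build the single report ---
# Merge every per-host CSV and list only hosts that currently have at least
# one EFS-encrypted file, worst first.
$summary = Get-ChildItem -Path $ReportShare -Filter '*.csv' |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object  { [int]$_.EncryptedCount -gt 0 } |
    Sort-Object   { [int]$_.EncryptedCount } -Descending

$summary | Format-Table ComputerName, EncryptedCount, Checked, SampleFiles -AutoSize
$summary | Export-Csv -Path (Join-Path $ReportShare 'efs-summary.csv') -NoTypeInformation
```

Two practical notes. Get-CimInstance requires PowerShell 3.0 or later; on older hosts (the Windows Server 2003 era this thread is tagged with) substitute Get-WmiObject -Query with the same WQL string, and on hosts with no PowerShell at all the VBScript from the answer can write the same CSV line instead. Also, a machine that reports zero encrypted files today is not proof that the File Recovery agent certificate was never used; since that recovery certificate is already expired, any host that does show a non-zero count is the one to follow up on, because its files can only be recovered while the matching private keys are still available.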
otifrank (Author) commented:
Thank You so much. This should get me started on my way. I think with some help from a coworker, we can get the script together and running.
0