You can control the EFS environment for your organization through Group Policy. Domain-level Group Policy settings can enforce a recovery policy, specify recovery agents for the domain, and restrict users in the domain from using EFS altogether.
To view or configure EFS settings in the domain, follow these steps:
1. Open Active Directory Users and Computers.
2. Right-click the appropriate domain and select Properties.
3. Click the Group Policy tab.
4. Select the appropriate policy object from the list and click Edit.
5. Expand Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System.
In this area of the Group Policy Editor, you will see a list of the active certificates for designated recovery agents. You can add to the list of recovery agents in two ways. First, you can select from a list of existing certificates in the directory and add the certificate to the list. To do this, right-click Encrypting File System and select Add Data Recovery Agent. This opens the Add Recovery Agent Wizard, which walks you through the steps of selecting an existing user with an EFS certificate in the directory to add to the list of recovery agents. Second, you can create a new certificate to add to the list. To do this, right-click Encrypting File System and select Create Data Recovery Agent. This creates a new EFS certificate for the logged-in user and makes that user a recovery agent in the domain. If you want to remove a recovery agent, right-click the recovery agent certificate and select Delete.
Windows Server 2003 differs from Windows 2000 Server in the way recovery agent certificates are handled. In a Windows 2000 server environment, removing all recovery agent certificates from a Group Policy Object (GPO) disables EFS for the container to which the GPO was applied. Not so in Windows Server 2003.
Removing all recovery agent certificates in a Windows Server 2003 environment simply means that files encrypted after the recovery agent certificates have been removed will not have a recovery agent that can decrypt them if the encrypting user's key is damaged or lost.
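As an added example that is not part of the original text: a PowerShell script that prepares a recovery agent certificate with cipher.exe (the command-line counterpart of the Create Data Recovery Agent step) and then lists the encrypted files that would need cipher /u once the new recovery policy has been applied. The output folder and file name are assumptions; it has to run with administrative rights on a Windows machine that ships cipher.exe.

```powershell
# Added example, not the book's own procedure: generate an EFS recovery agent
# certificate and list encrypted files that still carry the old recovery policy.
param(
    [string]$OutDir = 'C:\EFS-DRA',            # assumed output folder
    [string]$AgentName = 'EFS-Recovery-Agent'  # assumed base name for .cer/.pfx
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$base = Join-Path $OutDir $AgentName

# cipher /r: writes a self-signed recovery agent certificate (.cer) and the
# matching private key (.pfx); it prompts for a password to protect the .pfx.
& cipher.exe "/r:$base"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

$cer = "$base.cer"
$pfx = "$base.pfx"
if (-not (Test-Path $cer) -or -not (Test-Path $pfx)) {
    throw 'Recovery agent certificate files were not created'
}

# Record the thumbprint of the public certificate before importing the .cer
# through the Add Data Recovery Agent wizard, so the GPO entry can be verified.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
'Recovery agent: {0}' -f $cert.Subject
'Thumbprint:     {0}' -f $cert.Thumbprint
'Valid until:    {0}' -f $cert.NotAfter

# The .pfx is the recovery private key. The policy only needs the .cer, and
# whoever holds the .pfx can decrypt every file the policy covers.
Write-Warning "Move $pfx to offline, access-controlled storage and remove the local copy."

# Files encrypted while no recovery agent was in effect (the Windows Server 2003
# behaviour described above) keep whatever recovery fields they were written with.
# /u /n only lists encrypted files; once the new policy has applied (gpupdate),
# run 'cipher /u' without /n to stamp the current recovery agent onto each file.
& cipher.exe /u /n
```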
If you want to disable EFS altogether for the domain, right-click Encrypting File System and select Properties. In the Properties window, uncheck the Allow users to encrypt files using Encrypting File System check box. Making this change prevents users on any computer in that domain from using EFS on the local system. When implementing a new Active Directory structure, it is best to disable EFS for the directory until you have had a chance to plan and implement your EFS policy for the environment. You can add and create recovery agent certificates in a GPO before enabling EFS for the environment.