Configure Group Policy to Support EFS

In this exercise, you will configure Group Policy settings relating to EFS.

Instructions

Ensure the 2823_DC1 and 2823_Client1 virtual machines are started.

Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is [email protected] and his password is [email protected]. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon service. When performing administrative tasks, use the username [email protected] and the password [email protected].

Scenario

Only users in the HR department are permitted to encrypt files by using EFS. These files can be decrypted only by the user who encrypted the file or by a special user designated as the data recovery agent. You will create a new Group Policy object that contains a data recovery agent. You will restrict employees who are not in the HR department from using EFS. Computer objects for employees in the HR department are located in the HR organizational unit. Employees in the HR department use Windows XP Professional client computers. Other employees use Windows XP Professional or Windows 2000 Professional client computers. You will configure Group Policy to prevent computers that are not in the HR organizational unit from using EFS. You will then log on as various users and verify that only HR users are permitted to encrypt files.

Tasks

Detailed steps

1. Create a Group Policy object and link it to the HR organizational unit. Configure the policy to allow users to autoenroll for EFS certificates.

a. Open Group Policy Management Console.

b. Using a method of your choosing, create a new Group Policy object named HR EFS Policy and link it to the HR organizational unit.

c. Configure the HR EFS Policy Group Policy object to allow autoenrollment for user certificates. Ensure that users renew expired certificates, update pending certificates, remove revoked certificates, and update certificates that are based on certificate templates. These settings can be found under the User Configuration/Windows Settings/ Security Settings/Public Key Policies node.

2. Configure the HR EFS Policy Group Policy object to issue a data recovery agent.

■ Using a method of your choosing, add a new EFS Recovery Agent to the HR EFS Policy. Use the certificate stored in the HRRecovery user object.

3. Move the Client1 computer account to the HR OU.

a. Open Active Directory Users and Computers.

b. Using a method of your choosing, move the CLIENT1 computer object and the MEMBER1 computer object from the Computers container to the HR organizational unit.

c. Close all administrative tools and restart the 2823_Client1 guest operating system.


4. Log on as a user in HR and verify that you can encrypt files.

a. Log on to the 2823_Client1 virtual machine using the username [email protected] and the password [email protected].

b. Wait 2 minutes to allow certificate autoenrollment to occur.

c. Create a new file in the My Documents folder.

d. Encrypt the new file.

e. Close all programs and log off.
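Steps 1 through 4 are performed in the Group Policy Management Console and Active Directory Users and Computers in the lab. The script below is an added example, not part of the course material, showing the same configuration done from PowerShell on a domain controller that has the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later; the course's Windows Server 2003 lab VMs do not have them). The domain name contoso.com, the OU paths and the AEPolicy value 7 (autoenrollment enabled with both renewal/update options, the value commonly scripted for that setting) are assumptions; confirm the resulting setting in the GPO editor. Step 2, adding the data recovery agent from the HRRecovery user's certificate, has no built-in cmdlet and stays a GPO editor task.

```powershell
# Added example: scripted equivalent of lab steps 1, 3 and 4 (not course code).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=com'   # placeholder; replace with your domain's DN
$HrOu     = "OU=HR,$DomainDn"     # assumes the HR OU sits at the domain root
$GpoName  = 'HR EFS Policy'

# Step 1a/1b: create the GPO (if it does not exist yet) and link it to the HR OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $HrOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Step 1c: user certificate autoenrollment. The "Autoenrollment Settings" item under
# User Configuration > Windows Settings > Security Settings > Public Key Policies is
# stored in the GPO's registry.pol as the AEPolicy value. Assumed meaning of 7:
#   enable autoenrollment
#   + renew expired certificates, update pending certificates, remove revoked ones
#   + update certificates that use certificate templates
# (0x8000 would mean "disabled"). Verify the checkboxes in the editor afterwards.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Step 2 (data recovery agent from the HRRecovery user object) is done in the GPO
# editor under Computer Configuration > Windows Settings > Security Settings >
# Public Key Policies > Encrypting File System; there is no cmdlet for it.

# Step 3: move CLIENT1 and MEMBER1 from the Computers container into the HR OU.
foreach ($name in 'CLIENT1', 'MEMBER1') {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $HrOu
}
# Restart CLIENT1 afterwards so it picks up its new OU membership, as in step 3c.

# Step 4b: instead of waiting a fixed two minutes, run this on the client as the
# HR user and poll for an autoenrolled certificate carrying the EFS EKU
# (OID 1.3.6.1.4.1.311.10.3.4). Returns $true when one is present.
function Wait-EfsCertificate {
    param([int]$TimeoutSeconds = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $efsCert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
        if ($efsCert) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}
```

Run the first part on the domain controller as the administrative account named in the instructions, and Wait-EfsCertificate on 2823_Client1 after logging on as the HR user. If it returns $false, run gpupdate /force and check that the EFS certificate template is published on the CA and that the HR user has Autoenroll permission on it before moving on to step 4c.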

5. Create a new Group Policy object and link it to the Sales OU. Configure the policy to prevent Sales users' computers from using EFS.

a. Using Group Policy Management Console, create a new Group Policy object named Sales EFS Restriction. Link the Group Policy object to the Sales OU.

b. Configure the Sales EFS Restriction policy to prevent users of Windows XP Professional or Windows 2000 Professional client computers from using EFS.

c. Close all administrative tools.

6. Log on as a user in the sales department and verify that you are unable to use EFS.

a. Using Active Directory Users and Computers, move the Client1 computer account to the Sales OU.

b. Restart the 2823_Client1 guest operating system.

c. Log on to the 2823_Client1 virtual machine as [email protected].

d. Create a new file in the My Documents folder.

e. Encrypt the new file. The encryption attempt should fail, because the Sales EFS Restriction policy now applies to the computer.

f. Open Active Directory Users and Computers.

g. Move the Client1 computer account to the HR OU.

h. Restart the 2823_Client1 guest operating system.
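Steps 5 and 6 configure the Sales restriction and then verify it from the client. The script below is an added example, not part of the course material, using the same GroupPolicy and ActiveDirectory modules as before (Windows Server 2008 R2 or later). The domain name contoso.com and the OU paths are placeholders. The "Allow users to encrypt files using EFS" checkbox on the Encrypting File System policy node corresponds to the EfsConfiguration registry value (1 = EFS disabled), which Windows XP honours; Windows 2000 does not read that value and disables EFS only when the policy defines an empty recovery agent list, which is still set in the GPO editor. The verification function runs on the client and reports whether the Encrypted attribute was actually set, which is the check step 6e asks for.

```powershell
# Added example: scripted equivalent of lab steps 5 and 6 (not course code).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=com'     # placeholder; replace with your domain's DN
$SalesOu  = "OU=Sales,$DomainDn"    # assumed OU paths
$HrOu     = "OU=HR,$DomainDn"
$GpoName  = 'Sales EFS Restriction'

# Step 5a: create the GPO and link it to the Sales OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $SalesOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Step 5b for Windows XP clients: EfsConfiguration = 1 turns EFS off on the computer.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS' `
    -ValueName 'EfsConfiguration' -Type DWord -Value 1 | Out-Null
# Step 5b for Windows 2000 clients: in the GPO editor, under Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies > Encrypting File System,
# define the policy with no recovery agents. Windows 2000 ignores EfsConfiguration.

# Steps 6a and 6g: move the CLIENT1 computer account between OUs (restart after each).
function Move-LabComputer {
    param([string]$Name, [string]$TargetOu)
    Get-ADComputer -Identity $Name | Move-ADObject -TargetPath $TargetOu
}

# Steps 6d/6e, run on the client after logon: create a file in My Documents, try to
# encrypt it with cipher.exe, and return whether the Encrypted attribute was set.
# Expected: $false while CLIENT1 is in the Sales OU, $true once it is back in HR.
function Test-EfsEncryption {
    param(
        [string]$Path = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'efs-test.txt')
    )
    Set-Content -Path $Path -Value 'constructed lab test content'
    & cipher.exe /e $Path | Out-Null     # cipher reports an error when EFS is disabled
    $attrs = (Get-Item -Path $Path).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

# On the domain controller:
Move-LabComputer -Name 'CLIENT1' -TargetOu $SalesOu     # step 6a, then restart CLIENT1
# On CLIENT1 as the Sales user:   Test-EfsEncryption     # step 6e, expect False
# Back on the domain controller, to restore the lab state (steps 6f-6h):
# Move-LabComputer -Name 'CLIENT1' -TargetOu $HrOu        # then restart CLIENT1
```

If Test-EfsEncryption still returns $true in the Sales OU, confirm with gpresult /r on the client that Sales EFS Restriction is listed among the applied computer policies; a computer that has not been restarted since the move will still be processing the HR EFS Policy.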
