Microsoft Windows 2000 includes an encryption tool called Encrypting File System (EFS). Clients can use this tool to protect files by encrypting them. However, it is possible that in some environments, an administrator may want to prevent users from encrypting data on their workstations. An administrator can do so for domain clients by modifying a controlling group policy object (GPO) or locally with a local GPO.
Disabling EFS throughout a Windows 2000-based Domain to Modify the "Default Domain Policy" Group Policy Object
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- View the appropriate node for your domain, right click this node, and then click Properties.
- Click the Group Policy tab, click the Default Domain Policy GPO, and then click Edit. Note that you do not need to use the Default Domain Policy, you can use a new GPO such as Disable EFS to accomplish the same task.
- In the Group Policy Editor Snap-In, view the following node:
Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
NOTE: If any certificates exist in the right side pane, delete them.
- Right-click the Encrypted Data Recovery Agents node, click Delete Policy, and then click Yes.
- Right-click the Encrypted Data Recovery Agents node, and then click Initialize Empty Policy.
: Users on client workstations to which this policy is applied are no longer able to encrypt files or folders. Also, if users attempt to apply encryption attributes, they will receive the following error message:
Error Applying Attributes
An error occurred applying attributes to the file:
There is no encryption recovery policy configured for this system.
To use EFS, the presence of a data recovery policy is required. A data recovery policy configured as "empty" is not treated the same as one configured as "no policy". Setting up "no policy" (deleting policy) allows for the use of the default local policy on computers, in effect permitting local administrators to control the recovery of data on their individual computers. Setting up an "empty policy" turns EFS off, so that users are unable to encrypt files on computers that fall into this category. Because policies are cumulative, enforcing an empty policy at the domain level ensures that all Windows 2000 domain clients are denied EFS capabilities.