How do I get EFS working on a domain-joined computer?

  • Question

  • How do I get EFS working on a domain joined computer?

    This question pertains primarily to XP and 2000/2003, although we would also like it to work under Vista. (Posted here because no non-Vista forums seem to be listed anymore, and searches did not turn up any non-Vista forums either. The only forums listed seem to be for Office Beta, Longhorn, Exchange, or SQL Server. If anyone knows how to access XP or general system admin forums I would be happy to repost there.)

    Any attempt to encrypt a file results in an error message: "Recovery policy configured for this system contains invalid recovery certificate." (Some other computers did work for a while but then stopped when a default certificate expired. We fixed these by deleting their certificates and setting the EFS policy to 'do not require certificate'.)

    Is there a simple policy change that can be made to make all PCs not require a recovery certificate, or to supply them all with a certificate? (If there is, please can you tell me!)

    The encryption is only to protect data on the local PC and prevent it being taken off the local PC by another user. No recovery by an alternate user or on an alternate PC is planned so I don't think a recovery certificate is required.

    Setting the local security policy for Encrypted File System to 'Do not require recovery certificate' does not seem to have any effect on the PC in question, although it did seem to work on my PC, which is on another domain (currently, however, it says there is no policy defined on my PC but encryption still works!).

    I have the certificate console MMC add-in set up and I do seem to be able to create EFS certificates, but this is not preferred as a lot of users and PCs need to be set up. Also I cannot find any way to apply a certificate to the EFS, but I'm hoping I won't need to anyway.

    Any help would be gratefully received,

    Matt.


    Friday, February 9, 2007 12:02 PM

Answers

  • Forgive me for talking to myself but I have found a solution and am posting it here in case anyone else has the same problem.

    The solution is pretty much as I outlined above, except that in this case a group policy was overriding local policy, so changing the local policy had no effect even though the changes seemed to have stuck (limited security access, and the fact that the servers are thousands of miles away on another continent so I had no direct access at the time, made this harder to spot).

    Further investigation showed that the group policy had an expired certificate under the Public Key Policy or Encrypting File System keys. The solution is to delete the expired certificate.


    Friday, February 9, 2007 4:05 PM
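The answer above explains the failure mode (a domain GPO delivering an expired data recovery agent certificate that shadows the local "no recovery agent" setting) but gives no way to confirm it from the affected client. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the EFS recovery policy that Group Policy has written to the local machine and reports each recovery agent certificate with its expiry. It assumes the policy lands under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates` and that each `Blob` value uses the serialized certificate-store element layout (records of property ID, reserved DWORD, length, data) in which property 0x20 holds the DER certificate; the function names are the example's own.

```powershell
# Added example (not from the original thread): list the EFS data recovery agent
# certificates that Group Policy has applied to this computer and flag any that
# have expired. Run in an elevated PowerShell prompt on the affected client.
#
# Assumptions (not stated on the page):
#   - GPO-delivered EFS recovery agents are stored under $PolicyStore, one subkey
#     per certificate thumbprint, each with a REG_BINARY 'Blob' value.
#   - 'Blob' is the serialized certificate-store element format: repeated records
#     of (UInt32 propId, UInt32 reserved, UInt32 length, byte[length] data), and
#     propId 0x20 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.

$PolicyStore = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function Get-CertFromStoreBlob {
    # Walk the property records and return the certificate found in property 0x20.
    param([byte[]]$Blob)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $pos)
        $len    = [BitConverter]::ToUInt32($Blob, $pos + 8)
        $data   = $pos + 12
        if ($data + $len -gt $Blob.Length) { break }   # truncated/corrupt blob
        if ($propId -eq 0x20) {
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $data, $der, 0, $len)
            return New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $pos = $data + $len
    }
    return $null
}

function Get-EfsRecoveryAgentStatus {
    # One object per recovery agent certificate delivered by Group Policy.
    if (-not (Test-Path $PolicyStore)) {
        Write-Warning 'No GPO-delivered EFS recovery agents found; the local policy is in effect.'
        return
    }
    Get-ChildItem -Path $PolicyStore | ForEach-Object {
        $blob = (Get-ItemProperty -Path $_.PSPath).Blob
        $cert = Get-CertFromStoreBlob -Blob $blob
        if ($null -eq $cert) { return }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

Get-EfsRecoveryAgentStatus | Format-Table -AutoSize
```

A row with `Expired = True` is the certificate the answer says to remove; it has to be removed from the GPO itself (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Encrypting File System in the Group Policy editor for that domain policy), not from the local machine, because the next `gpupdate /force` would write it back. This is also why the later reply sees the certificate in rsop.msc but not gpedit.msc: gpedit.msc edits only the local policy, while rsop.msc shows the resultant set that includes domain GPOs. One caveat worth knowing before deleting: files already encrypted while that agent was in effect carry a recovery field for its key, so deleting the agent removes the recovery path for those files rather than breaking them; if recovery is wanted after all, `cipher /r:<basename>` generates a replacement recovery agent certificate and key pair to add to the GPO instead.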

All replies

  • Hi Matt, how did you find this expired certificate? I can see it under rsop.msc but not under gpedit.msc. I'm having the same problem.

    Thursday, May 24, 2012 6:59 AM