Steven
Mon Sep 18 16:21:07 CDT 2006
Hi Yuriy.
There is no "undefined" for the setting you talk about. I would think however
that if you put your new EFS GPO at the top of the list for the domain
container, what is configured in it would prevail for computers that are
being managed by that GPO [unless the default domain GPO is enforced]. Keep in
mind that when you change a GP setting at the domain/OU level it can
take up to two hours for the changes to propagate unless you run gpupdate
/force or reboot the domain computer. Another thing to try is to use RSOP in
planning mode on a Windows 2003 domain controller to see if it shows what
you expect for your policy settings for the computer. If the projected and
actual settings differ you need to investigate whether there is a problem with
GP applying to the computer. You could just use your default domain GPO as
before to apply EFS settings and import the new RA certificate into it under
public key policies.
Steve
"Yuriy" <nepyyvoda@gmail.com> wrote in message
news:1158594181.694960.33080@h48g2000cwc.googlegroups.com...
> Hi Steven,
>
> Sorry if I wasn't so clear. The full story goes like this.
> Someone before me configured the EFS policy in the "Default Domain GPO".
> The recovery agent account was deleted at some stage, so the policy became
> unusable and I decided to recreate it, but as a separate GPO, let's say
> "EFS GPO", where I created a recovery agent with a proper certificate.
> That is the point where the problem started.
> You helped me sort out the problem where the client computer was getting
> the Default Domain GPO with no Recovery Agent. So I deleted the EFS policy
> from the "Default Domain GPO". The problem now is that every time I
> try to clear the tick box
> "Allow users to encrypt files using Encrypted File System (EFS)" in the
> "Encrypted File System" properties box, which is under "Public Key
> Policies", on the "Default Domain GPO", it permanently disables users'
> ability to encrypt files even if I specify the opposite in the "EFS GPO".
> I already tried changing the priority of the policies and setting "EFS GPO"
> to "Enforce", but nothing helps. It seems to me there is no option to
> set the "Allow users to encrypt files using Encrypted File System (EFS)"
> option back to a default like "not defined" on the "Default Domain GPO". In
> other words, it always shows in the "Group Policy Management" console in the
> "Settings" view either as "Enable" or "Disable" and is not skipped in the
> list like the other settings that were never defined.
>
> My question is: Is it possible to set it as "not defined" for
> "Default Domain GPO"?
>
> Thank you.
> Yuriy
>
>
>
> Steven L Umbach wrote:
>> Glad to hear you got one problem solved and thanks for reporting back
>> what you found. However I don't quite understand the other problem. I
>> believe you say that you want users to be able to use EFS on XP Pro
>> computers [that setting does not apply to Windows 2000 computers] but you
>> want to clear that setting?? Another thing you could try is to move the
>> new GPO to the top of the list in the domain container and then reboot one
>> of the XP Pro computers to see if that helps or not, or just leave it
>> enabled in the default domain GPO.
>>
>> Steve
>>
>>
>> "Yuriy" <nepyyvoda@gmail.com> wrote in message
>> news:1158318316.357221.57030@i42g2000cwa.googlegroups.com...
>> > Thank you Steven,
>> >
>> > That was the problem in my case! I had deleted the recovery agent from
>> > the Default Domain Policy, but I had not deleted the EFS policy itself.
>> > RSoP.msc shows only the policies that have been applied, and in fact
>> > there were 2, the new one with a certificate and the old one without.
>> > Because I saw only one certificate I made the wrong assumption that only
>> > one policy had been applied.
>> > The tool that really helped me was gpmc.msc and its "Group Policy
>> > Result" section. It shows which policy won.
>> >
>> > Unfortunately one problem still exists.
>> > "Allow users to encrypt files using Encryption File System (EFS)" must
>> > be enabled in "Default Domain Policy". When I try to clear it and
>> > enable it in the new "EFS GPO" the client will not pick up this setting
>> > even after changing the policy priority and enforcing it.
>> > It looks like I cannot clear a setting that was enabled or disabled
>> > once, and "Default Domain Policy" will have the highest priority
>> > regardless of other settings. Is it true?
>> >
>> > Thank you,
>> > Yuriy
>> >
>> > Steven L Umbach wrote:
>> >> Also check that any Group Policy that could apply to the computer
>> >> other than the one you want to have for EFS shows "no encrypted file
>> >> system policies defined". That is different than a defined policy that
>> >> has no RA. A defined policy with no RA will cause EFS to fail on
>> >> Windows 2000 computers that have that policy applied and for XP Pro
>> >> computers to not have any RA. If nothing seems to work try creating a
>> >> test OU with a new test GPO linked to it with the RA defined in that
>> >> GPO. Move a couple of computers into that OU and then reboot them to
>> >> see if the RA applies to them or not. Also examine the certificate that
>> >> you are using for the RA to make sure it is an RA certificate.
>> >>
>> >> Steve
>> >>
>> >>
>> >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/efs.mspx
>> >>
>> >>
>> >> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> >> news:efnCiO51GHA.4108@TK2MSFTNGP04.phx.gbl...
>> >> > I would double check any GPO that could apply to that computer as, if
>> >> > I remember correctly, rsop.msc does not show which GPO is applying
>> >> > the RA.
>> >> >
>> >> > Steve
>> >> >
>> >> >
>> >> > "S0k1l" <nepyyvoda@gmail.com> wrote in message
>> >> > news:1158135892.176021.105220@b28g2000cwb.googlegroups.com...
>> >> >> Hi,
>> >> >>
>> >> >> First of all thank you for your response, but unfortunately that is
>> >> >> not the issue.
>> >> >> The Group Policy with the EFS recovery agent settings is linked to
>> >> >> the domain (let's say company.com), and RSoP.msc shows that the
>> >> >> policy has been applied to the computer (at least to all that I have
>> >> >> checked), with the valid recovery agent certificate.
>> >> >> Maybe there is something else that I have not paid attention to?
>> >> >> All your ideas are appreciated.
>> >> >>
>> >> >> Yuriy
>> >> >>
>> >> >> Steven L Umbach wrote:
>> >> >>> Try running rsop.msc on one of the XP computers to see if it shows
>> >> >>> that the setting has applied to the domain computer. Note that the
>> >> >>> RA setting is computer configuration which means that the computer
>> >> >>> account must be within the scope of management for that GPO. In
>> >> >>> other words if you configured it in a GPO linked to an OU the
>> >> >>> computer account must exist in that OU or a child OU of that OU. If
>> >> >>> you believe it should apply to the computer then check the
>> >> >>> application log for errors/warnings for userenv and scecli that
>> >> >>> could indicate a problem with Group Policy application to the
>> >> >>> domain computer. Also keep in mind that it can take up to two hours
>> >> >>> for GP settings to propagate unless you reboot or run gpupdate on
>> >> >>> the domain computer.
>> >> >>>
>> >> >>> Steve
>> >> >>>
>> >> >>>
>> >> >>> <nepyyvoda@gmail.com> wrote in message
>> >> >>> news:1158072131.740190.251830@b28g2000cwb.googlegroups.com...
>> >> >>> > Hi,
>> >> >>> >
>> >> >>> > I'm experiencing a strange problem with EFS on my domain, and
>> >> >>> > wonder if anyone can help me understand what is happening.
>> >> >>> >
>> >> >>> > I have recently configured an EFS group policy, created a
>> >> >>> > recovery agent, and applied it at the domain level.
>> >> >>> > Now users are able to encrypt files, but there is no Recovery
>> >> >>> > agent in the list when I open the Encryption details window.
>> >> >>> >
>> >> >>> > All domain controllers are Win2003 (Win 2000 native functional
>> >> >>> > level) and workstations are WinXP.
>> >> >>> >
>> >> >>> > Can anyone give me some ideas where it went wrong?
>> >> >>> >
>> >> >>> > Regards,
>> >> >>> > Yuriy.
>> >> >>> >
>> >> >>
>> >> >
>> >> >
>> >
>
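The client-side checks Steven recommends across this thread (confirm which GPOs the computer actually applied, tell "no encrypted file system policy defined" apart from "policy defined but no RA", and look for Userenv/SceCli errors in the Application log within the two-hour refresh window) gathered into one PowerShell script. This is an example added for this page, not code posted in the thread. It assumes the XP/2003-era registry location of the machine EFS policy (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS, with EfsConfiguration = 1 meaning EFS disabled and EfsBlob holding the recovery policy) and the text layout of gpresult /v output; both should be confirmed on the system at hand.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on the
# client whose EFS behaviour is being investigated, after "gpupdate /force".

# 1. Effective machine EFS policy as delivered by Group Policy.
#    ASSUMED registry location and value semantics for the XP/2003-era setting
#    "Allow users to encrypt files using EFS": EfsConfiguration = 1 disables EFS,
#    EfsBlob carries the recovery policy (RA certificates).
$efsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

if (Test-Path $efsPolicyKey) {
    $efs = Get-ItemProperty -Path $efsPolicyKey

    if ($efs.PSObject.Properties['EfsConfiguration']) {
        if ($efs.EfsConfiguration -eq 1) {
            Write-Output 'EFS policy present: encryption DISABLED for users (EfsConfiguration=1)'
        } else {
            Write-Output "EFS policy present: encryption allowed (EfsConfiguration=$($efs.EfsConfiguration))"
        }
    } else {
        Write-Output 'EFS policy key present, EfsConfiguration not set (setting not defined)'
    }

    # Policy key present but no recovery blob is the "defined policy with no RA"
    # condition from the thread: Windows 2000 clients fail, XP clients get no RA.
    if ($efs.PSObject.Properties['EfsBlob']) {
        Write-Output "Recovery policy blob present ($($efs.EfsBlob.Length) bytes)"
    } else {
        Write-Output 'WARNING: EFS policy defined but no recovery policy blob (no recovery agent)'
    }
} else {
    Write-Output 'No EFS policy key: no encrypted file system policy applies to this computer'
}

# 2. Which GPOs the computer applied, i.e. the "which policy won" question the
#    thread answers with gpmc.msc Group Policy Results. gpresult /v prints an
#    "Applied Group Policy Objects" section terminated by a blank line (ASSUMED layout).
$gpresultText = gpresult /scope computer /v 2>&1 | Out-String
if ($gpresultText -match '(?s)Applied Group Policy Objects\s*-+\s*(.*?)\r?\n\s*\r?\n') {
    Write-Output 'Applied computer GPOs, as reported by gpresult:'
    $Matches[1] -split '\r?\n' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'Could not locate the Applied Group Policy Objects section in gpresult output'
}

# 3. Group Policy processing errors/warnings in the last two hours (the refresh
#    window the thread mentions). Userenv and SceCli are the XP/2003 Application
#    log sources named in the thread; newer Windows versions record Group Policy
#    events in the System log under Microsoft-Windows-GroupPolicy instead.
$since = (Get-Date).AddHours(-2)
$gpSources = @('Userenv', 'SceCli')
$problems = Get-EventLog -LogName Application -After $since -ErrorAction SilentlyContinue |
    Where-Object { $gpSources -contains $_.Source -and
                   @('Error', 'Warning') -contains [string]$_.EntryType }

if ($problems) {
    Write-Output 'Group Policy processing problems since last refresh window:'
    $problems | Select-Object TimeGenerated, Source, EventID, EntryType | Format-Table -AutoSize
} else {
    Write-Output 'No Userenv/SceCli errors or warnings in the Application log since ' + $since
}
```

If step 1 reports the policy key absent while the GPO you expect to apply is listed in step 2, the policy is reaching the machine but the setting is not being written, which is the situation to take to RSoP planning mode on a domain controller as suggested above. If step 2 does not list the GPO at all, the computer account is outside the GPO's scope of management or the link order/enforcement is not what you think it is.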