Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
Article ID: 222022 - View products that this article applies to.
This article was previously published under Q222022
Microsoft Windows 2000 includes an encryption tool called Encrypting File System (EFS). Clients can use this tool to protect files by encrypting them. However, it is possible that in some environments, an administrator may want to prevent users from encrypting data on their workstations. An administrator can do so for domain clients by modifying a controlling group policy object (GPO) or locally with a local GPO.
Disabling EFS throughout a Windows 2000-based Domain to Modify the "Default Domain Policy" Group Policy Object
To use EFS, the presence of a data recovery policy is required. A data recovery policy configured as "empty" is not treated the same as one configured as "no policy". Setting up "no policy" (deleting policy) allows for the use of the default local policy on computers, in effect permitting local administrators to control the recovery of data on their individual computers. Setting up an "empty policy" turns EFS off, so that users are unable to encrypt files on computers that fall into this category. Because policies are cumulative, enforcing an empty policy at the domain level ensures that all Windows 2000 domain clients are denied EFS capabilities.
Error Applying Attributes
An error occurred applying attributes to the file:
There is no encryption recovery policy configured for this system.
Article ID: 222022 - Last Review: October 30, 2006 - Revision: 3.1