HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain

This article was previously published under Q222022
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft Windows 2000 includes an encryption tool called Encrypting File System (EFS). Clients can use this tool to protect files by encrypting them. However, it is possible that in some environments, an administrator may want to prevent users from encrypting data on their workstations. An administrator can do so for domain clients by modifying a controlling group policy object (GPO) or locally with a local GPO.

back to the top

Disabling EFS throughout a Windows 2000-based Domain to Modify the "Default Domain Policy" Group Policy Object

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. View the appropriate node for your domain, right click this node, and then click Properties.
  3. Click the Group Policy tab, click the Default Domain Policy GPO, and then click Edit. Note that you do not need to use the Default Domain Policy, you can use a new GPO such as Disable EFS to accomplish the same task.
  4. In the Group Policy Editor Snap-In, view the following node:
    Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
    NOTE: If any certificates exist in the right side pane, delete them.
  5. Right-click the Encrypted Data Recovery Agents node, click Delete Policy, and then click Yes.
  6. Right-click the Encrypted Data Recovery Agents node, and then click Initialize Empty Policy.
NOTE: Users on client workstations to which this policy is applied are no longer able to encrypt files or folders. Also, if users attempt to apply encryption attributes, they will receive the following error message:
Error Applying Attributes
An error occurred applying attributes to the file:

file name

There is no encryption recovery policy configured for this system.
To use EFS, the presence of a data recovery policy is required. A data recovery policy configured as "empty" is not treated the same as one configured as "no policy". Setting up "no policy" (deleting policy) allows for the use of the default local policy on computers, in effect permitting local administrators to control the recovery of data on their individual computers. Setting up an "empty policy" turns EFS off, so that users are unable to encrypt files on computers that fall into this category. Because policies are cumulative, enforcing an empty policy at the domain level ensures that all Windows 2000 domain clients are denied EFS capabilities.

back to the top

Article ID: 222022 - Last Review: 12/05/2015 13:21:49 - Revision: 3.1

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows 2000 Datacenter Server

  • kbnosurvey kbarchive kbhowto kbhowtomaster kbnetwork KB222022