EFS activation

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

hi all!

I have some laptop's and I want to activate EFS on all.
I can do this from Group Policy without physical access?

This laptops access network occasionally, when I need to install software or
....errors.
I create GP rules for security, software restriction policy ...and it's
successfully aplied.

I don't want to create an Certificates server, only domain administrator is
RA.


10x
Cezar

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

oh...sorry...I forget it....laptops are Xp with SP2...and servers w2k3 with
sp1, active directory, dhcp...all works fine
--
Multumesc
Cezar


"Cezar" wrote:

> hi all!
>
> I have some laptop's and I want to activate EFS on all.
> I can do this from Group Policy without physical access?
>
> This laptops access network occasionally, when I need to install software or
> ...errors.
> I create GP rules for security, software restriction policy ...and it's
> successfully aplied.
>
> I don't want to create an Certificates server, only domain administrator is
> RA.
>
>
> 10x
> Cezar

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

This should help you out plan your EFS deployment.

Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

--
Mike
Microsoft MVP - Windows Security

"Cezar" <Cezar@discussions.microsoft.com> wrote in message
news6202894-BC82-4E9D-AF7A-EEE433880236@microsoft.com...
> hi all!
>
> I have some laptop's and I want to activate EFS on all.
> I can do this from Group Policy without physical access?
>
> This laptops access network occasionally, when I need to install software
> or
> ...errors.
> I create GP rules for security, software restriction policy ...and it's
> successfully aplied.
>
> I don't want to create an Certificates server, only domain administrator
> is
> RA.
>
>
> 10x
> Cezar

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

By default they should all ready be able to use EFS unless you restricted it
with Group Policy or a registry mod on those computers. XP Pro computer do
not require a RA. Be very careful with EFS and be sure to follow best
practices. If the users are already using it and have no RA then their
currently encrypted files will stay without a CA until they open them after
a point in time when new Group Policy is in effect that dictates the RA.
Also keep in mind as long as the users EFS private key is on their computer
their EFS is only as strong as their user password. The first link below
shows how EFS is disabled and enabled for EFS in XP Pro. I would also
encourage users to backup their EFS private key and to keep it separate from
their computer. --- Steve

http://www.petri.co.il/disable_efs_in_windows_xp_2003.htm
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
best practices

"Cezar" <Cezar@discussions.microsoft.com> wrote in message
news6202894-BC82-4E9D-AF7A-EEE433880236@microsoft.com...
> hi all!
>
> I have some laptop's and I want to activate EFS on all.
> I can do this from Group Policy without physical access?
>
> This laptops access network occasionally, when I need to install software
> or
> ...errors.
> I create GP rules for security, software restriction policy ...and it's
> successfully aplied.
>
> I don't want to create an Certificates server, only domain administrator
> is
> RA.
>
>
> 10x
> Cezar

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

10x Miha, 10x Steven...

I understand the information from this links but...still I have some
problem...

How I enable folder encryption ( ex. \My documents) on all laptops without
access on them... from... Group Policy?
Maybe with scripts or use chiper utility?

--
Multumesc
Cezar


"Cezar" wrote:

> hi all!
>
> I have some laptop's and I want to activate EFS on all.
> I can do this from Group Policy without physical access?
>
> This laptops access network occasionally, when I need to install software or
> ...errors.
> I create GP rules for security, software restriction policy ...and it's
> successfully aplied.
>
> I don't want to create an Certificates server, only domain administrator is
> RA.
>
>
> 10x
> Cezar

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You could use cipher utility (in e.g. logon script).

--
Mike
Microsoft MVP - Windows Security

"Cezar" <Cezar@discussions.microsoft.com> wrote in message
news:13DC553D-FB7F-4B7C-B471-A80673AB93A2@microsoft.com...
> 10x Miha, 10x Steven...
>
> I understand the information from this links but...still I have some
> problem...
>
> How I enable folder encryption ( ex. \My documents) on all laptops without
> access on them... from... Group Policy?
> Maybe with scripts or use chiper utility?
>
> --
> Multumesc
> Cezar
>
>
> "Cezar" wrote:
>
>> hi all!
>>
>> I have some laptop's and I want to activate EFS on all.
>> I can do this from Group Policy without physical access?
>>
>> This laptops access network occasionally, when I need to install software
>> or
>> ...errors.
>> I create GP rules for security, software restriction policy ...and it's
>> successfully aplied.
>>
>> I don't want to create an Certificates server, only domain administrator
>> is
>> RA.
>>
>>
>> 10x
>> Cezar