

DOWNLOAD: Disable EFS on Windows 2000 and Windows XP Pro clients

By Bill Detwiler, Editor
Microsoft's Encrypting File System (EFS) is designed to be easy to use, even transparent to the end user. Unfortunately, this ease of use also makes it possible for users to encrypt files and folders they shouldn't.

This two-page Task Sheet tells you how to disable EFS on Windows 2000 and Windows XP Pro using Group Policy or by hacking the registry.

Files stored on laptops are often a good candidate for EFS protection. Does your organization use EFS and have you experienced any problems?

This conversation is currently closed to new comments.


All Comments


I had some really bad luck with EFS

by scott In reply to DOWNLOAD: Disable EFS on ...

The first problem with EFS came when I was hired to review some CAD drawings for a part number inventory. I ran out of time during the day so decided to experiment setting up an Offline Folder so I could review the drawings at home. My win2000ProSP1 machine went through the process of copying the network folder locally. Then before I left, I decided that I had better encrypt the folder on my hard drive in case my laptop was stolen. My machine finished encrypting the folder on my hard drive, then I went home. I got a panicked call about 8:30 the next morning. Apparently no one in the office could read any of the files that I had copied to my hard drive; they were all encrypted on the server!
I rushed into their office, and the very first thing I did before connecting to the network was to copy all the files in my local offline folder to my local Win32 partition to remove the encryption. ALWAYS BACKUP AT THE FIRST POINT OF FAILURE! Good thing, because when I reconnected to the network and tried to remove the encryption from the files, all I got was permission errors. My computer did what looked like some synching, and then even I couldn't read either my own offline folder or the network folder's files!
I recovered from the situation only by deleting my offline folder, and then copying the files on my win32 partition back to the server. If I had not removed the encryption before I reconnected to the network, then all would have been lost. Some very major Windows bug here, I think!
I lost some files another time when I enabled some UDMA66 service on my UDMA33 computer and my hard drive went flaky. I reinstalled the OS to recover and lost the ability to access all the encrypted files because I didn't back up the unencryption key first.
I have never used EFS again!


Logging in as the user in question

by jsorensen In reply to DOWNLOAD: Disable EFS on ...

EFS isn't the most secure solution. Say an employee quit and has encrypted files on their computer. An administrator can simply reset his/her password and log in with their credentials to decrypt the files.

If you really wanted better security, you should use something like PGP.


It's too good for me..

by stepmonster In reply to Logging in as the user in ...

I have encrypted files that I cannot access. I cannot change the e attribute. I cannot rename or send or copy these files. Nothing. I'm on an xp pro with sp1 on a domain. The group policy states I cannot change my password back to an old password for 24 instances, nor can I change my password more than once every 48 hours. So therefore, I cannot get to my files for 48 days. The group policy is set in stone, as is the domain. Also the sp1 cannot be changed to sp2. I attempted a boot to win2k cd and can get to the files, but cannot remove the e attribute nor copy the files to a: or anything. Any ideas?



by Balbir In reply to It's too good for me..

Make sure someone else is appointed as a Data Recovery Agent in the company.
