Question


How to tell which domain users are using EFS?

By CharlieSpencer
We're moving our Active Directory domain object from our division's forest to the corporate forest. The Active Directory Migration Tool is emphatic: files encrypted with EFS must be decrypted before moving the owner's user account to the new domain. Otherwise the user account in the new domain / forest will be unable to open files encrypted by the old user account.

Does anyone know a way to determine which domain users are using EFS, either to encrypt locally stored files or files on a network resource?



All Answers


Disable it for the domain and listen for the screams?

by robo_dev In reply to How to tell which domain ...

http://support.microsoft.com/kb/222022
http://www.petri.co.il/disable_efs_in_windows_xp_2003.htm

I know that it's possible to disable EFS for the domain via group policy (see above). But I am not sure what that does to any EFS encrypted files or folders.

I would guess that if you tried to push the policy, it would disable EFS and therefore unencrypt the EFS data. On the other hand, this would be a HUGE security vulnerability for any EFS encrypted data, if you can just hit it with policy and it opens up.

Since EFS is enabled by default, perhaps you could find who is doing it by searching for the EFS certificate on the local PC or finding this in the local PC registry? I am pretty sure the PC has no EFS certificate if the user is not using EFS.

The manual way to do this is to run certmgr.msc and look for personal certs:
http://windows.microsoft.com/en-US/windows-vista/Back-up-Encrypting-File-System-EFS-certificate


Response To Answer

by CharlieSpencer In reply to Disable it for the domain ...

Yeah, we're toying with that method. I favor preceding it with an 'Are you using encryption?' e-mail. Others think that will just bring EFS to the attention of the majority who aren't aware of or using it, and then they'll all want to.


Response To Answer

by CharlieSpencer In reply to Disable it for the domain ...

A quick test with a local policy shows that if you disable EFS, the owner CANNOT open the file. I wouldn't have to listen to the screams for long; you can't hear them from the unemployment line. Fortunately, re-enabling it lets the user back into the file. Again, this test was done on one machine with my toggling the LOCAL policy; I strongly discourage others from trying this on a DOMAIN GROUP policy.


How about just run a script to collect EFS certificates?

by robo_dev In reply to How to tell which domain ...

No cert = no EFS

If you send an email, I would mention that EFS causes more problems than it solves, and since it has some well-known security vulnerabilities, you want to make sure that people are not relying on it for mission-critical data.
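An added example of the collection script suggested above (not code from the thread): run under each user's own account, for instance from a logon script, it records any certificate in the user's personal store that carries the "Encrypting File System" EKU and, because the certificate alone is not conclusive, also counts files that actually carry the NTFS Encrypted attribute under the given roots. The report share `\\FILESERVER\efs-inventory$` is a hypothetical placeholder, `$ScanRoots` may include UNC paths to cover files on network resources, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original thread: inventory EFS use for the current user.
# Run as the user whose store should be inspected; Cert:\CurrentUser is per-user.
param(
    [string]$ReportShare = '\\FILESERVER\efs-inventory$',   # hypothetical placeholder share
    [string[]]$ScanRoots = @("$env:USERPROFILE")             # add UNC paths to scan shares
)

# Enhanced Key Usage OID that EFS certificates carry (Microsoft "Encrypting File System").
$efsEku = '1.3.6.1.4.1.311.10.3.4'

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsEku) { return $true }
            }
        }
    }
    return $false
}

# 1. EFS-capable certificates in the user's personal store (what certmgr.msc shows).
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })

# 2. Files that really are encrypted: the NTFS Encrypted attribute is set on them.
$encryptedFiles = @(foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object -ExpandProperty FullName
})

$report = [pscustomobject]@{
    User           = "$env:USERDOMAIN\$env:USERNAME"
    Computer       = $env:COMPUTERNAME
    EfsCertCount   = $efsCerts.Count
    EfsThumbprints = ($efsCerts | ForEach-Object Thumbprint) -join ';'
    EncryptedFiles = $encryptedFiles.Count
    SampleFiles    = ($encryptedFiles | Select-Object -First 5) -join ';'
    Collected      = Get-Date -Format s
}

$report | Format-List
# One CSV row per user and computer; the rows from the share aggregate into the domain-wide list.
$csvName = "$env:COMPUTERNAME-$env:USERNAME.csv"
$report | Export-Csv -Path (Join-Path $ReportShare $csvName) -NoTypeInformation
```

Users whose row shows encrypted files are the ones who must decrypt before their account is migrated; the built-in `cipher /u /n` gives a quick local-drive listing of encrypted files if you only need that part.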


Response To Answer

by CharlieSpencer In reply to How about just run a scri ...

I suggested that, but a co-worker maintained that an EFS certificate exists by default in XP. I've never looked into EFS, but I'll dig some and see if he's wrong.

Thanks.
