Disabling EFS for a Specific Set of Computers

A particular computer must have at least one valid recovery agent certificate to enable EFS. EFS does not allow encryption of data if no recovery agent certificate is specified by recovery agent policy. Therefore, you can disable EFS by setting either no recovery policy (where the policy is removed from the computer) or an empty recovery policy (where the policy remains, but the recovery agent certificates are deleted). These are applied as follows:

  • Both no policy and empty policy disable EFS on a stand-alone computer.

  • Both no policy and empty policy are ineffective in disabling EFS on the local computer in a domain if there is a policy at a higher level, such as a domain or organizational unit.

  • Applying no policy at a higher level disables EFS at that level only. The lower-level computers use their own local policies.

  • Applying empty policy at a higher level disables EFS at that level and all lower levels.

To set no recovery policy

  1. On a stand-alone computer, open the MMC and add the Group Policy snap-in for the local computer.

  2. In the Group Policy console, right-click Encrypted Data Recovery Agents, and then click Delete Policy.

  3. Answer Yes when the system prompts you with the question Are you sure...? The details pane of the window displays the message "There is no policy defined."

If a domain administrator wants to disable EFS for all the computers in a domain or an organizational unit, the best way is to set an empty recovery policy. This is because the effective policy is an accumulation of Group Policy objects that are defined at various levels in the directory tree. The absence of a recovery policy at the domain or organizational unit level allows policies at a lower level to take effect. However, an empty recovery policy at these higher levels disables EFS by providing no effective recovery certificates and blocking the individual computers from using lower-level policies.
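The precedence rules in the bulleted list above and in this paragraph can be expressed as a small model. The following is an added illustration, not code from the original documentation; it assumes that the highest level defining a recovery policy (no policy is "undefined", an empty policy is "defined with no certificates") is the one that takes effect, and the certificate thumbprints it uses are constructed placeholders.

```python
# Added model of the EFS recovery-policy precedence rules described on this
# page (not code from the original documentation). Policy levels are listed
# from highest (domain) to lowest (local computer). A level's policy is
# None (no policy), [] (empty policy) or a list of recovery agent
# certificate thumbprints. Thumbprint values below are constructed.

NO_POLICY = None
EMPTY_POLICY = []


def effective_recovery_agents(levels):
    """Return the recovery agent certificates that apply to a computer.

    `levels` is an ordered list of (name, policy) pairs, highest level first.
    Assumption drawn from the page: the highest level that defines a policy
    wins, so an empty policy at the domain or OU blocks every lower level,
    while no policy at a level lets the next lower level's policy apply.
    """
    for _name, policy in levels:
        if policy is not None:
            return list(policy)
    return []  # no level defines a policy at all


def efs_enabled(levels):
    """EFS can encrypt only if at least one recovery agent certificate applies."""
    return len(effective_recovery_agents(levels)) > 0


if __name__ == "__main__":
    local_cert = ["THUMBPRINT-LOCAL-ADMIN"]   # constructed placeholder
    domain_cert = ["THUMBPRINT-DOMAIN-DRA"]   # constructed placeholder
    # Stand-alone computer: no policy and empty policy both disable EFS.
    print(efs_enabled([("local", NO_POLICY)]), efs_enabled([("local", EMPTY_POLICY)]))
    # Domain member: a local no/empty policy is ineffective when the domain defines one.
    print(efs_enabled([("domain", domain_cert), ("local", EMPTY_POLICY)]))
    # No policy at the domain lets the local policy apply; an empty policy blocks it.
    print(efs_enabled([("domain", NO_POLICY), ("local", local_cert)]))
    print(efs_enabled([("domain", EMPTY_POLICY), ("local", local_cert)]))
```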

To set an empty policy at the domain or organizational unit level

  1. Log on as Administrator of the initial domain controller created in the domain and display the certificate listings in the details pane of the window.

  2. Right-click Administrator and any other certificate that might be listed in the details pane, and then click Delete.

  3. Answer Yes to the question Permanently delete the selected certificate?

To re-enable EFS on the local computer

  1. Restore the recovery policy by right-clicking Encrypted Data Recovery Agents and then clicking Initialize Empty Policy.

  2. After you have an empty policy, to re-enable EFS, you must add a policy by right-clicking Encrypted Data Recovery Agents and clicking Add. This starts the Add Recovery Agent wizard. The Add Recovery Agent wizard accepts a recovery agent certificate file only if it has a .cer extension.

To re-enable EFS on the domain or organizational unit

  • Add one or more valid recovery agent certificates to EFS recovery policy by following the procedure in "Designate Assigning Recovery Agent Accounts" earlier in this chapter.