Basic EFS certificates being issued without permission/knowledge
I noticed several AD 2008 R2 users with Basic EFS certificates, and sometimes encrypted files (for some users) appear on the shared folders on the network. I checked the permissions of the Basic EFS template and they are the defaults: Authenticated Users with read only, admin users with read/enroll. Why have so many users been issued Basic EFS certificates from my internal Enterprise CA (Server Standard)? Temporarily I deleted the template, but how could users enroll without permissions? I'm sure most of the users never used the encryption screen in a file's properties to check the encrypt checkbox. Most users are regular users.
September 1st, 2011 4:03pm

Hello, your question is not related to Directory Services. Please ask in the Security forum: http://social.technet.microsoft.com/Forums/fr-FR/winserversecurity/threads This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner 2010 / 2011
September 1st, 2011 4:18pm

Probably auto-enrollment is configured. http://technet.microsoft.com/en-us/library/cc731522.aspx http://technet.microsoft.com/en-us/magazine/2006.05.howitworks.aspx Paul Bergson MVP - Directory Services http://www.pbbergs.com Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson Please no e-mails, any questions should be posted in the NewsGroup.
September 1st, 2011 7:43pm
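The two things debated in this thread can both be checked from a domain-joined client rather than by eyeballing GPO and template dialogs: whether the Auto-Enrollment policy is actually in force, and which principals hold the Enroll right on the Basic EFS template (AD object name "EFS", display name "Basic EFS"). The script below is an added example, not code from the thread or from Microsoft; it assumes LDAP access to the Configuration partition and that the registry value AEPolicy is where the "Certificate Services Client - Auto-Enrollment" setting lands (no value means Not Configured, 0x8000 means Disabled, anything else is the enabled flag set). The Certificate-Enrollment extended right GUID is the published one for AD CS.

```powershell
# Added example (not from the thread). Checks (1) the effective Auto-Enrollment policy for
# machine and user, and (2) who holds the Enroll extended right on a certificate template.
# Assumes a domain-joined client with read access to the Configuration naming context.

function Get-AutoEnrollmentPolicy {
    # The GPO setting "Certificate Services Client - Auto-Enrollment" is stored as AEPolicy.
    # No value = Not Configured, 0x8000 = Disabled, anything else = Enabled (bit flags).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
        $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        $state = if ($null -eq $val)        { 'Not configured' }
                 elseif ($val -band 0x8000) { 'Disabled' }
                 else                       { 'Enabled (flags 0x{0:X})' -f $val }
        [pscustomobject]@{ Scope = $hive; AEPolicy = $val; State = $state }
    }
}

function Get-TemplateEnrollAces {
    param([string]$TemplateName = 'EFS')   # object name of the "Basic EFS" template
    # Certificate-Enrollment extended right, as it appears in template ACEs.
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $cfgNc = ([adsi]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $dn    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $tmpl  = [adsi]"LDAP://$dn"
    # Only ACEs whose ObjectType is the Enroll right matter here; Read alone cannot enroll.
    $tmpl.ObjectSecurity.Access |
        Where-Object { $_.ObjectType -eq $enrollRight } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Get-AutoEnrollmentPolicy | Format-Table -AutoSize
Get-TemplateEnrollAces   | Format-Table -AutoSize
```

Read both tables together: "Not configured" for AEPolicy in both hives means the autoenrollment client is not running for that user, but an Enroll ACE for Domain Users (the template's shipped default, which is easy to miss when only the Authenticated Users entry is inspected) still lets every domain user request the template on demand.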

1) Auto-enroll is NOT CONFIGURED in the default domain policy, and among the other GPOs applied to the domain nothing was defined. I think "not configured" is probably disabled...
2) The Basic EFS template does not have "autoenroll", only the "enroll" security action, and ONLY Authenticated Users have ONLY READ, not enroll. It looks like everything is OK, but I'll try to reconfigure NOT CONFIGURED to DISABLED to see if it makes some difference.
September 1st, 2011 7:56pm

Hi, please check whether those are certificate-server-generated certificates or self-signed certificates. Without a CA server, users can also encrypt data using self-signed certificates: http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
September 1st, 2011 9:11pm

They are Enterprise CA certificates; I checked using the serial number and the Issued Certificates screen. Besides that, the certificates have a 1-2 year validity, and self-signed ones would have a 99-100 year validity, and that's not the case. Today I found a user who encrypted some files (directly on the file server via the share, or by copying files through the network).
September 1st, 2011 11:37pm
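What the thread never states outright is the mechanism: the first time a user sets the Encrypted attribute on a file (or copies a file into a folder that already has it) and has no EFS certificate, EFS itself requests one from an enterprise CA using the Basic EFS template, and only falls back to a 100-year self-signed certificate if no CA will issue. That request needs only the Enroll right on the template, not the autoenrollment GPO, which is why the certificates in this thread carry the CA's 1-2 year lifetime. The script below is an added triage example, not code from the thread or from Microsoft: it separates CA-issued from self-signed EFS certificates in the current user's store, pulls the CA's own record of Basic EFS issuances, and locates encrypted files on a share together with who can decrypt them. It assumes the v1 template (object name "EFS", so the CA database stores that name in its CertificateTemplate column), that certutil is run on or against the CA, and that \\fileserver\share is a placeholder path.

```powershell
# Added example (not from the thread). Triage for unexpected EFS certificates:
# (1) classify EFS certs in the user store, (2) list CA issuances from the Basic EFS
# template, (3) find encrypted files on a share and the identities able to decrypt them.
# Assumptions: v1 "Basic EFS" template (name "EFS"); certutil run on/against the CA;
# '\\fileserver\share' is a placeholder.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$TemplateExt = '1.3.6.1.4.1.311.20.2'    # v1 "Certificate Template Name" extension

function Get-EfsCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { @($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku }).Count -gt 0 } |
        ForEach-Object {
            $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExt }
            $tmplName = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
            # Self-signed EFS certs have Subject == Issuer and a ~100-year lifetime;
            # CA-issued ones carry the template-name extension and the CA's shorter lifetime.
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Years      = [math]::Round(($_.NotAfter - $_.NotBefore).TotalDays / 365.25, 1)
                Template   = $tmplName
            }
        }
}

function Get-CaEfsIssuances {
    # Every certificate the CA issued from the Basic EFS template, with who requested it.
    certutil -view -restrict "CertificateTemplate=EFS" -out "RequesterName,NotBefore,NotAfter,SerialNumber"
}

function Find-EncryptedFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            # cipher /c prints the users and certificate thumbprints that can decrypt the file.
            $who = (cipher.exe /c "$($_.FullName)") -match 'thumbprint'
            [pscustomobject]@{ File = $_.FullName; Decryptors = ($who -join '; ') }
        }
}

Get-EfsCertificateReport | Format-Table -AutoSize
Find-EncryptedFiles -Path '\\fileserver\share' | Format-Table -AutoSize
```

Cross-check the thumbprints reported by cipher /c against Get-EfsCertificateReport and the CA's RequesterName column: a match tells you which account triggered the enrollment and whether the encryption happened on the user's workstation or on the file server itself (a server encrypting on a user's behalf over SMB must be trusted for delegation, so that is worth confirming before deleting templates). Deleting the template stops new issuances but does not decrypt anything; existing certificates and files are unaffected.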
