EFS questions - service account and limit scope

I have a user who wants to pull photos from an encrypted folder as part of an Oracle (Hyperion) process. We have a 2003 domain with 2008 servers (except the DC(s), of course). If I want to be able to encrypt a folder I need to create a couple of recovery agents,
and ideally have a CA with the EFS template defined.
Is it possible to limit the scope of EFS? I want to encrypt a single folder, not enable EFS domain-wide.

May 31st, 2012 11:48am
Hello,
EFS is enabled on the folder or file; this is not a domain setting, it belongs to the machine where the folder is located. And if you enable the recovery agent at domain level, which is always recommended if EFS is used, then this is domain-wide
and not possible for only one folder.
If that is a single user only and a single machine, you may think about, together with the user, having only local EFS enabled and making sure to get the certificate as a backup. But the domain option is the better way to be sure about recovery options.
For more details about EFS see

http://technet.microsoft.com/en-us/library/bb457116.aspx


http://technet.microsoft.com/en-us/library/cc875821.aspx

For EFS in detail please ask in

http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog:
http://msmvps.com/blogs/mweber/


Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

June 1st, 2012 2:12am
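The reply makes three points that are easy to verify on the server itself: EFS is a per-file attribute, each encrypted file carries its own list of user and recovery certificates, and the user's EFS certificate must be backed up. The following PowerShell script is an added example, not code from the thread or from Microsoft. It walks one folder, reports which files carry the Encrypted attribute, parses `cipher /c` to show which users and recovery agents can decrypt each one, lists the current user's EFS certificates with days to expiry, and backs that certificate up with `cipher /x`. The folder and backup paths are placeholders, and the parser assumes the English `cipher /c` section headings "Users who can decrypt:" and "Recovery Certificates:".

```powershell
# Added example: audit the EFS state of one folder and back up the current user's EFS certificate.
# Needs Windows Vista / Server 2008 or later (cipher /c and /x) and PowerShell 2.0 or later.
param(
    [string]$Folder    = 'D:\Hyperion\Photos',              # placeholder folder (assumption)
    [string]$BackupPfx = "$env:USERPROFILE\efs-backup"      # placeholder; cipher writes <name>.PFX
)

# 1. Which files are actually encrypted? EFS is a per-file attribute, not a domain setting.
function Get-EfsFiles {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

# 2. Who can decrypt a file? cipher /c prints the user certificates and the recovery certificates
#    embedded in the file's $EFS stream. Section headings assumed to be the English ones.
function Get-EfsDecryptors {
    param([string]$File)
    $out = & cipher.exe /c "$File" 2>&1
    $section = ''; $users = @(); $recovery = @()
    foreach ($line in $out) {
        $t = "$line".Trim()
        if ($t -eq '') { continue }
        if ($t -like 'Users who can decrypt*')   { $section = 'users';    continue }
        if ($t -like 'Recovery Certificates*')   { $section = 'recovery'; continue }
        if ($t -like 'No recovery certificate*') { $section = '';         continue }
        if ($t -like 'Key Information*')         { $section = '';         continue }
        if ($t -like 'Certificate thumbprint*')  { continue }   # thumbprint follows each name
        switch ($section) {
            'users'    { $users    += $t }
            'recovery' { $recovery += $t }
        }
    }
    New-Object PSObject -Property @{ File = $File; Users = $users; RecoveryAgents = $recovery }
}

# 3. Is the current user's EFS certificate still valid? EFS EKU OID is 1.3.6.1.4.1.311.10.3.4.
function Get-EfsCertificates {
    param([string]$Store = 'Cert:\CurrentUser\My')
    Get-ChildItem $Store | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.4.1.311.10.3.4')
    } | Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

# 4. Back up certificate and private key to a password-protected PFX. cipher /x prompts for the
#    password. Without this backup, a lost profile means the data is recoverable only through a DRA.
function Backup-EfsCertificate {
    param([string]$PfxBaseName)
    & cipher.exe /x "$PfxBaseName"
}

$encrypted = @(Get-EfsFiles -Path $Folder)
"Encrypted files under ${Folder}: $($encrypted.Count)"
foreach ($f in $encrypted) {
    $d = Get-EfsDecryptors -File $f.FullName
    "{0}`n  users: {1}`n  recovery agents: {2}" -f $d.File, ($d.Users -join '; '), ($d.RecoveryAgents -join '; ')
    if ($d.RecoveryAgents.Count -eq 0) {
        "  WARNING: no recovery agent on this file; losing the user's key makes it unrecoverable"
    }
}
"EFS certificates of ${env:USERNAME}:"
Get-EfsCertificates | Format-Table -AutoSize
# Backup-EfsCertificate -PfxBaseName $BackupPfx   # uncomment to run; prompts for a PFX password
```

Run it as the user who owns the encrypted files, because `cipher /x` without a file argument exports that user's own EFS certificate, and `Cert:\CurrentUser\My` is that user's store. A file whose "recovery agents" list is empty was encrypted while no valid recovery policy was in force, which is exactly the state a later domain-wide DRA does not fix retroactively: such files are only re-stamped with the new DRA when they are next touched by `cipher /u`.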
My concern is that once we put recovery agents in place, anyone can encrypt a folder. Right now, because our recovery agent has expired, the encryption process fails before it starts.
It feels like VSS. Once it's working, anyone with modify rights can utilize it, as a service per se. I only need to encrypt specific folders, not enable a domain-wide service.
Does that make sense?

June 1st, 2012 8:11am
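Whether EFS is usable is decided per machine and per folder, not by the presence of a recovery agent, so the scope the poster is after can be set on the servers themselves. The following PowerShell script is an added example, not code from the thread or from Microsoft. It shows the two controls that apply: the machine-wide `EfsConfiguration` registry value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS` (1 disables EFS for every user on that machine), and a `desktop.ini` containing `[Encryption]` / `Disable=1`, which makes EFS refuse to encrypt anything inside that folder. It then probes each folder by trying to encrypt a scratch file, so the effect can be checked. Folder names are placeholders; the claim that the Group Policy EFS properties on Server 2008 override a hand-set registry value, and that a restart may be needed after changing it, are assumptions to verify on your build.

```powershell
# Added example: keep EFS usable in one folder on this server and refuse it elsewhere. Run elevated.
param(
    [string]$AllowedFolder    = 'D:\Hyperion\Photos',                       # placeholder
    [string[]]$BlockedFolders = @('D:\Shares\Public', 'D:\Shares\Finance')  # placeholders
)

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# (a) Machine scope. EfsConfiguration = 1 disables EFS for every user on this computer; 0 or absent
#     allows it. Documented for 2000/XP/2003; on 2008 the Group Policy EFS properties dialog is the
#     managed equivalent and is assumed to win over a hand-set value (verify on your build).
function Set-EfsEnabledOnThisMachine {
    param([bool]$Enabled)
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    $value = if ($Enabled) { 0 } else { 1 }
    Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value $value -Type DWord
    # A restart may be required before the new value is honoured (assumption).
}

# (b) Folder scope. A desktop.ini carrying [Encryption] Disable=1 makes EFS refuse to encrypt
#     files in that folder. Existing desktop.ini content is kept; the section is appended once.
function Block-EfsInFolder {
    param([string]$Folder)
    $ini = Join-Path $Folder 'desktop.ini'
    if ((Test-Path $ini) -and (Select-String -Path $ini -Pattern '^\[Encryption\]' -Quiet)) { return }
    Add-Content -Path $ini -Value "[Encryption]`r`nDisable=1" -Encoding Ascii
    $item = Get-Item $ini -Force
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
}

# Probe: try to encrypt a scratch file. Returns $true when EFS works here for the current user.
# Failure reasons include the desktop.ini block, EfsConfiguration = 1, or a recovery policy whose
# DRA certificate has expired (the "invalid recovery certificate" error the poster describes).
function Test-EfsEncryptsHere {
    param([string]$Folder)
    $probe = Join-Path $Folder ('efs-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value 'probe'
        [System.IO.File]::Encrypt($probe)
        return [bool]((Get-Item $probe -Force).Attributes -band [IO.FileAttributes]::Encrypted)
    } catch {
        Write-Verbose "EFS refused in ${Folder}: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

Set-EfsEnabledOnThisMachine -Enabled $true            # this server hosts the one encrypted folder
foreach ($f in $BlockedFolders) { if (Test-Path $f) { Block-EfsInFolder -Folder $f } }

"{0,-40} EFS usable: {1}" -f $AllowedFolder, (Test-EfsEncryptsHere -Folder $AllowedFolder)
foreach ($f in $BlockedFolders) {
    if (Test-Path $f) { "{0,-40} EFS usable: {1}" -f $f, (Test-EfsEncryptsHere -Folder $f) }
}
# On servers that should never hold EFS data, run instead:
#   Set-EfsEnabledOnThisMachine -Enabled $false
```

Inside the allowed folder, who can encrypt is a matter of NTFS permissions rather than EFS policy: a user needs write access to a file to encrypt it, so restricting the folder's ACL to the Hyperion service account and the people who maintain it is what keeps "anyone with modify rights" from using EFS there. The probe is also a quick way to confirm the poster's observation that an expired recovery agent certificate makes every encryption attempt fail before it starts.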
Hello,
It seems that you didn't configure the recovery agent correctly; this should NOT be each user, this is a dedicated account that is used by trusted persons with the required permissions.
Please use the mentioned security forum about the correct configuration for EFS.

Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog:
http://msmvps.com/blogs/mweber/


Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

June 2nd, 2012 9:06am

This topic is archived. No further replies will be accepted.