JSI Tip 2648. How do I disable EFS on a stand-alone Windows 2000 computer?

Jerold Schulman

July 26, 2000


If you wish to disable EFS on a computer that is not a member of a Windows 2000 domain:

01. Log on using the built-in Administrator account.

02. Start / Run / secpol.msc / OK.

03. Press the plus sign (+) next to Public Key Policies and press Encrypted Data Recovery Agents.

04. Right-click the file recovery certificate that is issued to Administrator and press All tasks / export.

05. Press Next.

06. Select No, do not export the private key and press Next.

07. Select the DER Encoded Binary X.509 (.CER) option and press Next.

08. Enter a filename when prompted and press Next.

09. Verify the options that you select and press Finish.

10. Press OK when the "export was successful" dialog is displayed.

11. Start / Run / secpol.msc / OK.

12. Press the plus sign (+) next to Public Key Policies and press Encrypted Data Recovery Agents.

13. Right-click the file recovery certificate that is issued to Administrator and press Delete.

14. When prompted to Permanently delete the selected certificate, press Yes.

15. Close the MMC and restart your computer.

If you wish to enable EFS after performing the above 15 steps:

01. Log on using the built-in Administrator account.

02. Start / Run / secpol.msc / OK.

03. Press the plus sign (+) next to Public Key Policies.

04. Right-click Encrypted Data Recovery Agents and press Add.

05. Press Next and Browse Folders.

06. Open the certificate that you exported in step 08 above. Don't worry that the user is USER_UNKNOWN.

07. Press Next and Finish.

08. Press OK at the "The certificate cannot be validated" message and press OK.
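
Re-enabling EFS depends on the file exported in steps 04 to 10 of the first procedure, and step 13 deletes the only other copy in the policy, so the export is worth checking before the certificate is deleted. The Python below is an added example, not part of the original tip: it confirms the file is DER rather than Base64, is certificate-shaped rather than a PKCS#12 container, and contains the File Recovery usage OID. It assumes the recovery certificate carries that OID; `SAMPLE`, `tlv` and the other names are constructed for illustration.

```python
# Added example. SAMPLE is a constructed DER skeleton, not a real certificate.
# DER content bytes of 1.3.6.1.4.1.311.10.3.4.1, Microsoft's "File Recovery" EKU.
EFS_RECOVERY_DER = bytes.fromhex("2b0601040182370a030401")

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def collect_oids(buf, pos, end):
    """Collect raw OID bytes, descending into constructed types and OCTET STRINGs."""
    found = set()
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag == 0x06:
            found.add(bytes(buf[vs:ve]))
        elif tag & 0x20 or tag == 0x04:  # extension values sit in an OCTET STRING
            try:
                found |= collect_oids(buf, vs, ve)
            except ValueError:
                if tag & 0x20:
                    raise  # broken container; a raw OCTET STRING is just skipped
        pos = ve
    return found

def check_export(data):
    """Classify the bytes of the .CER file written in steps 04 to 10."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "base64, not the DER option from step 07"
    try:
        tag, vs, ve = read_tlv(data, 0, len(data))
        if tag != 0x30 or ve != len(data) or data[vs:vs + 1] != b"\x30":
            return "not a DER X.509 certificate"  # e.g. PKCS#12 starts with INTEGER
        oids = collect_oids(data, vs, ve)
    except ValueError:
        return "malformed DER"
    return "ok" if EFS_RECOVERY_DER in oids else "no File Recovery EKU"

def tlv(tag, body):  # builds short-form DER for the constructed sample only
    return bytes([tag, len(body)]) + body

EKU = tlv(0x30, tlv(0x06, EFS_RECOVERY_DER))
EXT = tlv(0x30, tlv(0x06, bytes.fromhex("551d25")) + tlv(0x04, EKU))
SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, EXT))))
```

To check a real export, pass the file's bytes, for example `check_export(open(path, "rb").read())`, where `path` is the filename entered in step 08.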

