JSI Tip 2649. How do I disable EFS for all computers in a Windows 2000 domain?

To disable EFS in your domain:

1. Start / Programs / Administrative Tools / Active Directory Users and Computers.

2. Right-click the domain and press Properties.

3. On the Group Policy tab, select the Default Domain Policy and press the Edit button.

4. Navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents and delete any certificates that appear in the right-hand pane.

5. Right-click Encrypted Data Recovery Agents and press Delete Policy and Yes.

6. Right-click Encrypted Data Recovery Agents and press Initialize Empty Policy.

If a user on a workstation to which this policy is applied attempts to set encryption attributes, they receive:

Error Applying Attributes
An error occurred applying attributes to the file:

<file name>

There is no encryption recovery policy configured for this system.

NOTE: The Empty Policy initialized in step 6 is what turns off EFS. Without this step, the default local policy would apply.

TAGS: Security