Microsoft KB Archive/936919

From BetaArchive Wiki


Windows 2000-related entries still appear in an Encrypting File System recovery policy after you upgrade a Windows 2000 domain to Windows Server 2003

Article ID: 936919

Article Last Modified on 5/24/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



SYMPTOMS

After you upgrade a Microsoft Windows 2000 domain to Microsoft Windows Server 2003, an Encrypting File System (EFS) recovery policy that was created under Windows 2000 still contains the Windows 2000-specific entries. No user interface is available to edit these entries, so you cannot stop the outdated certificate chains from being downloaded to client computers in the domain.

CAUSE

This problem occurs if the original EFS recovery policy was defined by using the Windows 2000 Group Policy Microsoft Management Console (MMC) snap-in (gpedit.msc). In this scenario, the whole certificate chain of the recovery agent certificate is written into the EFS recovery policy, and the whole chain is copied to each client computer to which the policy applies.

When the policy is applied, the whole certificate chain, except for the root certificate, is installed in the Intermediate Certification Authorities store on each client computer. If the policy is later removed or replaced, these certificate entries are not removed from the clients. If you delete the certificate entries on a client computer, they are installed again the next time that the client refreshes Group Policy.

Note In Windows Server 2003, the Group Policy code is improved. Therefore, an EFS recovery policy no longer copies the certificate chain or the recovery certificate to the client computer's Intermediate store. Additionally, the certificate chaining code in Microsoft Windows XP is improved over that of Windows 2000: in Windows XP, the chaining code uses the best available certificate to build the certificate chain, so the chain does not have to be delivered with the policy.

WORKAROUND

To work around this problem, replace the Registry.pol file of the original EFS recovery policy with the Registry.pol file from a temporary EFS recovery policy that you create by using the Group Policy editor on a computer that is running Windows 2000 Service Pack 3 (SP3) or Windows XP. The newer editor writes only the recovery agent certificate, not the whole chain, into the policy.

To do this, follow these steps:

  1. Create a new temporary EFS recovery policy. To do this, follow these steps:
    1. Start the Active Directory Users and Computers MMC snap-in.
    2. Right-click the domain object, and then click Properties.
    3. Click the Group Policy tab, and then click New. Type a descriptive name for the Group Policy object, and then press ENTER.
    4. Click Edit.
    5. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
    6. Right-click Encrypted Data Recovery Agents, and then click Add.
    7. Follow the steps in the Add Recovery Agent Wizard to add a user.

      Note The user must have a certificate that is intended for file recovery (a certificate whose Enhanced Key Usage includes File Recovery, OID 1.3.6.1.4.1.311.10.3.4).
    8. Close the Group Policy MMC snap-in.
  2. Note the GUID that corresponds to the temporary EFS recovery policy that you created. To do this, follow these steps:
    1. In the Group Policy Object Link list, click the EFS recovery policy that you created, and then click Properties.
    2. On the General tab, note the GUID that appears next to Unique name. For example, {694C503A-F0C2-41F8-A985-5CF7677BCB75}.
    3. Click Cancel.
  3. Note the GUID that corresponds to the original EFS recovery policy. To do this, follow these steps:
    1. In the Group Policy Object Links list, click the original EFS recovery policy, and then click Properties.
    2. On the General tab, note the GUID that appears next to Unique name.
    3. Click Cancel.
  4. Click OK to exit the Example.com Properties dialog box.
  5. Connect to the SYSVOL share of the domain controller that holds the Primary Domain Controller (PDC) emulator operations master role, which is the domain controller the Group Policy editor writes to by default. To do this, click Start, click Run, type \\domainControllerName\sysvol, and then click OK.
  6. Double-click Example.com, and then double-click Policies.
  7. Copy the Registry.pol file from the EFS recovery policy that you created in step 1. To do this, follow these steps:
    1. Double-click the GUID that corresponds to the EFS recovery policy that you created. For example, double-click {694C503A-F0C2-41F8-A985-5CF7677BCB75}.
    2. Double-click Machine, right-click Registry.pol, and then click Copy.
  8. Replace the Registry.pol file in the original EFS recovery policy with the Registry.pol file that you copied in step 7. To do this, follow these steps:
    1. Click Back two times to return to the following folder:

      \\domainControllerName\SYSVOL\example.com\Policies

    2. Double-click the GUID that corresponds to the original EFS recovery policy, and then double-click Machine.
    3. Right-click Registry.pol, and then click Rename. Rename Registry.pol to Registry.pol.old.
    4. On the Edit menu, click Paste.
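
The following Python script is an added example and is not part of this article or Microsoft's tooling. It parses the Registry.pol format (a "PReg" header plus version 1, followed by UTF-16LE records of the form [key;value;type;size;data]) so that you can see which certificate Blob values under the EFS policy store a policy pushes to clients, and it performs the rename-and-copy of steps 7 and 8 with a refusal to overwrite an existing Registry.pol.old. The thumbprints, certificate bytes and the original policy's folder name in the sample are constructed, and placing the chain certificates under the Certificates subkey is an assumption; only the temporary GUID is taken from the article.

```python
"""Added example (not Microsoft's code): parse Registry.pol files and perform the
Registry.pol swap of steps 7-8.  A version-1 Registry.pol is a 'PReg' header followed
by UTF-16LE records [key;value;type;size;data].  Sample data below is constructed."""
import struct
import tempfile
from pathlib import Path

PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # signature + version 1
REG_BINARY = 3
SEP = ";".encode("utf-16-le")
EFS_STORE = "Software\\Policies\\Microsoft\\SystemCertificates\\EFS"

def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"

def build_registry_pol(entries):
    """Serialize (key, value_name, reg_type, data) tuples into Registry.pol bytes."""
    out = bytearray(PREG_HEADER)
    for key, value, rtype, data in entries:
        out += "[".encode("utf-16-le") + _utf16z(key) + SEP + _utf16z(value) + SEP
        out += struct.pack("<I", rtype) + SEP + struct.pack("<I", len(data)) + SEP
        out += data + "]".encode("utf-16-le")
    return bytes(out)

def parse_registry_pol(blob):
    """Parse Registry.pol bytes into a list of (key, value_name, reg_type, data)."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a version-1 Registry.pol file")
    def expect(pos, ch):  # consume one UTF-16LE delimiter character
        if blob[pos:pos + 2] != ch.encode("utf-16-le"):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        return pos + 2

    def read_string(pos):  # null-terminated UTF-16LE string
        end = pos
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries, pos = [], len(PREG_HEADER)
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_string(pos)
        pos = expect(pos, ";")
        value, pos = read_string(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = expect(pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries

def certificate_blobs(entries):
    """Subkeys under the EFS policy store that carry a certificate Blob value."""
    prefix = EFS_STORE.lower() + "\\"
    return {key[len(prefix):] for key, value, rtype, _ in entries
            if key.lower().startswith(prefix) and value == "Blob" and rtype == REG_BINARY}

def entries_only_in(old_blob, new_blob):
    """Certificate entries the old Registry.pol pushes that the replacement does not."""
    return sorted(certificate_blobs(parse_registry_pol(old_blob))
                  - certificate_blobs(parse_registry_pol(new_blob)))

def replace_registry_pol(policies_dir, original_guid, temp_guid):
    """Steps 7-8: back up the original Machine\\Registry.pol as .old, copy in the temporary one."""
    src = Path(policies_dir) / temp_guid / "Machine" / "Registry.pol"
    dst = Path(policies_dir) / original_guid / "Machine" / "Registry.pol"
    dropped = entries_only_in(dst.read_bytes(), src.read_bytes())
    backup = dst.with_name("Registry.pol.old")
    if backup.exists():
        raise FileExistsError("%s exists; refusing to overwrite the backup" % backup)
    dst.rename(backup)
    dst.write_bytes(src.read_bytes())
    return dropped

# Constructed sample: Windows 2000-style policy (agent cert + two chain certs) and
# XP-style replacement (agent cert only); chain placement under Certificates\ is assumed.
AGENT, INTERMEDIATE, ISSUER = "A1" * 20, "B2" * 20, "C3" * 20
FAKE_DER = b"\x30\x82\x00\x04" + b"\x00" * 4   # stands in for a DER certificate

def _cert_entry(thumbprint):
    return (EFS_STORE + "\\Certificates\\" + thumbprint, "Blob", REG_BINARY, FAKE_DER)

OLD_POL = build_registry_pol([_cert_entry(AGENT), _cert_entry(INTERMEDIATE), _cert_entry(ISSUER)])
NEW_POL = build_registry_pol([_cert_entry(AGENT)])

def demo():
    """Lay out a SYSVOL-style Policies tree in a temp dir, run the swap, return what was dropped."""
    root = Path(tempfile.mkdtemp())
    original, temp = "{original-policy-guid}", "{694C503A-F0C2-41F8-A985-5CF7677BCB75}"
    for guid, pol in ((original, OLD_POL), (temp, NEW_POL)):
        (root / guid / "Machine").mkdir(parents=True)
        (root / guid / "Machine" / "Registry.pol").write_bytes(pol)
    return replace_registry_pol(root, original, temp)
```

Against a live domain you would point replace_registry_pol at \\domainControllerName\SYSVOL\example.com\Policies with the two GUIDs noted in steps 2 and 3, and review the returned list before trusting the result. Two operational caveats that the article does not state: a real Windows 2000 policy may keep the chain entries under subkeys other than Certificates, so widen the prefix check in certificate_blobs if the diff comes back empty; and copying the file by hand does not raise the GPO version number in gpt.ini or in Active Directory, so a client that has already applied the policy will not re-read it until the version changes or you force a refresh (gpupdate /force on Windows XP, secedit /refreshpolicy machine_policy /enforce on Windows 2000).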


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

887414 How to add an EFS recovery agent in Windows XP Professional


222022 How to disable EFS for all computers in a Windows 2000-based domain


For more information about how to create a recovery policy, visit the following Microsoft Web site:

Keywords: kbtshoot kbprb KB936919