Deploy EFS using GPO
Revision as of 13:57, 20 June 2016
This has been a fun ride figuring out what Windows wanted from me in order to make this happen.
Without Using a CA Server
What I really needed was a way to deploy EFS using existing servers, knowing that new ones will be brought online within the month, and creating a temporary CA in Windows Server didn't sound like a good idea. I needed to accomplish the following:
- Enable EFS
- Push EFS to all users on the domain
- Only encrypt sensitive files
- Have a way to decrypt in an emergency (should never be needed, but I get paranoid with data).
1.
- Create a DRA (Data Recovery Agent) user. This user does not need any special permissions other than being able to log in.
- Log in as the new DRA user, open a command prompt, and run the following command to create the self-signed recovery certificate.
cipher /r:<certname>
- You will be asked for a password to protect the private key. Make sure you remember it.
- Move both generated files to a secure location: the .cer (the public certificate, which is what gets imported into the GPO) and the .pfx (which holds the private key and is what you will need for an emergency decryption). Then head back to the domain controller as admin.
2.
- Open up Group Policy Manager
- Either edit the default domain policy or create a new GPO under the OU of your choice.
NOTE: The GPO applies its settings to computers, not just users, so ensure the computers that will be included for encryption are in an OU under the GPO.
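As an added example that is not part of this page, here is a PowerShell check that validates the DRA certificate before it goes into the GPO and then confirms, on a client that has received the policy, that an encrypted file actually carries that recovery agent. The file paths are placeholders, and the parsing of cipher /c output is an assumption about its text layout.

```powershell
# Added example (not from the wiki page): verify the DRA .cer before importing it into the
# GPO, then confirm on a client that encrypted files really carry that DRA.
# Assumes the .cer produced by 'cipher /r:<certname>' is at $CerPath and that $TestFile is
# under a folder you intend to encrypt. The 'cipher /c' parsing below is an assumption about
# its text layout; adjust the patterns if your build prints the sections differently.
param(
    [string]$CerPath  = 'C:\secure\dra.cer',       # placeholder path
    [string]$TestFile = 'C:\Sensitive\test.txt'    # placeholder path
)

# 1. Inspect the DRA certificate: it must carry the File Recovery EKU (1.3.6.1.4.1.311.10.3.4.1),
#    not just the ordinary EFS EKU, or Group Policy will not accept it as a recovery agent.
$dra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$eku = $dra.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage extension
$hasRecoveryEku = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4.1' })
if (-not $hasRecoveryEku) { throw "$CerPath lacks the File Recovery EKU; it was not produced by cipher /r" }
if ($dra.NotAfter -lt (Get-Date).AddYears(1)) { Write-Warning "DRA cert expires $($dra.NotAfter); plan rotation" }
$draThumb = $dra.Thumbprint.ToUpperInvariant()
Write-Host "DRA certificate OK: $($dra.Subject) thumbprint $draThumb"

# 2. On a client after 'gpupdate /force': encrypt the test file if needed, then ask cipher
#    which recovery certificates are attached to it.
$fileAttr = (Get-Item $TestFile).Attributes
if (-not ($fileAttr -band [IO.FileAttributes]::Encrypted)) { & cipher.exe /e $TestFile | Out-Null }

$out = & cipher.exe /c $TestFile
$inRecovery = $false
$recoveryThumbs = foreach ($line in $out) {
    # Thumbprints are printed with spaces between hex pairs; strip them for comparison.
    if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
    if ($inRecovery -and $line -match 'thumbprint:\s*(.+)$') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}

if ($recoveryThumbs -contains $draThumb) {
    Write-Host "PASS: $TestFile can be recovered with DRA $draThumb"
} else {
    Write-Warning "FAIL: DRA $draThumb is not attached to $TestFile. Seen: $($recoveryThumbs -join ', ')"
    Write-Warning "Check that the computer is in an OU under the GPO and re-run 'gpupdate /force'."
    # Files encrypted before the policy reached the client keep their old recovery field
    # until 'cipher /u' touches them; run it once after the DRA has been deployed.
}
```

Run the first part on the admin workstation holding the .cer, and the whole script on a domain-joined client after the policy has applied.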
https://www.youtube.com/watch?v=vUCf4SPDqCQ
https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx
https://technet.microsoft.com/en-us/magazine/2007.03.securitywatch.aspx
https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/
https://support.microsoft.com/en-us/kb/937536
https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html