JSI Tip 2649. How do I disable EFS for all computers in a Windows 2000 domain?

Jerold Schulman

July 26, 2000


To disable EFS in your domain:

1. Start / Programs / Administrative Tools / Active Directory Users and Computers.

2. Right-click the domain and press Properties.

3. On the Group Policy tab, select the Default Domain Policy and press the Edit button.

4. Navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents and delete any certificates that appear in the right-hand pane.

5. Right-click Encrypted Data Recovery Agents and press Delete Policy and Yes.

6. Right-click Encrypted Data Recovery Agents and press Initialize Empty Policy.

If a user on a workstation to which this policy is applied attempts to set encryption attributes, they receive:

Error Applying Attributes
An error occurred applying attributes to the file:

There is no encryption recovery policy configured for this system.

NOTE: The Empty Policy turns off EFS. Without this step, the default local policy would apply.

