Author Tue W2K Professional Question of the Day
wbafrank

2002-07-16, 4:27 pm

And today's poser is ....

Q13. You would like to disable the use of Encrypting File System (EFS) on all of the Windows 2000 Professional computers on your corporate LAN. To do so, you delete the default recovery agent (the Administrator account) that is associated with the Default Domain Policy GPO. After performing this action, you test it and verify that users are unable to encrypt files and folders on their workstations. However, later you discover that some users are indeed encrypting files. What should you do to ensure that no users can perform encryption on any files on their computers in the future?

A. Remove all user accounts from the Power Users group. Run the cipher utility on all of the client computers using the "d" and "s" switches.

B. Delete the Default Domain Policy GPO.

C. Reinstate the Administrator as the default recovery agent for the Default Domain Policy GPO. Remove the Administrator as the default recovery agent for the Local GPO on all of the Windows 2000 Professional machines.

D. At the Encrypted Data Recovery Agents node in the Default Domain Policy GPO, click Delete Policy and then click Initialize Empty Policy.

E. Set the Default Domain Policy GPO to Block Inheritance.

Good Luck .... see you tomorrow for the answer!!
denis_baribeau

2002-07-17, 6:25 am

This would be

D. At the Encrypted Data Recovery Agents node in the Default Domain Policy GPO, click Delete Policy and then click Initialize Empty Policy.
Samba

2002-07-17, 11:41 am

My choice is "D"

robertmillar

2002-07-17, 11:51 am

D
NetChild1985

2002-07-17, 12:31 pm

"D" is correct!
Deja-vue

2002-07-17, 1:31 pm

D it is.
jsrockford

2002-07-17, 1:53 pm

"D"itto!
wbafrank

2002-07-17, 4:57 pm

quote:
Originally posted by wbafrank
And today's poser is ....

Q13. You would like to disable the use of Encrypting File System (EFS) on all of the Windows 2000 Professional computers on your corporate LAN. To do so, you delete the default recovery agent (the Administrator account) that is associated with the Default Domain Policy GPO. After performing this action, you test it and verify that users are unable to encrypt files and folders on their workstations. However, later you discover that some users are indeed encrypting files. What should you do to ensure that no users can perform encryption on any files on their computers in the future?

A. Remove all user accounts from the Power Users group. Run the cipher utility on all of the client computers using the "d" and "s" switches.
B. Delete the Default Domain Policy GPO.
C. Reinstate the Administrator as the default recovery agent for the Default Domain Policy GPO. Remove the Administrator as the default recovery agent for the Local GPO on all of the Windows 2000 Professional machines.
D. At the Encrypted Data Recovery Agents node in the Default Domain Policy GPO, click Delete Policy and then click Initialize Empty Policy.
E. Set the Default Domain Policy GPO to Block Inheritance.



And the answer is ....

Correct Answer: D

By removing the default recovery agent from the Default Domain Policy GPO, you have created a data recovery policy of "no policy" rather than an "empty" policy. Setting up "no policy" (deleting policy) allows for the use of the default local policy on computers, in effect permitting local administrators to control the recovery of data on their individual computers. Setting up an "empty policy" turns EFS off, so that users are unable to encrypt files on computers that fall into this category. Because policies are cumulative, enforcing an empty policy at the domain level ensures that all Windows 2000 domain clients are denied EFS capabilities.

To disable EFS throughout a Windows 2000-based domain, modify the "Default Domain Policy" group policy object:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. View the appropriate node for your domain, right-click this node, and then click Properties.
3. Click the Group Policy tab, click the Default Domain Policy GPO, and then click Edit. Note that you do not need to use the Default Domain Policy; you can use a new GPO such as Disable EFS to accomplish the same task.
4. In the Group Policy Editor Snap-In, view the following node:

Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents

NOTE: If any certificates exist in the right side pane, delete them.

5. Right-click the Encrypted Data Recovery Agents node, click Delete Policy, and then click Yes.
6. Right-click the Encrypted Data Recovery Agents node, and then click Initialize Empty Policy.
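
A per-workstation check for the outcome the explanation above describes (an added example, not part of the original post): it asks EFS to encrypt a throwaway file and reports whether the attempt took effect. The probe file name, the use of %TEMP% (assumed to be on an NTFS volume) and the assumed "E "/"U " prefix in the cipher listing are assumptions of this example.

```batch
@echo off
rem Added example: verifies on this workstation that EFS refuses to encrypt.
rem Run it as an ordinary user after the domain policy has refreshed.
rem On Windows 2000 a refresh can be requested with:
rem     secedit /refreshpolicy machine_policy /enforce
rem That refresh runs in the background, so allow it time to apply first.
setlocal

rem Hypothetical probe file; %TEMP% must be on an NTFS volume for EFS to apply.
set PROBE=%TEMP%\efs_probe.txt
echo EFS probe > "%PROBE%"

rem Ask EFS to encrypt the file. /A makes cipher operate on files, not only
rem directories. Output is discarded; the state is checked separately below.
cipher /e /a "%PROBE%" >nul 2>&1

rem cipher with only a path lists the file's state. Assumed listing format:
rem a line beginning "E " means encrypted, "U " means unencrypted.
cipher "%PROBE%" | findstr /b /c:"E " >nul
if errorlevel 1 (
    echo PASS: the probe file was not encrypted, EFS is blocked here.
    set RESULT=0
) else (
    echo FAIL: the probe file was encrypted, a recovery policy is still usable here.
    set RESULT=1
)

del "%PROBE%" >nul 2>&1
endlocal & exit /b %RESULT%
```

A FAIL on a machine after the domain GPO shows "no policy" rather than an empty policy is the symptom the question describes: the local recovery policy is still in effect.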

Copyright 2003 - 2008 examnotes.net