Disable EFS in Windows 2000

How can I disable EFS on Computers Running Windows 2000?

To disable EFS on computers running Windows 2000, you must remove the default data recovery agent from the computer. This restriction is removed in Windows XP and Windows Server 2003 to help prevent security attacks on computers that are not members of a domain.

The following procedure will show you how to use Group Policy to disable EFS for all computers running Windows 2000 in a Windows Server 2003 domain.

Note: Before you remove the certificate for the default domain recovery agent, you should back up the certificate by exporting it to a file.


  1. Open the Default Domain Policy GPO. You can use Active Directory Users and Computers or the GPMC to edit the GPO.
  2. In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
  3. In the details pane, right-click Administrator, point to All Tasks, and then click Export. Complete the Certificate Export Wizard to export the Administrator’s EFS recovery certificate.

This will export the default EFS recovery certificate for the domain to a file. Store this file on removable media such as a floppy disk, and then store the media in a secure location.

  4. In the details pane, right-click Administrator, and then click Delete.

This will delete the default EFS recovery certificate for the domain.

  5. In the Certificates window, click Yes to permanently delete the certificate.

Important: Deleting the EFS recovery agent for the domain will prevent users on computers running Windows 2000 from encrypting files; however, it will not prevent users on computers running Windows XP and Windows Server 2003 from encrypting files. In addition, it will disable the recovery agent for all encrypted files. If users who have previously encrypted files are unable to decrypt their files for any reason, there will be no recovery agent to decrypt their files.
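Because deleting the recovery agent leaves every already-encrypted file with no recovery path, it is worth taking an inventory of encrypted files before step 4 so that their owners can be told to decrypt or back them up first. The script below is an added example and is not part of the original article; it assumes PowerShell is available on the computer being checked, and the `$Roots` and `$ReportPath` values are placeholders to adjust for your environment. It finds files that carry the Encrypted attribute and writes their path, size and owner to a CSV report.

```powershell
# Added example (not from the original article): inventory EFS-encrypted files
# before the domain recovery agent is deleted. Once the agent is gone there is
# no way to recover a file whose owner can no longer decrypt it.
# Assumptions: run locally on each computer (or against a UNC path you can read);
# $Roots and $ReportPath are placeholders for your own paths.

param(
    [string[]]$Roots = @('C:\Documents and Settings'),
    [string]$ReportPath = 'C:\efs-inventory.csv'
)

# The Encrypted file attribute is set on every file protected by EFS, so
# testing the attribute bit is enough to find them without opening the files.
$encrypted = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        }
}

# Record who owns each file; reading the ACL does not require decrypting it,
# so this works even for files the administrator cannot open.
$encrypted |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

"{0} encrypted file(s) found; report written to {1}" -f @($encrypted).Count, $ReportPath
```

On a computer without PowerShell, the built-in `cipher /u /n` command lists all encrypted files on the local drives without touching their keys and can be used for the same inventory. Review the report with the file owners before step 4; any file still listed after the recovery agent is deleted can only be decrypted by the user's own EFS key.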
