Channel: Group Policy forum

Local GPO setting "EFS Data Recovery Agent" doesn't work on computers in domain


Hi,

I have the following problem: I apply an EFS DRA by Local GPO (gpedit.msc) to a computer which is in a domain, and despite the fact that the domain DOESN'T set any EFS settings ("not defined" is set; RSoP shows "Public Key Policies-------------------N/A"), no DRA is used during the encryption. The problem is that it DID work before joining this computer to the domain.

Symptoms:
- on gpedit.msc I can see that DRA is set (that's OK);
- all other settings from gpedit WORK, only DRA is not working (for instance: "allow", "not allowed" affect the system without problem) (that's OK);
- running RSoP shows that DRA is NOT visible (that's not OK), but other EFS settings are applied;
- on RSoP Precedence page I can see that only "Local Group Policy" is listed and enabled (that's OK);

Remarks:
- all computers which are not in a domain work with the same settings (then RSoP lists the DRA);
- in our domain EFS is set to "Not Defined", but we use the "extended 2003" schema, not a full 2008 schema. The 2003 schema part is set in EFS ("Allow users to encrypt ... EFS");

During the investigation I found out the following facts:
- Process Monitor shows that the EFSBlob setting in the registry is set PROPERLY and after a while svchost.exe sets an EMPTY value to it;
- on the "gpupdate /force" command I can see that svchost.exe sets EFSBlob properly and after a couple of instructions it sets an empty value to it! So it seems that the resolved settings contain 2 values for the EFSBlob field!
- the ntuser.pol file contains TWO entries for the "EFSBlob" field, the first is OK (my certificate), and the second contains an empty value (1 0 1 0 0 0 0);

To be honest, it seems to me like some kind of a bug in LGPO in Win7 (I didn't test it on other OSes).

Regards, Andrew
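The two-entry policy file described in the post can be checked directly by parsing it. The following is an added example, not code from the post: a minimal parser for the PReg layout used by registry.pol (assumed here to be the same layout as the ntuser.pol the post mentions), run over a constructed sample that reproduces a duplicate EFSBlob entry and reports which value wins; the EFS key path and the blob bytes are assumptions standing in for the real certificate.

```python
import struct
# PReg layout: "PReg" magic, DWORD version 1, then records [key;name;type;size;data]
# where the brackets, semicolons and both strings are UTF-16LE (strings NUL-terminated).
PREG_MAGIC = b"PReg"
REG_BINARY = 3
EFS_KEY = r"Software\Policies\Microsoft\SystemCertificates\EFS"   # assumed policy key for EFSBlob
def U(s): return s.encode("utf-16-le")

def build_preg(entries):
    """Serialize (key, name, type, data) tuples into a PReg blob (used only for the constructed input)."""
    body = b"".join(U("[") + U(k + "\0;" + n + "\0;") + struct.pack("<I", t) + U(";")
                    + struct.pack("<I", len(d)) + U(";") + d + U("]") for k, n, t, d in entries)
    return PREG_MAGIC + struct.pack("<I", 1) + body

def parse_preg(blob):
    """Return (key, name, type, data) records in file order; when applied, a later record overwrites an earlier one."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file")
    pos, records = 8, []
    def read_sz():                          # NUL-terminated UTF-16LE string, kept 2-byte aligned
        nonlocal pos
        end = blob.index(b"\0\0", pos)
        while (end - pos) % 2:              # a 00 00 straddling two code units is not the terminator
            end = blob.index(b"\0\0", end + 1)
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    def expect(ch):                         # consume one UTF-16LE delimiter or fail loudly
        nonlocal pos
        if blob[pos:pos + 2] != U(ch):
            raise ValueError("malformed record at offset %d" % pos)
        pos += 2
    while pos < len(blob):
        expect("["); key = read_sz(); expect(";"); name = read_sz(); expect(";")
        rtype, = struct.unpack_from("<I", blob, pos); pos += 4; expect(";")
        size, = struct.unpack_from("<I", blob, pos); pos += 4; expect(";")
        data = blob[pos:pos + size]; pos += size; expect("]")
        records.append((key, name, rtype, data))
    return records

def duplicate_values(records):
    """Map (key, name) -> [data, ...] for values written more than once; the last entry is the one that applies."""
    seen = {}
    for key, name, _rtype, data in records:
        seen.setdefault((key.lower(), name.lower()), []).append(data)
    return {k: v for k, v in seen.items() if len(v) > 1}

SAMPLE_POL = build_preg([  # constructed sample mirroring the post: a DRA blob, then an empty entry
    (EFS_KEY, "EFSBlob", REG_BINARY, b"\x01\x00\x01\x00" + b"\xAA" * 16),  # stands in for the real certificate
    (EFS_KEY, "EFSBlob", REG_BINARY, b"\x01\x00\x01\x00\x00\x00\x00"),     # the "1 0 1 0 0 0 0" value
])
```

Running `duplicate_values(parse_preg(open(path, "rb").read()))` against a real .pol file lists every value that is written twice and shows that the last (empty) EFSBlob is the one the client-side extension applies, which matches the Process Monitor observation in the post.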

