Hi Jason,

An approach that may work is to create an ADM template to manage the keys you want removed, then disable those policies. At best this would be considered a "non-standard" approach. This is based on my belief that these entries are held in the Registry.POL file and so should be manageable via an ADM file. The difficulty may be that they are stored as binary fields, which is not normally supported by ADM templates.

An even less standard way of doing it is to edit the Registry.POL file directly and remove the entries! If you are interested, send me the registry.pol file and I will play around with it. It will be under the MACHINE branch for that policy.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free):- http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason B. Halladay
Sent: Wednesday, 11 June 2008 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Public key policies defined but not really?

We have a GPO in our environment that is linked to numerous OUs in our domain that has some unneeded Public Key policy settings defined that I'd like to get rid of. The settings show up in the GPMC under the Settings tab, and domain computers are indeed receiving the policy settings. However, when I go to edit the GPO in the GPOE and drill down to the settings (Computer Config/Windows Settings/Security Settings/Public Key Policies/Encrypting File System) I receive the message:

"No Encrypting File System Policies Defined. This group policy has no encrypting file system policies defined directly on it. To define a policy, you can click on the Encrypting File System node and select Add Data Recovery Agent, Create Data Recovery Agent or Do Not Require Data Recovery Agents from the All Tasks menu."

I'm guessing I will ultimately end up just creating a new GPO without the PKI policies and re-linking it to all the OUs this one is currently linked to, but I thought I'd see if anyone had any other suggestions.

The GP management machine is a Win2003 SP2 server. The GPO was created long ago when the domain was at Windows 2000 mixed functional level. We are now at Windows Server 2003 functional level. I'm thinking that maybe the PKI policies were defined under a different functional level and now they cannot be modified under the new one? We have not created any data recovery agents in the domain and don't intend to. I suspect this might have something to do with it?

Thanks!
Jason

--
Jason Halladay
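The "edit Registry.pol directly" option Alan mentions is workable because the file has a simple, documented layout: a "PReg" magic plus a DWORD version, followed by records of the form [key;value;type;size;data] where the brackets and semicolons are UTF-16LE characters, key and value are null-terminated UTF-16LE strings, type and size are little-endian DWORDs, and data is size raw bytes. The following parser and filter is an added example written for this page; it is not code from Alan, Jason, or the sysprosoft tools. The sample entries are constructed for the example, the certificate thumbprint is made up, and the key path Software\Policies\Microsoft\SystemCertificates\EFS is my assumption about where the Public Key Policies EFS store lives in the MACHINE Registry.pol; confirm it against the real file before removing anything.

```python
"""Parse a Group Policy Registry.pol (PReg) blob and strip a key subtree.

Layout (all text UTF-16LE):  "PReg" + DWORD version, then repeated
    [key;value;type;size;data]
"""
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4


def _u16(text):
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, reg_type, data) tuples into a Registry.pol blob."""
    out = bytearray(PREG_MAGIC) + struct.pack("<I", PREG_VERSION)
    for key, value, reg_type, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00"
        out += _u16(";") + _u16(value) + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", reg_type)
        out += _u16(";") + struct.pack("<I", len(data))
        out += _u16(";") + bytes(data) + _u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Return a list of (key, value, reg_type, data) tuples; raise on malformed input."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    pos = 8
    entries = []

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 2

    def read_string():
        # Scan in 2-byte steps: a UTF-16LE NUL is two zero bytes at an even offset.
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            if end + 2 > len(blob):
                raise ValueError("unterminated string at offset %d" % pos)
            end += 2
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    def read_dword():
        nonlocal pos
        (val,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return val

    while pos < len(blob):
        expect("[")
        key = read_string()
        expect(";")
        value = read_string()
        expect(";")
        reg_type = read_dword()
        expect(";")
        size = read_dword()
        expect(";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos += size
        expect("]")
        entries.append((key, value, reg_type, data))
    return entries


def remove_key_subtree(blob, key_prefix):
    """Drop every entry at key_prefix or beneath it (case-insensitive, like the registry).
    Returns (new_blob, removed_entries) so the caller can review what went."""
    prefix = key_prefix.lower().rstrip("\\")
    kept, removed = [], []
    for entry in parse_registry_pol(blob):
        k = entry[0].lower()
        (removed if k == prefix or k.startswith(prefix + "\\") else kept).append(entry)
    return build_registry_pol(kept), removed


# Constructed sample (not a real GPO): two EFS-store entries under the assumed
# Public Key Policies key, plus an unrelated setting that must survive the edit.
EFS_KEY = r"Software\Policies\Microsoft\SystemCertificates\EFS"
SAMPLE_ENTRIES = [
    (EFS_KEY, "EFSBlob", REG_BINARY, b"\x01\x00\x01\x00" + b"\x00" * 12),
    (EFS_KEY + r"\Certificates\0123456789ABCDEF0123456789ABCDEF01234567",
     "Blob", REG_BINARY, b"\x03\x00\x00\x00" + b"\xaa" * 16),
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services",
     "fDenyTSConnections", REG_DWORD, struct.pack("<I", 0)),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for key, value, reg_type, data in parse_registry_pol(src):
        print("%s\\%s  type=%d  %d bytes" % (key, value, reg_type, len(data)))
```

Run it against a copy of MACHINE\Registry.pol from the GPO's SYSVOL folder to list what is really in there, then call remove_key_subtree and write the result back only after inspecting the removed entries. Two caveats a practitioner would want: work on a backup, and remember that hand-editing the file does not bump the GPO version in GPT.ini and Active Directory, so clients will not notice the change until the version is incremented (for example by making any trivial edit in the GPOE afterwards).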