[gptalk] Re: Public key policies defined but not really?

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jun 2008 09:38:11 +1000

Hi Jason,


An approach that may work is to create an ADM template to manage the keys
you want removed, then disable those policies. At best this would be
considered a "non-standard" approach.


This is based on my belief that these entries are held in the Registry.POL
file and so should be manageable via an ADM file. The difficulty may be that
they are stored as binary fields, which are not normally supported by ADM.


An even less standard way of doing it is to edit the Registry.POL file
directly and remove the entries!


If you are interested, send me the registry.pol file and I will play around
with it. It will be under the MACHINE branch for that policy.


Alan Cuthbertson

Policy Management Software:-
ADM Template Editor:-
Policy Log Reporter (Free)

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason B. Halladay
Sent: Wednesday, 11 June 2008 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Public key policies defined but not really?


We have a GPO in our environment that is linked to numerous OUs in our
domain that has some unneeded Public Key policy settings defined that I'd
like to get rid of. The settings show up in the GPMC under the settings tab
and domain computers are indeed receiving the policy settings.  However,
when I go to edit the GPO in the GPOE and drill down to the settings
(Computer Config/Windows Settings/Security Settings/Public Key
Policies/Encrypting File System) I receive the message:

"No Encrypting File System Policies Defined. This group policy has no
encrypting file system policies defined directly on it. To define a policy,
you can click on the Encrypting File System node and select Add Data
Recovery Agent, Create Data Recovery Agent or Do Not Require Data Recovery
Agents from the All Tasks menu."

I'm guessing I will ultimately end up just creating a new GPO without the
PKI policies and re-linking to all the OUs this one is currently linked to,
but I thought I'd see if anyone had any other suggestions.  The GP
management machine is a Win2003 SP2 server. The GPO was created long ago
when the domain was at Windows 2000 mixed functional level. We are now at
Windows Server 2003 functional level.  I'm thinking that maybe the PKI
policies were defined under a different functional level and now they cannot
be modified under the new one? We have not created any data recovery agents
in the domain and don't intend to.  I suspect this might have something to
do with it? 



Jason Halladay
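As an added example (not code from Alan's or Jason's posts), here is what "edit the Registry.POL file directly and remove the entries" amounts to, written in Python so it can be run offline against a copy of the file rather than on the domain controller. It parses the PReg format that Registry.pol uses (a "PReg" signature, a version DWORD, then UTF-16LE entries of the form [key;value;type;size;data]), drops every entry under the EFS subtree of the machine-side public key policies, and serialises the rest back out. The sample entries, including the certificate thumbprint, are constructed for the demonstration, and the registry paths are assumptions about where the EFS recovery policy lives in the file; check them against the real file before relying on them.

```python
import struct
from dataclasses import dataclass

# PReg layout (Registry.pol): "PReg" signature, version DWORD 1, then entries
# written in UTF-16LE as  [key;value;type;size;data]  with 4-byte type/size.
PREG_MAGIC = b"PReg"
PREG_VERSION = 1

REG_NONE = 0
REG_BINARY = 3
REG_DWORD = 4

# Keys in the Machine Registry.pol are relative to HKLM. Assumption for this
# example: the EFS recovery policy entries sit under this subtree.
EFS_KEY_PREFIX = r"Software\Policies\Microsoft\SystemCertificates\EFS"


@dataclass
class PolEntry:
    key: str
    value: str
    vtype: int
    data: bytes


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")


def _read_utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    """Consume one expected delimiter character (UTF-16LE) at pos."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_pol(buf: bytes) -> list:
    """Decode a Registry.pol buffer into a list of PolEntry."""
    if buf[:4] != PREG_MAGIC or struct.unpack_from("<I", buf, 4)[0] != PREG_VERSION:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, vtype, data))
    return entries


def build_pol(entries) -> bytes:
    """Encode PolEntry objects back into a Registry.pol buffer."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for e in entries:
        out += _u16("[") + _u16(e.key + "\0") + _u16(";") + _u16(e.value + "\0")
        out += _u16(";") + struct.pack("<I", e.vtype) + _u16(";")
        out += struct.pack("<I", len(e.data)) + _u16(";") + e.data + _u16("]")
    return bytes(out)


def split_entries(entries, key_prefix: str):
    """Return (kept, removed); entries at or below key_prefix are removed."""
    p = key_prefix.lower().rstrip("\\")
    removed = [e for e in entries
               if e.key.lower() == p or e.key.lower().startswith(p + "\\")]
    kept = [e for e in entries if e not in removed]
    return kept, removed


def strip_efs_policy(buf: bytes):
    """Rewrite a Registry.pol buffer without the EFS subtree; returns (new_buf, removed)."""
    kept, removed = split_entries(parse_pol(buf), EFS_KEY_PREFIX)
    return build_pol(kept), removed


def rewrite_pol_file(src: str, dst: str):
    """Apply strip_efs_policy to a copy of the file on disk; returns removed entries."""
    with open(src, "rb") as f:
        new_buf, removed = strip_efs_policy(f.read())
    with open(dst, "wb") as f:
        f.write(new_buf)
    return removed


# Constructed sample: three EFS entries (hypothetical thumbprint, placeholder
# blob) plus one unrelated setting that must survive the rewrite.
SAMPLE_ENTRIES = [
    PolEntry(EFS_KEY_PREFIX + r"\Certificates\0123456789ABCDEF0123456789ABCDEF01234567",
             "Blob", REG_BINARY, b"\x03\x00\x00\x00\x01\x00\x00\x00" + bytes(20)),
    PolEntry(EFS_KEY_PREFIX + r"\CRLs", "", REG_NONE, b""),
    PolEntry(EFS_KEY_PREFIX + r"\CTLs", "", REG_NONE, b""),
    PolEntry(r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU",
             "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0)),
]

if __name__ == "__main__":
    new_buf, removed = strip_efs_policy(build_pol(SAMPLE_ENTRIES))
    for e in removed:
        print("removed", e.key, repr(e.value))
    for e in parse_pol(new_buf):
        print("kept   ", e.key, repr(e.value))
```

Point rewrite_pol_file at a copy of \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Registry.pol, not the live file, and back the GPO up in GPMC first. Two caveats for anyone going this route: the parser refuses anything that is not PReg version 1 rather than guessing, and a hand edit of the file does not increment the GPO version number in GPT.INI and on the AD object, which clients compare to decide whether to reprocess the policy, so make a trivial change in the editor afterwards (and revert it) to bump the version and get the change out to clients.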

