[gptalk] Public key policies defined but not really?

  • From: "Jason B. Halladay" <jason@xxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 10 Jun 2008 16:57:41 -0600

We have a GPO in our environment that is linked to numerous OUs in our domain that has some unneeded Public Key policy settings defined that I'd like to get rid of. The settings show up in the GPMC under the settings tab and domain computers are indeed receiving the policy settings. However, when I go to edit the GPO in the GPOE and drill down to the settings (Computer Config/Windows Settings/Security Settings/Public Key Policies/Encrypting File System) I receive the message:

"No Encrypting File System Policies Defined. This group policy has no encrypting file system policies defined directly on it. To define a policy, you can click on the Encrypting File System node and select Add Data Recovery Agent, Create Data Recovery Agent or Do Not Require Data Recovery Agents from the All Tasks menu."

I'm guessing I will ultimately end up just creating a new GPO without the PKI policies and re-linking to all the OUs this one is currently linked to, but I thought I'd see if anyone had any other suggestions. The GP management machine is a Win2003 SP2 server. The GPO was created long ago when the domain was at Windows 2000 mixed functional level. We are now at Windows Server 2003 functional level. I'm thinking that maybe the PKI policies were defined under a different functional level and now they cannot be modified under the new one? We have not created any data recovery agents in the domain and don't intend to. I suspect this might have something to do with it?



Jason Halladay
