Policy Enforcement

EFS enforces policy each time an encrypted file is opened. The existing recovery information is checked to ensure that it is based on current policy. If it is not, new recovery information is generated for the file. This keeps the recovery information up to date on all files that are being used. To perform recovery, you can view EFS recovery policy to see which recovery agent administrators you can send the file to for recovery. If the file has not been opened for a long time, the recovery agent information might be obsolete. You can use the efsinfo command to display the recovery agent information contained in encrypted files. For more information about efsinfo, see "Viewing Recovery Agent Information" later in this chapter.

You can assign one or more recovery agent accounts to a group of computers within a domain by using Group Policy to designate that group as an organizational unit. Any of the designated recovery accounts can be used to recover users' files for that organizational unit.

A policy with no recovery certificates — called an empty policy — disables EFS on all computers in its scope. An empty policy is distinct from no policy, where the recovery agent certificates are deleted from EFS recovery policy. "No policy" implies "don't care" and, therefore, each computer can use its locally defined policy.

By EFS rules, a recovery policy with any invalid certificate is invalid as a whole, and EFS is turned off for any new encryptions. Existing encrypted files can still be decrypted.

By default, Group Policy is inherited and cumulative, and is applied from the broadest scope to the narrowest. When a user logs on to the domain controller, the site policy is applied first, then the domain policy, and finally the organizational unit policy. If the computer has a local policy, it applies only in stand-alone mode and is superseded by the organizational unit policy when the computer is joined to a domain. The order of policy importance is the reverse: If there are contradictions in policy between the site, domain, or organizational unit, the policy that takes precedence is the one applied at the scope closest to the user.

For example, let's say the site recovery agent account is RECOV1 and neither the domain nor the organizational unit that you are joining has a policy.

  • You log on to the network and join the domain. RECOV1 is applied, then "no policy" and another "no policy." There is no conflict here, so RECOV1 automatically becomes your recovery agent account.

  • Now let's say the domain has a designated recovery agent account, RECOV2. RECOV2 takes precedence over RECOV1 and becomes your recovery agent account.

  • Let's say that, instead of "no policy," the organizational unit has an empty policy. This takes precedence and disables EFS, so you cannot use it.

  • Suppose LOCRECOV is the stand-alone recovery agent account for the computer. It is ignored because the organizational unit policy takes effect when you join the domain. If you leave the domain by removing your account from the domain controller, LOCRECOV becomes the agent again.

When you configure Group Policy, you have the following options:

  • Block policy inheritance, so lower-level organizational units do not inherit the policy from the parent site, domain, or organizational units.

  • Prevent a lower-level policy from overriding or superseding policy from a parent site, domain, or organizational unit.
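The following Python script is an added illustration, not code from the chapter or from Windows. It models the precedence rules from the RECOV1/RECOV2/LOCRECOV walkthrough above together with the two Group Policy options just listed: scopes are evaluated from site to domain to organizational unit, "no policy" keeps whatever was inherited, an empty policy or any invalid certificate disables EFS for new encryptions, the local policy counts only on a stand-alone computer (or when no domain scope defines a policy), and blocking inheritance or preventing override changes which scope wins. The Cert, Scope and Effective types, the resolve function and the certificate objects are constructed for the model; the account and scope names are the chapter's. One modelling assumption is that a parent scope marked "no override" still wins over a child scope that blocks inheritance.

```python
"""Model of the EFS recovery-policy precedence rules described in the chapter.

Constructed model for illustration only, not Windows or EFS code.
A scope's recovery policy is one of:
  None         "no policy": the scope doesn't care; what applies above it is kept
  []           empty policy: no recovery certificates, EFS is disabled in scope
  [Cert, ...]  recovery agent certificates; one invalid certificate invalidates all
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    agent: str          # recovery agent account name, e.g. "RECOV1"
    valid: bool = True  # False models an expired or otherwise invalid certificate


@dataclass
class Scope:
    name: str                            # "site", "domain", "ou", ...
    policy: Optional[List[Cert]] = None  # None = "no policy" (see module docstring)
    block_inheritance: bool = False      # do not inherit policy from parent scopes
    no_override: bool = False            # child scopes may not supersede this policy


@dataclass
class Effective:
    source: str        # scope whose policy won ("local" when the local policy applies)
    agents: List[str]  # recovery agent accounts usable for new encryptions
    efs_enabled: bool  # False: no new encryptions (existing files still decrypt)
    reason: str


def evaluate(source: str, policy: Optional[List[Cert]]) -> Effective:
    """Apply the EFS rules to the single policy that won precedence."""
    if policy is None:
        # Not covered by the chapter; modelled conservatively as no new encryptions
        return Effective(source, [], False, "no recovery policy in effect")
    if not policy:
        return Effective(source, [], False, "empty policy disables EFS")
    bad = [c.agent for c in policy if not c.valid]
    if bad:
        return Effective(source, [], False, f"invalid certificate(s) {bad} invalidate the policy")
    return Effective(source, [c.agent for c in policy], True, "valid recovery policy")


def resolve(scopes: List[Scope], local: Optional[List[Cert]] = None,
            joined: bool = True) -> Effective:
    """Walk scopes from broadest (site) to narrowest (OU). The last scope that
    defines a policy wins, unless a parent marked no_override has pinned the result.
    Modelling assumption: no_override on a parent beats block_inheritance below it."""
    if not joined:
        return evaluate("local", local)  # stand-alone: only the local policy counts
    winner: Optional[Scope] = None
    pinned = False
    for scope in scopes:
        if pinned:
            continue                     # a parent's policy cannot be superseded
        if scope.block_inheritance:
            winner = None                # discard everything inherited so far
        if scope.policy is None:
            continue                     # "don't care": keep what was inherited
        winner = scope
        if scope.no_override:
            pinned = True
    if winner is None:
        # "no policy" at every domain scope: the computer may use its local policy
        return evaluate("local", local)
    return evaluate(winner.name, winner.policy)


def chapter_walkthrough() -> dict:
    """The chapter's RECOV1 / RECOV2 / LOCRECOV cases plus the two Group Policy
    options and the invalid-certificate rule. Certificates are constructed."""
    recov1, recov2, locrecov = [Cert("RECOV1")], [Cert("RECOV2")], [Cert("LOCRECOV")]
    site = Scope("site", recov1)
    return {
        "site only": resolve([site, Scope("domain"), Scope("ou")], local=locrecov),
        "domain overrides": resolve([site, Scope("domain", recov2), Scope("ou")], local=locrecov),
        "empty OU policy": resolve([site, Scope("domain", recov2), Scope("ou", [])], local=locrecov),
        "stand-alone": resolve([site, Scope("domain"), Scope("ou")], local=locrecov, joined=False),
        "blocked inheritance": resolve(
            [site, Scope("domain", recov2), Scope("ou", block_inheritance=True)], local=locrecov),
        "site no override": resolve(
            [Scope("site", recov1, no_override=True), Scope("domain", recov2), Scope("ou")],
            local=locrecov),
        "invalid cert": resolve(
            [site, Scope("domain", [Cert("RECOV2"), Cert("EXPIRED", valid=False)]), Scope("ou")],
            local=locrecov),
    }


if __name__ == "__main__":
    for case, eff in chapter_walkthrough().items():
        print(f"{case:20} -> {eff.source:6} agents={eff.agents} efs={eff.efs_enabled} ({eff.reason})")
```

Running the script prints one line per case; the "blocked inheritance" case shows why blocking inheritance on an organizational unit that defines no policy of its own leaves the computer with its local policy rather than with the site or domain agents, and the "invalid cert" case shows the domain policy being rejected as a whole even though one of its certificates is fine.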

For more information about Group Policy, see Group Policy Help and "Group Policy" in this book.

You can associate multiple Group Policy objects with a single site, domain, or organizational unit; and you can prioritize how these Group Policy objects affect the directory object to which they are applied. Conversely, multiple sites, domains, and organizational units can use a single Group Policy object. Any site, domain, or organizational unit can be associated with any Group Policy object, even across domains in the same forest.

Administrators can exempt certain computers from inheriting Group Policy from the domain to which they belong. In such cases, with regard to Group Policy, the computer functions as if it were a stand-alone computer.

Active Directory can accommodate a wide range of implementation scenarios. A computer can exist in multiple nested organizational units and have more than one Group Policy object applied to it. Because the directory is stored on all domain controllers, it scales to organizations with many thousands of users.