| Q: | Does the default EFS Recovery Agent certificate template satisfy the design requirements for the Lucerne Publishing EFS project? |
| A: | Yes. There are no specific design requirements for the enrollment of the EFS Recovery Agent certificate template. By assigning permissions so that only members of the internal audit department have Read and Enroll permissions, the enrollment is restricted to approved users. |
| Q: | Does the default Key Recovery Agent certificate template satisfy the design requirements for the Lucerne Publishing EFS project? |
| A: | Yes. There are no specific design requirements for the enrollment of the Key Recovery Agent certificate template. By default, members of the Enterprise Admins group have Read and Enroll permissions for the Key Recovery Agent certificate template. |
| Q: | Do the design requirements allow the EFS Recovery Agent and Key Recovery Agent certificate templates to be published only at the Lucerne Publishing Americas CA? |
| A: | Yes. It does not matter which issuing CA in the CA hierarchy publishes these certificate templates. As long as the issued certificates chain to the Lucerne Publishing Root CA certificate, they are recognized at all locations in the Lucerne Publishing network. |
| Q: | Does Andy’s proposed solution meet the design requirements for designation of key recovery agents in the forest? |
| A: | No. The design requirements demand that key archival and recovery be enabled only at the Lucerne Publishing Americas CA. To meet them, the key recovery agents from each region should all be designated as key recovery agents at the Lucerne Publishing Americas CA. The proposed solution instead designates a single key recovery agent at each region’s CA, which enables key archival at every issuing CA rather than only at the Lucerne Publishing Americas CA. |
| Q: | Is EFS encryption disabled for all computers running Windows 2000 not in the OU named OU=Notebooks,OU=Computer Accounts,DC=lucernepublish,DC=msft? |
| A: | No. As configured, the GPO defines no Encrypting File System policy, so a computer running Windows 2000 falls back to the EFS settings in its local security policy, including the locally defined EFS recovery agent, and encryption remains possible. To prevent encryption on computers running Windows 2000, an empty Encrypting File System policy (one that lists no recovery agent certificates) must be defined in the GPO; Windows 2000 refuses to encrypt when the effective policy contains no recovery agent. Applying no Encrypting File System policy at all simply results in the use of the EFS settings defined in the local security policy. |
| Q: | Does Andy’s proposed design disable EFS encryption for computer accounts of computers running Windows XP and Windows Vista not in the OU named OU=Notebooks,OU=Computer Accounts,DC=lucernepublish,DC=msft? |
| A: | No. The design does not disable EFS encryption for any computer running Windows XP or Windows Vista; on those versions an EFS policy with no recovery agent does not prevent encryption the way it does on Windows 2000. To disable EFS encryption for computers running Windows XP and Windows Vista, open the property sheet of the Encrypting File System Group Policy setting and clear the Allow Users To Encrypt Files Using Encrypting File System (EFS) check box (for Windows XP) or select the Don’t Allow option (for Windows Vista), then scope the GPO so that it applies to every computer account except those in OU=Notebooks,OU=Computer Accounts,DC=lucernepublish,DC=msft. |
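The following PowerShell script is an added example, not part of the book's answer key, that audits a GPO for the two things the last two answers turn on: whether it actually stores the "disable EFS" setting for Windows XP/Vista, and whether it applies to the Computer Accounts OU but not to the Notebooks OU named above. It assumes the RSAT GroupPolicy module is installed, that the domain is lucernepublish.msft (taken from the distinguished names on this page), and that the GPO name 'Disable EFS' is hypothetical. The registry mapping of the EFS check box to EfsConfiguration is an assumption stated in the code; confirm it against a GPO report in your own environment.

```powershell
# Added example (not from the book): audit the EFS settings a GPO stores and where it applies.
# Assumptions: RSAT GroupPolicy module; GPO name 'Disable EFS' is hypothetical;
# domain lucernepublish.msft as in the OU distinguished names on this page.
Import-Module GroupPolicy

$domain      = 'lucernepublish.msft'
$gpoName     = 'Disable EFS'
$computersOu = 'OU=Computer Accounts,DC=lucernepublish,DC=msft'
$notebooksOu = 'OU=Notebooks,OU=Computer Accounts,DC=lucernepublish,DC=msft'

# Assumption: clearing "Allow users to encrypt files using EFS" (XP) or choosing
# "Don't allow" (Vista) is stored in the GPO as this registry-based policy value.
# Verify with: Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html
$efsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsDisableState {
    # Returns the EfsConfiguration value stored in the GPO, or $null if the GPO does not set it.
    param([string]$Name)
    try {
        $v = Get-GPRegistryValue -Name $Name -Domain $domain -Key $efsKey `
                -ValueName 'EfsConfiguration' -ErrorAction Stop
        return [int]$v.Value
    }
    catch { return $null }
}

$state = Get-EfsDisableState -Name $gpoName
if ($null -eq $state) {
    "GPO '$gpoName' defines no EfsConfiguration value: XP/Vista computers keep their local EFS settings and can still encrypt."
}
elseif ($state -eq 1) {
    "GPO '$gpoName' sets EfsConfiguration = 1: EFS is disabled on XP/Vista computers in its scope."
}
else {
    "GPO '$gpoName' sets EfsConfiguration = $state: EFS is still allowed."
}

# Scope check. The requirement is "every computer except those in Notebooks", so the
# GPO should apply at Computer Accounts and must not win on Notebooks (either a
# higher-precedence link on Notebooks that re-allows EFS, or blocked inheritance).
foreach ($ou in $computersOu, $notebooksOu) {
    $links = (Get-GPInheritance -Target $ou -Domain $domain).InheritedGpoLinks |
             Where-Object { $_.DisplayName -eq $gpoName -and $_.Enabled }
    if ($links) { "$ou : '$gpoName' applies (precedence order $($links[0].Order))" }
    else        { "$ou : '$gpoName' does not apply" }
}
```

InheritedGpoLinks lists every GPO that reaches the OU in precedence order, but it does not tell you which GPO wins a particular setting; for the final word on a given notebook, run gpresult /r on that computer or use the Group Policy Results wizard.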
| Q: | Does the Lucerne Publishing EFS certificate template allow for autoenrollment by Windows Vista users? |
| A: | Yes. The certificate template correctly enables Read, Enroll, and Autoenroll permissions for the Lucerne Publishing EFS certificate template. |
| Q: | Does the proposed EFS Autoenrollment GPO enable autoenrollment of the Lucerne Publishing EFS certificate template by users with computers running Windows XP? |
| A: | No. Autoenrollment for a user certificate template is driven by the user account, not the computer account, so the EFS Autoenrollment GPO must be linked where the user accounts exist and must enable autoenrollment in its User Configuration, not its Computer Configuration. Because no user OUs are defined, you can link the GPO at the lucernepublish.msft domain and instead control who actually autoenrolls by limiting the Read, Enroll, and Autoenroll permissions on the Lucerne Publishing EFS certificate template to members of a custom universal or global group. |
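The script below is an added example, not part of the book's answer key, that checks the three parts of the fix described in the last two answers: that the template's ACL grants a group Read, Enroll and Autoenroll, that the GPO enables autoenrollment in the user configuration rather than only the computer configuration, and that the GPO is linked at the domain with its user settings enabled. It assumes the RSAT ActiveDirectory and GroupPolicy modules, the domain lucernepublish.msft from this page, and three hypothetical names: template 'LucernePublishingEFS', GPO 'EFS Autoenrollment' and group 'EFS Users'. The interpretation of the AEPolicy value is an assumption and is labelled as such in the code.

```powershell
# Added example (not from the book): verify template permissions, user-scope autoenrollment,
# and the GPO link for an EFS autoenrollment design.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules; the template, GPO and group
# names below are hypothetical; domain lucernepublish.msft (DC=lucernepublish,DC=msft).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = 'lucernepublish.msft'
$domainDn = 'DC=lucernepublish,DC=msft'
$template = 'LucernePublishingEFS'
$gpoName  = 'EFS Autoenrollment'
$group    = 'EFS Users'

# Control-access-right GUIDs that appear as ObjectType on certificate template ACEs.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# (1) Template permissions are the DACL of the template object in the Configuration partition.
$templateDn = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$domainDn"
$aces = (Get-Acl -Path "AD:\$templateDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$group" }

$read       = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0 })
$enroll     = [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollGuid })
$autoenroll = [bool]($aces | Where-Object { $_.ObjectType -eq $AutoenrollGuid })
"Template '$template' for '$group': Read=$read Enroll=$enroll Autoenroll=$autoenroll"

# (2) Autoenrollment is configured per scope. Users enroll under the HKCU policy key; the HKLM
# key only drives computer-certificate autoenrollment, which is the mistake described above.
# Assumption: AEPolicy absent = Not configured; bit 0x8000 set = Disabled; otherwise Enabled
# (7 = enabled with both renewal/update check boxes selected).
function Get-AutoenrollState {
    param([string]$Hive)
    try {
        $v = Get-GPRegistryValue -Name $gpoName -Domain $domain `
                -Key "$Hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
                -ValueName 'AEPolicy' -ErrorAction Stop
        if (([int]$v.Value -band 0x8000) -ne 0) { return 'Disabled' }
        return "Enabled (AEPolicy=$($v.Value))"
    }
    catch { return 'Not configured' }
}
"User autoenrollment (HKCU):     $(Get-AutoenrollState -Hive 'HKCU')"
"Computer autoenrollment (HKLM): $(Get-AutoenrollState -Hive 'HKLM')"

# (3) The GPO must be linked at the domain, and its user half must not be disabled.
$gpo  = Get-GPO -Name $gpoName -Domain $domain
$link = (Get-GPInheritance -Target $domainDn -Domain $domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName -and $_.Enabled }
"Linked at domain: $([bool]$link); GpoStatus: $($gpo.GpoStatus) (must not be UserSettingsDisabled or AllSettingsDisabled)"
```

If the user line reads "Not configured" while the computer line reads "Enabled", the GPO has exactly the defect the answer describes: computers in scope will autoenroll for computer templates, but no user will ever receive a Lucerne Publishing EFS certificate through it.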