|Subject:||Credential Roaming + EFS - how to cleanup user certificates ?|
|Posted by:||CJespersen (firstname.lastname@example.org)|
|Date:||Mon, 5 May 2008|
We have a major issue. Thousands of EFS certificates have been issued to
various users. The problem was only found because a user got an error when
trying to copy an entry from the Global Address List to a local Contacts.
Reason being that 25 certificates existed for that user which was too much
for the copy process into the local Contacts.
Following up on this, we found that almost all users have multiple EFS
certificates, some up to 50 certs or more. The domain supports about 5.000
users, meaning that way to many certs have been issued. Now we need to clean
up and remove unnecessary certificates - at the same time we need to assure
that the configuration/setup is correct so that future use of EFS and
credential roaming works as expected.
Credential roaming is enabled and EFS is used for Offline files for all
laptops in order to encrypt all company data when used offline.
The environment is Vista clients and Windows Server 2003 SP1/SP2 AD/Servers.
The encryption works fine using EFS. In order to be able to access data on
different computers, credential roaming is used together with EFS for offline
file encryption. This means that EFS user certificates will be available on
all domain computers where the user logs in.
Now we found out that way to many EFS certificates have been deployed.
We are wondering if the EFS certificate template settings are correct.
The current EFS template is based on a copy of default V1 EFS template into
a v2 template with the following settings
- "Publish Certificate in Active Directory" is currently enabled
- "Do not automatically reenroll if a duplicate certificate exists in Active
Directory" was not enabled, but we changed it right now in order to avoid
more certificates being issued for the time being, until we found the right
solution. - so now it is enabled.
- Auto-enrollment is enabled for the users (and computers)
- Credential roaming GPO is enabled for all normal users located in a
- EFS is enabled for all laptops in specifics OU's
- Encryption of offline files is enabled together with EFS
- Folder redirection of users document directory is enabled, automatically
making them available offline.
Now I come to the questions
1) what is the correct certificate template settings when using
auto-enrollment together with EFS. Is it necessary to enable "publish to AD"
at all, when using credential roaming, as this mechanism copies certs from
one user cert store to another through AD? Various documentation and other
posts in this newsgroup indicate different settings.
2) Any suggestions on how to clean up all the EFS certs without loosing data
and without bothering the clients/users too much?
Any suggestions will be highly appreciated