RE: Credential Roaming + EFS - how to cleanup user certificates ?

Subject: RE: Credential Roaming + EFS - how to cleanup user certificates ?
Posted by:  CJespersen (asktheexperts@community.nospam)
Date: Tue, 29 Jul 2008


I just want to inform you that this seems to be a Vista design issue. I am
waiting for MS Support stating what our options are to get this to work.

kind regards

Claus Jespersen

"CJespersen" wrote:

> Hi
> We have a major issue. Thousands of EFS certificates have been issued to
> various users. The problem was only found because a user got an error when
> trying to copy an entry from the Global Address List to a local Contacts.
> Reason being that 25 certificates existed for that user which was too much
> for the copy process into the local Contacts.
> Following up on this, we found that almost all users have multiple EFS
> certificates, some up to 50 certs or more. The domain supports about 5.000
> users, meaning that way too many certs have been issued. Now we need to clean
> up and remove unnecessary certificates - at the same time we need to assure
> that the configuration/setup is correct so that future use of EFS and
> credential roaming works as expected.
> Credential roaming is enabled and EFS is used for Offline files for all
> laptops in order to encrypt all company data when used offline.
> The environment is Vista clients and Windows Server 2003 SP1/SP2  AD/Servers.
> The encryption works fine using EFS. In order to be able to access data on
> different computers, credential roaming is used together with EFS for offline
> file encryption. This means that EFS user certificates will be available on
> all domain computers where the user logs in.
> Now we found out that way too many EFS certificates have been deployed.
> We are wondering if the EFS certificate template settings are correct.
> The current EFS template is based on a copy of default V1 EFS template into
> a v2 template with the following settings
> - "Publish Certificate in Active Directory" is currently enabled
> - "Do not automatically reenroll if a duplicate certificate exists in Active
> Directory" was not enabled, but we changed it right now in order to avoid
> more certificates being issued for the time being, until we find the right
> solution, so now it is enabled.
> - Auto-enrollment is enabled for the users (and computers)
> - Credential roaming GPO is enabled for all normal users located in a
> special OU.
> - EFS is enabled for all laptops in specific OUs
> - Encryption of offline files is enabled together with EFS
> - Folder redirection of users document directory is enabled, automatically
> making them available offline.
> Now I come to the questions
> 1) What are the correct certificate template settings when using
> auto-enrollment together with EFS? Is it necessary to enable "publish to AD"
> at all, when using credential roaming, as this mechanism copies certs from
> one user cert store to another through AD? Various documentation and other
> posts in this newsgroup indicate different settings.
> 2) Any suggestions on how to clean up all the EFS certs without losing data
> and without bothering the clients/users too much?
> Any suggestions will be highly appreciated
> kind regards
> CJ

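Before removing anything, it helps to see which EFS certificates a user actually holds locally (the set credential roaming replicates) and which ones are published in the AD userCertificate attribute (the set the GAL-to-Contacts copy ran into). The PowerShell below is an added example, not code from either post; it assumes PowerShell 3 or later on a domain-joined client, uses the standard EFS EKU OID 1.3.6.1.4.1.311.10.3.4, and only reads, since deleting the certificate that encrypted a file makes that file unreadable.

```powershell
# Added example (not from the original posts): inventory EFS certificates for the
# current user, locally and as published in AD, and flag the stale ones. Read-only.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Test-EfsCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    foreach ($eku in $c.EnhancedKeyUsageList) { if ($eku.ObjectId -eq $efsEku) { return $true } }
    return $false
}

# 1. Local personal store: these are the certs credential roaming carries around.
$now   = Get-Date
$local = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { Test-EfsCert $_ })
$localReport = $local | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        NotBefore     = $_.NotBefore
        NotAfter      = $_.NotAfter
        Expired       = ($_.NotAfter -lt $now)
        HasPrivateKey = $_.HasPrivateKey   # without the key the cert cannot decrypt anything
    }
} | Sort-Object NotBefore
"Local EFS certificates: $($local.Count)"
$localReport | Format-Table -AutoSize

# 2. AD userCertificate attribute: what "Publish Certificate in Active Directory" left behind.
$searcher = [ADSISearcher]"(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('userCertificate')
$entry = $searcher.FindOne()
$published = @()
if ($entry) {
    foreach ($raw in $entry.Properties['usercertificate']) {
        $published += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
    }
}
$publishedEfs = @($published | Where-Object { Test-EfsCert $_ })
"Published in AD: $($published.Count) total, $($publishedEfs.Count) with the EFS EKU"

# 3. Cross-check: published EFS certs for which this user holds no private key here.
#    They cannot decrypt anything on this machine but still bloat the attribute,
#    so they are the first candidates to review before any cleanup.
$usableThumbs = @($localReport | Where-Object HasPrivateKey | Select-Object -ExpandProperty Thumbprint)
$orphaned = @($publishedEfs | Where-Object { $usableThumbs -notcontains $_.Thumbprint })
"Published EFS certs with no usable private key on this machine: $($orphaned.Count)"
$orphaned | Select-Object Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
```

Run it as the affected user on a machine they roam to; a large count in step 2 versus step 1 is what the original post describes, and the step 3 list is what to reconcile first.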

In response to: Credential Roaming + EFS - how to cleanup user certificates ? posted by CJespersen on Mon, 5 May 2008