How to prevent profile creation on server even when an encypted file is copied in plain text mode

Source: Microsoft Support

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

If we attempt to copy a Local Encrypted File to a Network Share of a Windows 2003 Server.

We receive the following warning message:

"The file 'file_name' cannot be copied or moved without losing its encryption.

You can choose to ignore this error and continue, or cancel.

IGNORE IGNORE ALL CANCEL

Clicking IGNORE copies the Files on the Network Share in plain text (unencrypted).

To prevent the profile creation, follow the below procedure.

Solution is to disable the Encrypting File System (EFS) on the server.

Method 1: Edit a domain-level group policy

1. In the console tree, go to the following location:
   Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System
2. Right-click Encrypting File System, and then click Properties.
3. Click to clear the Allow users to encrypt files using Encrypting File System (EFS) check box.

Essentially this Group Policy sets below registry keys and values which are checked by EFS during user operations.�

����HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\CurrentVersion\EFSValue : EfsConfiguration -> DWORD 1�

����HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\WindowsNT\CurrentVersion\EFSValue : LastGoodEfsConfiguration -> DWORD 1

Method 2: Turn off EFS for the standalone computers (non-domain joined)

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\
Value : Efsconfiguration -> DWORD 1

Please note that disabling EFS will of course not allow using file encryption on the Server where the change is made.

This is expected if the server is not Trusted for Delegation. (Does not support encryption).

This also creates the Profile on the Server for the User copying the File.

The Profile does not create anything (Like Users Private Key's of the certificate) Just an empty folder.

If the numbers of users are high in count, this will pose a problem on server consuming disk space.

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE �MATERIALS�) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.