Troubleshooting Aids
There are many registry-editing tips and tricks that can be used to customize the
Windows XP or Windows Server 2003 user interface. Unfortunately, it's impossible to
describe them all; even books dedicated to this topic usually only show the tip of the
iceberg. Some of these registry-editing techniques can be used as troubleshooting aids. In
this section, I'll describe those that may be the most helpful.
Customizing System Restore for Windows XP Workstations within Your Domain
System Restore, introduced with Windows XP, is one of the most useful features of this
operating system (OS). Unfortunately, some users tend to disable it because it consumes
a lot of free disk space (no less than 200 MB). If you are an administrator, you can
prevent users from disabling System Restore. To achieve this, simply disable the GUI
tools available on Windows XP workstations for configuring System Restore within your
Note To perform these tasks, log on as Administrator or as a user with administrative
There are two ways of performing this task. Let's consider them both.
Using Group Policy Editor to Disable System Restore
To prevent users from disabling or configuring System Restore:
1. Open the Group Policy tool MMC snap-in, focused on a specific GPO. To do so,
start the Active Directory Users and Computers MMC snap-in, right-click the
name of the domain or organizational unit (OU) of interest, and select the
Properties command from the context menu. Go to the Group Policy tab and
highlight the GPO of interest. (Note that if you haven't created any GPOs, only the
Default Domain Policy will be available.) Click the Edit button.
2. Expand the console tree Computer Configuration | Administrative Templates |
System | System Restore (Fig. 13.10).
Figure 13.10: Configuring System Restore using Group Policy Editor
3. Double-click Turn off System Restore. On the Setting tab, select Disable. After
you apply this policy, System Restore will be turned on and enforced. Click
Apply, then click OK.
4. Double-click Turn off Configuration. On the Setting tab, select Enable. (For
more information about what these settings do, click the Explain tab on the
Properties dialog box.) Click Apply, then click OK.
5. Open a command prompt and type the gpupdate command to refresh the policy.
Note Gpupdate is the command introduced with Windows XP and Windows Server 2003
for refreshing Group Policy. This command replaces the secedit /refreshpolicy
command used in Windows 2000. If you choose not to use the gpupdate command,
Group Policy will still refresh; it will just take longer. The settings described above
are only read at boot time; therefore, it is necessary to reboot.
Now, if users try to access System Restore Configuration on their Windows XP
computers within your domain environment, the System Properties dialog box is
present, but the System Restore tab is not.
Using Registry Editor to Disable System Restore
On standalone Windows XP computers or within a workgroup environment, you can
either apply the setting described above in local security policy or make the registry key
modification. As outlined in Chapter 11, applying changes via Local Security Policy is
easier and much safer. However, direct registry editing might be preferable, especially if
you have to update a large number of Windows XP workstations within a workgroup
environment. To use Registry Editor for disabling the System Restore Configuration UI
on a standalone Windows XP computer or within a workgroup environment, proceed as
1. Start Regedit.exe and expand the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT, create a
new nested key, named SystemRestore.
3. Within this key, create a new REG_DWORD value named DisableConfig, and set
this value to 1.
4. Close Regedit.exe and reboot the system.
Note You can manage settings by including the modified registry key in a script. More
information on this topic will be provided in Chapter 15.
Problems with Configuring Encrypting File System in a Mixed Environment
Encrypting File System (EFS), first introduced with Windows 2000, protects sensitive
data in files stored on NTFS-formatted disks. Only the user who encrypts a file can open
that protected file and work with it. This is especially useful for securing sensitive data on
computers shared by several users or on portable computers. For example, if someone
else obtains a lost or stolen laptop, that person will be unable to access any of the
encrypted files stored on that disk.
Windows XP and Windows Server 2003 include many improvements over the EFS
implementation in Windows 2000. You now have the option of encrypting the Offline
Files database, which could not be encrypted under Windows 2000. To encrypt offline
files, select the Folder Options command from the Tools menu in My Computer or
Windows Explorer, go to the Offline Files tab, and set the Encrypt offline files to
secure data checkbox (Fig. 13.11).
Figure 13.11: Options for encrypting the Offline Files database
Note Administrative privileges are required to configure how offline files will be
On the other hand, if EFS is not appropriate in your environment, or if you have files that
you do not want encrypted, you can use one of several options to disable EFS. There are
also numerous ways to configure EFS to meet the needs of your organization.
Unfortunately, this is where problems might arise, especially in a mixed environment.
For example, you may have Windows 2000 and Windows Server 2003 domains with
client workstations running Windows 2000 Professional. If you decide to upgrade client
workstations to Windows XP Professional and want to disable EFS, you will notice that
the public key policy, which disables Encrypting File System, has no effect on Windows
Note The same problem exists for Windows 2000 Professional clients joined to a
Windows NT domain, since the Windows NT domain administrator cannot be a
File Recovery Agent. To disable EFS on a computer running Windows 2000
Professional within a Windows NT domain, you must download Microsoft's hotfix
hotfix adds the registry key, which will be discussed later in this section. Note it is
still necessary to change the added registry value to 1 to disable EFS.
The reason for such behavior lies in the difference between the EFS models implemented
in Windows 2000 and in its successors (Windows XP and Windows Server 2003). The
new EFS model does not require a Data Recovery Agent to be present before files can be
encrypted. In Windows 2000, this requirement was mandatory - no recovery agent, no
encryption. Because of this limitation, you could prevent file encryption within an entire
domain of Windows 2000 clients. You simply had to remove the Data Recovery Agent
certificate from the public key policy and delete the recovery policy.
Windows XP Professional and Windows Server 2003 have no such limitation; they allow
data encryption regardless of the existence of a Data Recovery Agent.
Thus, if you want to disable EFS in Windows XP or Windows Server 2003, it is
necessary to use a different approach. Once again, you have several choices. For
example, on standalone systems or within a workgroup environment, you can choose one
of the following:
Apply the setting in Local Security Policy
Edit the system registry directly
For Windows XP clients joined in a Windows Server 2003 domain, the preferred method
is to use a Group Policy setting. You also could choose to manage the changes by
including the modified registry key in a script. For Windows XP workstations joined to
Windows 2000 domains, you can add the modified registry key to a security template,
and then import that template into Group Policy.
Using Group Policy to Disable EFS in Windows XP and Windows Server 2003
For a standalone Windows XP or Windows Server 2003 system, you can disable EFS
using the following procedure:
1. From the Start menu, select Programs | Administrative Tools | Local Security
2. Expand the console tree and navigate to Local Computer Policy | Computer
Configuration | Windows Settings | Security Settings | Public Key Policies.
3. Right-click the Encrypting File System folder and select the Properties
command from the right-click menu.
4. The Encrypting File System Properties window will open (Fig. 13.12). Notice
that in Windows XP or Windows Server 2003, EFS is enabled by default. To
disable it, clear the Allow users to encrypt files using the Encrypting File
System (EFS) check box. Click OK.
Figure 13.12: Disabling EFS for a standalone Windows XP or Windows Server 2003 computer through a local security policy setting
5. Open a command prompt and type gpupdate to refresh the policy.
Note Disabling EFS in a Windows Server 2003 domain environment is much like the
procedure for a standalone system. The only difference is that in a domain
environment you need to modify the EFS property page in Group Policy Object
Editor focused on a specific GPO and applied to a domain or organizational unit
Disabling EFS Using the Registry
To use the registry to disable EFS on a standalone computer running Windows 2000,
Windows XP, or Windows Server 2003:
1. Start Registry Editor (if you are dealing with Windows 2000, use Regedt32.exe),
and then open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
2. Under this key, create a new REG_DWORD value and name it EfsConfiguration.
To disable EFS, assign it a value of 1. If you need to re-enable EFS, simply
change the value to 0.
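The two registry procedures in this section (the SystemRestore\DisableConfig value and the EfsConfiguration value) follow the same pattern: a machine-wide REG_DWORD under HKEY_LOCAL_MACHINE set to 1. The following PowerShell script is an added example, not code from the book, that audits both values on the local machine and, with the -Enforce switch, applies them the way the manual steps do. The SystemRestore path and value name are taken from the text; the EFS key path is truncated in the text, so the full path used here (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS) is an assumption based on Microsoft's documented location of EfsConfiguration.

```powershell
# Added example (not from the book): audit (default) or enforce (-Enforce) the two
# machine-wide registry policy values described in this section. Run elevated.
param([switch]$Enforce)

# First entry: path and value name exactly as given in the text.
# Second entry: the text truncates the key path; this full path is an assumption
# (Microsoft's documented location of the EfsConfiguration value).
$settings = @(
    [pscustomobject]@{ Label = 'System Restore configuration UI locked'
                       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
                       Name  = 'DisableConfig' },
    [pscustomobject]@{ Label = 'EFS disabled'
                       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
                       Name  = 'EfsConfiguration' }
)

function Get-PolicyState {
    param([string]$Path, [string]$Name)
    # An auditor needs three distinct answers: never configured (key or value
    # absent), explicitly re-enabled (0), and disabled/enforced (1). A wrong value
    # type is reported separately because a REG_SZ "1" is silently ignored.
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotConfigured (key missing)' }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured (value missing)' }
    $kind = (Get-Item -LiteralPath $Path).GetValueKind($Name)
    if ($kind -ne 'DWord') { return "Misconfigured (type $kind, expected REG_DWORD)" }
    switch ($item.$Name) {
        1       { 'Disabled (value 1)' }
        0       { 'Enabled (value 0)' }
        default { "Unexpected value $($item.$Name)" }
    }
}

function Set-PolicyDisabled {
    param([string]$Path, [string]$Name)
    # Mirrors the manual steps: create the nested key if it is absent, then write the
    # REG_DWORD with value 1. Safe to rerun; -Force overwrites an existing value.
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

foreach ($s in $settings) {
    if ($Enforce) { Set-PolicyDisabled -Path $s.Path -Name $s.Name }
    [pscustomobject]@{
        Setting = $s.Label
        Key     = "$($s.Path)\$($s.Name)"
        State   = Get-PolicyState -Path $s.Path -Name $s.Name
    }
}
# As the text notes, the System Restore setting is read at boot: reboot after -Enforce.
```

Run it without parameters on a workstation to see which of the two settings is actually in effect before changing anything; an audit result of "NotConfigured" after a Group Policy deployment points to the policy not having reached that machine yet.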