Re: adding EFS recovery agents

From: Eduard Koller (ek107129@hotmail.com)
Date: 05/31/02

• Next message: Ned Flanders: "Re: How to get IIS5 functional again"
• Previous message: Michel Gallant: "Re: How to get IIS5 functional again"
• In reply to: Andrew: "adding EFS recovery agents"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Eduard Koller" <ek107129@hotmail.com>
Date: Fri, 31 May 2002 11:04:36 -0700

Is your machine Win2k, or is it XP?

 - On win2k, you already have a EFS recovery certificate for the
Administrator. You can export that certificate to a .PFX (including the
key), then to a .CER (with no key). Give the .PFX file to any user, and
after they install it, they will be able to decrypt the files.
 - On XP, you can use the command line tool cipher (with /R) to generate an
EFS recovery agent key and certificate. Then, you hand the PFX to the user
to install it, and add the contents of the .CER to the EFS recovery policy.

Please let me know if this helps.

Thanks,

Eddy Koller
Public Key Security QA Team
Microsoft Corporation

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples, if any, are subject to the terms specified
at http://www.microsoft.com/info/cpyright.htm
"Andrew" <foo@bar.com> wrote in message news:uX52NnLCCHA.1880@tkmsftngp04...
> Has anyone had any luck or know how to add an EFS recovery agent on a
> stand-alone machine. MS makes it sound easy, but doesn't go into detail
> except for a domain model. If I try to add a recovery agent the wizard
> prompts for an AD user or a cer file, but other users on the box don't
have
> this capacity in their certs.
>
> Enterprise CAs can issue this type of cert, but I think only to domain
> accounts. I would like to add accounts other than the built in admin as a
> recovery agent but I am beginning to think it is not possible on  a stand
> alone machine.
>
> Thanks for any help,
>
> Andrew
>
>

---

• Next message: Ned Flanders: "Re: How to get IIS5 functional again"
• Previous message: Michel Gallant: "Re: How to get IIS5 functional again"
• In reply to: Andrew: "adding EFS recovery agents"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: adding EFS Recovery agents ... I'm on a Win2K platform. ... You can export that certificate to a .PFX (including the ... > EFS recovery agent key and certificate. ... (microsoft.public.win2000.security) EFS and Certificates on Standalone XP Pro ... the certificate for EFS Recovery Agent. ... >run the DATA RECOVERY AGENT WIZARD and specify this new ... (microsoft.public.windowsxp.security_admin) Re: EFS and Certificates on Standalone XP Pro ... "geek" feature than an "average user" feature, ... > the certificate for EFS Recovery Agent. ... (microsoft.public.windowsxp.security_admin) Re: adding EFS Recovery agents ... Is your machine Win2k, or is it XP? ... You can export that certificate to a .PFX (including the ... EFS recovery agent key and certificate. ... > Has anyone had any luck or know how to add an EFS recovery agent on a> stand-alone machine. ... (microsoft.public.win2000.security) Re: problem with EFS Recovery agent ... i have deployed many certificates for my users and the efs recovery agnet ... of crypted data with my begening "efs recovery agent" certificate. ... unable to recover file with this certificate... ... (microsoft.public.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.security  > 2002-05