EFS Recover Agents Unable to decrypt files

From: Fuente (partagas_at_insightbb.com)
Date: 05/21/04

Date: Fri, 21 May 2004 02:25:49 GMT

> Background:
> Internal Certificate Service running in a 3 tier hierarchy: Enterprise CA,
> Subordinate CA, Exchange CA.
> Default Domain administrator and additional domain administrator have
> requested and received EFS Recovery certificates and have been set up on the
> default domain policy under Security Settings | Public Key Policies |
> Encrypted Data Recovery Agents.
>
> Created a test file on a workstation by a test account with Domain User
> rights. Encrypted the file successfully. In order to test the ability of the
> Recovery Agents I performed the process described in the "Encrypting File
> System for Windows 2000" white paper, but this does not work. From Windows
> Explorer I get the message "'Access is Denied' Error Message When
> Encrypting or Decrypting Files or Folders". I also tried going to the user's
> home directory with one of the accounts and attempted to decrypt the file,
> and this didn't work either.
>
> TechNet Article 264064 seemed to address the issue, but after applying the
> solution the problem was not resolved. (As a matter of fact, all the
> "System Volume" folders I inspected on my domain controllers have the System
> account listed, but none of the permissions were checked except in one place,
> where Full was checked on the boot partition of one domain controller.)
>
> When I use the Efsinfo.exe utility the following results are displayed for
> the file in question. (I have changed the domain name and accounts to
> generic names for privacy. The "Bob.Train" account is a test account.)
>
> NOC List.txt: Encrypted
> Users who can decrypt:
> My DOMAIN\Bob.Train (CN=Bob Train)
> Recovery Agents:
> Unknown (CN=Domain Administrator)
> Unknown (CN=Default Domain Administrator)
>
> I am concerned about the "Unknown" entries and am wondering if this is the
> root of the problem. It doesn't appear that the Recovery Accounts are
> getting the permissions necessary to perform the function.
>
> I want to make sure that I have the ability to recover encrypted files
> before implementing this across the board. I have searched many articles in
> this forum on the subject as well as Microsoft's and have yet to find a
> solution. I would like any insight anyone would have in solving this.
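The poster's stated goal is to verify, before rolling EFS out, that every encrypted file actually has a recovery agent that resolves to a real account. The script below is an added example (not the poster's code and not a Microsoft tool): it parses the text `Efsinfo.exe` prints, flags every recovery agent shown as `Unknown`, and lists encrypted files that have no resolvable agent at all. The exact output layout, including indentation, is assumed from the lines quoted above; the sample output is constructed, with the poster's record plus two made-up files for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout efsinfo prints (indentation assumed; the
# first record is the poster's output, the other two are made up for contrast).
SAMPLE_OUTPUT = """\
NOC List.txt: Encrypted
  Users who can decrypt:
    MYDOMAIN\\Bob.Train (CN=Bob Train)
  Recovery Agents:
    Unknown (CN=Domain Administrator)
    Unknown (CN=Default Domain Administrator)
Budget.xls: Encrypted
  Users who can decrypt:
    MYDOMAIN\\Alice (CN=Alice)
  Recovery Agents:
    MYDOMAIN\\Administrator (CN=Administrator)
readme.txt: Not Encrypted
"""


@dataclass
class EfsRecord:
    path: str
    encrypted: bool
    users: list = field(default_factory=list)   # (account, certificate subject)
    agents: list = field(default_factory=list)  # (account, certificate subject)


# "<path>: Encrypted" or "<path>: Not Encrypted"
HEADER = re.compile(r"^(?P<path>.+?):\s+(?P<state>Not Encrypted|Encrypted)\s*$")
# "<account> (CN=...)" under either section; the account reads "Unknown" when
# efsinfo could not map the certificate to an account
ENTRY = re.compile(r"^(?P<account>.+?)\s+\((?P<subject>CN=[^)]*)\)\s*$")


def parse_efsinfo(text):
    """Turn efsinfo output into a list of EfsRecord, one per file."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append(EfsRecord(m["path"], m["state"] == "Encrypted"))
            section = None
            continue
        if line.startswith("Users who can decrypt"):
            section = "users"
            continue
        if line.startswith("Recovery Agents"):
            section = "agents"
            continue
        m = ENTRY.match(line)
        if m and records and section:
            getattr(records[-1], section).append((m["account"], m["subject"]))
    return records


def unresolved_agents(records):
    """(path, certificate subject) for every recovery agent shown as Unknown."""
    return [(r.path, subj)
            for r in records for acct, subj in r.agents if acct == "Unknown"]


def files_without_usable_agent(records):
    """Encrypted files with no recovery agent that resolves to an account:
    the files a DRA could not recover if the owner's key were lost."""
    return [r.path for r in records
            if r.encrypted and not any(a != "Unknown" for a, _ in r.agents)]


if __name__ == "__main__":
    recs = parse_efsinfo(SAMPLE_OUTPUT)
    for path, subject in unresolved_agents(recs):
        print(f"{path}: recovery agent {subject} not resolved to an account")
    for path in files_without_usable_agent(recs):
        print(f"{path}: no usable recovery agent")
```

Run it against real output by piping `efsinfo /r /u <path>` (the switches are assumed from efsinfo's usage text; check them locally) into the script on a test share before the policy is pushed domain-wide; any file that lands in `files_without_usable_agent` is one the recovery agents cannot help with, which is precisely the condition the poster wants to catch early.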