Re: adding EFS Recovery agents

From: Andrew (foo@bar.com)
Date: 05/31/02


From: "Andrew" <foo@bar.com>
Date: Fri, 31 May 2002 15:01:18 -0500


I'm on a Win2K platform. I'll give that a shot. I kept trying to import a
key from an existing user, but I never thought of reusing the key for
multiple users.

Thanks,

Andrew

"Eduard Koller" <ek107129@hotmail.com> wrote in message
news:3cf7bbde$1@news.microsoft.com...
> Is your machine Win2k, or is it XP?
>
> - On Win2k, you already have an EFS recovery certificate for the
> Administrator. You can export that certificate to a .PFX (including the
> key), then to a .CER (with no key). Give the .PFX file to any user, and
> after they install it, they will be able to decrypt the files.
> - On XP, you can use the command line tool cipher (with /R) to generate an
> EFS recovery agent key and certificate. Then, you hand the PFX to the user
> to install it, and add the contents of the .CER to the EFS recovery policy.
>
> Please let me know if this helps.
>
> Thanks,
>
> Eddy Koller
> Public Key Security QA Team
> Microsoft Corporation
>
> --
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples, if any, are subject to the terms specified
> at http://www.microsoft.com/info/cpyright.htm
>
> "Andrew" <foo@bar.com> wrote in message news:O7H#EeMCCHA.1544@tkmsftngp02...
> > Has anyone had any luck or know how to add an EFS recovery agent on a
> > stand-alone machine. MS makes it sound easy, but doesn't go into detail
> > except for a domain model. If I try to add a recovery agent the wizard
> > prompts for an AD user or a cer file, but other users on the box don't have
> > this capacity in their certs.
> >
> > Enterprise CAs can issue this type of cert, but I think only to domain
> > accounts. I would like to add accounts other than the built in admin as a
> > recovery agent but I am beginning to think it is not possible on a stand
> > alone machine.
> >
> > Thanks for any help,
> >
> > Andrew