Re: adding EFS Recovery agents - related question
From: Andrew (foo@bar.com)
Date: 05/31/02
From: "Andrew" <foo@bar.com> Date: Fri, 31 May 2002 15:22:08 -0500
OK, I did what you said and it appears that if a user installs the PFX into
their "personal" certificate store they are now recovery agents. The only
thing I don't like about the process is that the certificate still says
administrator, and the user is not listed under the recovery agents in the
security policies.
Is this the best it can be without a domain and an Enterprise CA? I'm not
really complaining, I was just hoping for a manageable list of recovery
agents.
Thanks,
Andrew
"Eduard Koller" <ek107129@hotmail.com> wrote in message
news:3cf7bbde$1@news.microsoft.com...
> Is your machine Win2k, or is it XP?
>
> - On Win2k, you already have an EFS recovery certificate for the
> Administrator. You can export that certificate to a .PFX (including the
> key), then to a .CER (with no key). Give the .PFX file to any user, and
> after they install it, they will be able to decrypt the files.
> - On XP, you can use the command line tool cipher (with /R) to generate an
> EFS recovery agent key and certificate. Then, you hand the PFX to the user
> to install it, and add the contents of the .CER to the EFS recovery policy.
>
> Please let me know if this helps.
>
> Thanks,
>
> Eddy Koller
> Public Key Security QA Team
> Microsoft Corporation
>
> --
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples, if any, are subject to the terms specified
> at http://www.microsoft.com/info/cpyright.htm
>
> "Andrew" <foo@bar.com> wrote in message
> news:O7H#EeMCCHA.1544@tkmsftngp02...
> > Has anyone had any luck or know how to add an EFS recovery agent on a
> > stand-alone machine? MS makes it sound easy, but doesn't go into detail
> > except for a domain model. If I try to add a recovery agent the wizard
> > prompts for an AD user or a cer file, but other users on the box don't
> > have this capacity in their certs.
> >
> > Enterprise CAs can issue this type of cert, but I think only to domain
> > accounts. I would like to add accounts other than the built-in admin as a
> > recovery agent but I am beginning to think it is not possible on a
> > stand-alone machine.
> >
> > Thanks for any help,
> >
> > Andrew
> >
> >
> >
> >
>
>
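As an added example that is not part of the original thread: because a user who installs the recovery .PFX does not appear in the recovery policy, the holders of the recovery key have to be inventoried per account. The PowerShell sketch below, run in each user's session, lists certificates in that user's Personal store that carry the File Recovery enhanced key usage and reports whether the private key is present and whether the certificate matches the .CER that was added to the policy. The function name, the `-PolicyCer` parameter and the sample path are assumptions made for illustration.

```powershell
# Added example (not from the thread): inventory EFS recovery keys held by the
# current user. Assumes Windows PowerShell 3.0 or later with the Cert: provider.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Test-FileRecoveryEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $Cert.Extensions | Where-Object { $_ -is $ekuType }
    if (-not $eku) { return $false }             # no EKU extension on this certificate
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    return ($oids -contains $FileRecoveryOid)
}

function Get-EfsRecoveryKeyHolder {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [string]$PolicyCer                       # hypothetical path to the .CER in the policy
    )
    $policyThumb = $null
    if ($PolicyCer) {
        $policyThumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PolicyCer).Thumbprint
    }
    Get-ChildItem -Path $StorePath |
        Where-Object { Test-FileRecoveryEku -Cert $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Account       = "$env:COMPUTERNAME\$env:USERNAME"
                Subject       = $_.Subject       # may still read "Administrator", as the thread notes
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey # only a cert with its key can recover files
                MatchesPolicy = if ($policyThumb) { $_.Thumbprint -eq $policyThumb } else { $null }
            }
        }
}

# Example call; the .CER path is a constructed sample value.
Get-EfsRecoveryKeyHolder -PolicyCer 'C:\recovery\efs-agent.cer' | Format-Table -AutoSize
```

Collecting this output from each local account gives the list of recovery key holders that the policy snap-in does not show; an account is a working recovery agent only where `HasPrivateKey` and `MatchesPolicy` are both true.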