Re: adding EFS Recovery agents - related question

From: "Eduard Koller [MS]" <ek107129@hotmail.com>
Date: Fri, 31 May 2002 14:35:05 -0700


The EFS recovery certificate is not really user-based, but rather
machine-based. Basically, if a user has the private key, they can decrypt. If
they haven't, they can't.

If you move to WinXP or .Net servers, you can use cipher /R to get an EFS
cert issued to the current user.

Eddy Koller
Public Key Security QA Team
Microsoft Corporation

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples, if any, is subject to the terms specified
at http://www.microsoft.com/info/cpyright.htm
"Andrew" <foo@bar.com> wrote in message news:uUKd#COCCHA.2072@tkmsftngp02...
> OK, I did what you said and it appears that if a user installs the PFX
> into their "personal" certificate store they are now recovery agents. The
> only thing I don't like about the process is that the certificate still
> says administrator, and the user is not listed under the recovery agents
> in the security policies.
>
> Is this the best it can be without a domain and an Enterprise CA? I'm not
> really complaining, I was just hoping for a manageable list of recovery
> agents.
>
> Thanks,
>
> Andrew
>
> "Eduard Koller" <ek107129@hotmail.com> wrote in message news:3cf7bbde$1@news.microsoft.com...
> > Is your machine Win2k, or is it XP?
> >
> >  - On win2k, you already have an EFS recovery certificate for the
> > Administrator. You can export that certificate to a .PFX (including the
> > key), then to a .CER (with no key). Give the .PFX file to any user, and
> > after they install it, they will be able to decrypt the files.
> >  - On XP, you can use the command-line tool cipher (with /R) to generate
> > an EFS recovery agent key and certificate. Then, you hand the PFX to the
> > user to install it, and add the contents of the .CER to the EFS recovery
> > policy.
> >
> > Please let me know if this helps.
> >
> > Thanks,
> >
> > Eddy Koller
> > Public Key Security QA Team
> > Microsoft Corporation
> >
> > --
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights. Use of included script samples, if any, is subject to the terms
> > specified at http://www.microsoft.com/info/cpyright.htm
> > "Andrew" <foo@bar.com> wrote in message news:O7H#EeMCCHA.1544@tkmsftngp02...
> > > Has anyone had any luck or know how to add an EFS recovery agent on a
> > > stand-alone machine? MS makes it sound easy, but doesn't go into
> > > detail except for a domain model. If I try to add a recovery agent the
> > > wizard prompts for an AD user or a cer file, but other users on the box
> > > don't have this capacity in their certs.
> > >
> > > Enterprise CAs can issue this type of cert, but I think only to domain
> > > accounts. I would like to add accounts other than the built-in admin
> > > as a recovery agent but I am beginning to think it is not possible on
> > > a stand-alone machine.
> > >
> > > Thanks for any help,
> > >
> > > Andrew
> > >
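The stand-alone procedure the thread describes (generate a recovery agent key and certificate with cipher /R, hand the .PFX to the user who is to act as recovery agent, add the .CER to the local EFS recovery policy) as an added worked example; this is not code from any post in the thread. It assumes Windows XP or later for cipher /R and the PKI PowerShell module (Windows 8 / Server 2012 or later) for Import-PfxCertificate; the file names, the test directory and the password prompt are illustrative choices. It is run as the user who is to become the recovery agent.

```powershell
# Added example, not from the thread. Creates a stand-alone EFS Data Recovery
# Agent (DRA), imports its private key into the acting user's Personal store,
# checks the certificate is really a File Recovery cert, and shows how to
# confirm that a given encrypted file is covered by the DRA.
# Assumed paths; change to taste.
$draBase  = Join-Path $env:USERPROFILE 'efs-dra'   # cipher /R appends .cer and .pfx
$testDir  = Join-Path $env:USERPROFILE 'efs-test'  # scratch directory for a test file

# 1. Generate the DRA key pair and certificate. cipher /R prompts for a password
#    to protect the .pfx. It writes <base>.cer (public key only, this is what goes
#    into the recovery policy) and <base>.pfx (public + private key, this is what
#    only the recovery agent user should ever receive).
cipher /R:$draBase
if ($LASTEXITCODE -ne 0) { throw "cipher /R failed with exit code $LASTEXITCODE" }

# 2. Import the private key into the current user's Personal store
#    (Cert:\CurrentUser\My). Whoever holds this private key can decrypt every
#    file that was encrypted while this DRA was in the policy, so treat the .pfx
#    like a domain admin password: import it, then delete or lock it away.
$pfxPassword = Read-Host -AsSecureString 'Password used when cipher /R created the .pfx'
$dra = Import-PfxCertificate -FilePath "$draBase.pfx" `
                             -CertStoreLocation 'Cert:\CurrentUser\My' `
                             -Password $pfxPassword

# 3. Verify that what was imported carries the File Recovery EKU
#    (OID 1.3.6.1.4.1.311.10.3.4.1). A plain EFS user certificate has the
#    "Encrypting File System" EKU instead and would NOT make this user a DRA.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$eku = $dra.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # id-ce-extKeyUsage
$isDra = $null -ne $eku -and
         ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
if (-not $isDra) { throw 'Imported certificate does not carry the File Recovery EKU' }
'DRA certificate imported: Subject={0} Thumbprint={1}' -f $dra.Subject, $dra.Thumbprint

# 4. Add <base>.cer to the local recovery policy. On a stand-alone machine this
#    is done in the Local Security Policy MMC (secpol.msc): Public Key Policies >
#    Encrypting File System > right-click > Add Data Recovery Agent > Browse
#    Folders > pick the .cer. There is no built-in cmdlet for this step.
Write-Warning "Now add $draBase.cer via secpol.msc (Add Data Recovery Agent), then press Enter."
Read-Host | Out-Null

# 5. Confirm the DRA actually applies. Files encrypted BEFORE the policy change
#    are not re-keyed automatically; cipher /U rewrites existing encrypted files
#    with the current user key and current recovery agent. A file encrypted now
#    should list the new DRA under "Recovery Certificates" in cipher /C output.
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$testFile = Join-Path $testDir 'secret.txt'
Set-Content -Path $testFile -Value 'constructed test content'
cipher /E $testFile
if ($LASTEXITCODE -ne 0) { throw "cipher /E failed with exit code $LASTEXITCODE" }
cipher /C $testFile
# Optional: bring previously encrypted files under the new DRA.
# cipher /U        # updates every encrypted file on local drives
# cipher /U /N     # lists them without updating, useful for a dry run
```

The check in step 3 is the one that matters for the thread's question: importing the Administrator's recovery .pfx into another user's store does make that user able to decrypt, as the poster observed, but only because the private key now lives in that user's store; the subject name on the certificate and the list shown under the recovery policy never change, which is exactly the "still says administrator" behaviour described above. A per-user cipher /R certificate fixes the name, but the policy list is still maintained by hand in secpol.msc on a machine without a domain.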

