Re: Multiple Data Recovery Agents in EFS for Win2000

From: Steven L Umbach (n9rou_at_attbi.com)
Date: 05/03/03


Date: Sat, 03 May 2003 01:49:32 GMT


You say an NT domain. If you mean not a W2K domain then the EFS
recovery agents can only be configured on the local machine. Anyhow the file can
be decrypted by the recovery agents shown by efsinfo. However the recovery
agent needs to be logged into the computer and the recovery keys need to be
on that computer or available via a roaming profile. -- Steve

"David Elliott" <david.elliott@lifeway.com> wrote in message
news:015201c310eb$64d07d50$a501280a@phx.gbl...
> I am experimenting with using EFS on Win 2000 machines in
> an NT domain. I want to define multiple Data Recovery
> agents. efsinfo.exe (from Win2000 Resource Kit) gives me
> strange results; it lists multiple Recovery agents on the
> machine where the files are encrypted, but when I try to
> recover the data on another machine (which fails), efsinfo
> only lists one RDA.
>
> Setup is:
> ELIJAH: Win 2000 Server (SP2); where files are encrypted
> A00010072: Win 2000 Pro (SP2); data recovery workstation
>
> On Elijah, I have several Data Recovery Agents defined:
> delliot, delliot2, and administrator.
> I create and encrypt a file: delliot-file.txt, logged on
> with userid delliot
>
> efsinfo running on ELIJAH reports:
> delliot-file.txt: Encrypted
> Users who can decrypt:
> BSSB\DELLIOT (OU=EFS File Encryption Certificate,
> L=EFS, CN=DELLIOT)
> Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767
> 741A AF95 ED20 98FF
> Recovery Agents:
> Unknown (OU=EFS File Encryption Certificate, L=EFS,
> CN=DELLIOT)
> Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5
> 5D42 9AF0 DD68 2B87
> Unknown (OU=EFS File Encryption Certificate, L=EFS,
> CN=Administrator)
> Certificate thumbprint: 9118 1F00 224C 034D FB8B E80B
> 364F 0542 3CEA 5352
> Unknown (CN=delliot2, OU=ITD/EA, O=LifeWay,
> L=Nashville, S=Tennessee, C=US)
> Certificate thumbprint: 45A5 CD90 2D88 E41A 7FE8 EDEA
> 0E00 80E2 0629 B1D9
>
> -------------
> I backup the delliot-file.txt and restore it on my
> recovery workstation A00010072 logged on as delliot2, one
> of the recovery agents. delliot2 cannot open the file:
> gets "Access denied" error.
>
> efsinfo on recovery workstation A00010072 reports:
> delliot-file.txt: Encrypted
> Users who can decrypt:
> BSSB\DELLIOT (OU=EFS File Encryption Certificate,
> L=EFS, CN=DELLIOT)
> Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767
> 741A AF95 ED20 98FF
> Recovery Agents:
> BSSB\DELLIOT (OU=EFS File Encryption Certificate,
> L=EFS, CN=DELLIOT)
> Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5
> 5D42 9AF0 DD68 2B87
>
> delliot2 is no longer listed as a recovery agent! (hence
> cannot open the file).
>
> Why did the other recovery agents "go away"? It appears
> that only the first recovery agent listed by Elijah is on
> the list reported at A00010072. Is only one RDA supported?
>
> One other difference I noted: delliot-file.txt has the same
> modified date/time and size (74 bytes) on both
> machines, but size on disk is 4,096 bytes on Elijah and
> only 512 bytes on A00010072.
>
> Anybody have suggestions for making multiple DRAs work
> with WIN2000 machines in NT domain?
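The comparison David did by eye (which recovery agents listed on ELIJAH are gone from the copy on A00010072) can be automated by parsing the efsinfo reports he pasted. The following is an added example, not code from either poster or from the Resource Kit: it parses the `efsinfo /u /r` text format exactly as it appears in the post (file status line, "Users who can decrypt:", "Recovery Agents:", each entry followed by its "Certificate thumbprint:" line) and diffs the recovery-agent thumbprints between two reports. The two sample reports are the post's own output with the newsreader's line wrapping undone; the function and class names are my own.

```python
"""Parse efsinfo.exe /u /r output and diff the recovery-agent list between
two reports of the same encrypted file.

Added example. The report text below is reconstructed from the post above
(wrapped lines re-joined); thumbprints are the ones printed in the post.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class KeyHolder:
    """One entry under 'Users who can decrypt' or 'Recovery Agents'."""
    name: str             # e.g. 'BSSB\\DELLIOT' or 'Unknown'
    subject: str          # the parenthesised certificate subject
    thumbprint: str = ""  # SHA-1 thumbprint, spaces removed, upper-case


@dataclass
class EfsReport:
    filename: str
    status: str
    users: List[KeyHolder] = field(default_factory=list)
    agents: List[KeyHolder] = field(default_factory=list)


def normalize_thumbprint(raw: str) -> str:
    """'45A5 CD90 ...' and '45a5cd90...' compare equal after this."""
    return raw.replace(" ", "").upper()


def parse_efsinfo(text: str) -> EfsReport:
    """Parse one efsinfo report (format as shown in the post) into EfsReport."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fname, _, status = lines[0].rpartition(":")
    report = EfsReport(filename=fname.strip(), status=status.strip())
    section: List[KeyHolder] = report.users
    for line in lines[1:]:
        if line == "Users who can decrypt:":
            section = report.users
        elif line == "Recovery Agents:":
            section = report.agents
        elif line.startswith("Certificate thumbprint:"):
            # The thumbprint line belongs to the entry printed just before it.
            section[-1].thumbprint = normalize_thumbprint(line.split(":", 1)[1])
        else:
            name, _, subject = line.partition(" (")
            section.append(KeyHolder(name=name.strip(), subject=subject.rstrip(")")))
    return report


def common_name(holder: KeyHolder) -> str:
    """CN= from the certificate subject, falling back to the account name."""
    for part in holder.subject.split(", "):
        if part.startswith("CN="):
            return part[3:]
    return holder.name


def dropped_recovery_agents(source: EfsReport, target: EfsReport) -> List[KeyHolder]:
    """Recovery agents on `source` whose thumbprint is absent from `target`."""
    present = {a.thumbprint for a in target.agents}
    return [a for a in source.agents if a.thumbprint not in present]


def can_recover(report: EfsReport, thumbprint: str) -> bool:
    """True if a DRA certificate with this thumbprint is on the file's list.

    Necessary but not sufficient: as Steve notes, the matching private key
    must also be available on the machine doing the recovery.
    """
    return normalize_thumbprint(thumbprint) in {a.thumbprint for a in report.agents}


# Constructed from the efsinfo output David posted for ELIJAH.
ELIJAH_REPORT = """\
delliot-file.txt: Encrypted
Users who can decrypt:
BSSB\\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767 741A AF95 ED20 98FF
Recovery Agents:
Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5 5D42 9AF0 DD68 2B87
Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
Certificate thumbprint: 9118 1F00 224C 034D FB8B E80B 364F 0542 3CEA 5352
Unknown (CN=delliot2, OU=ITD/EA, O=LifeWay, L=Nashville, S=Tennessee, C=US)
Certificate thumbprint: 45A5 CD90 2D88 E41A 7FE8 EDEA 0E00 80E2 0629 B1D9
"""

# Constructed from the efsinfo output David posted for A00010072.
A00010072_REPORT = """\
delliot-file.txt: Encrypted
Users who can decrypt:
BSSB\\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767 741A AF95 ED20 98FF
Recovery Agents:
BSSB\\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5 5D42 9AF0 DD68 2B87
"""

if __name__ == "__main__":
    src, dst = parse_efsinfo(ELIJAH_REPORT), parse_efsinfo(A00010072_REPORT)
    for agent in dropped_recovery_agents(src, dst):
        print(f"DRA missing on target: {common_name(agent)} ({agent.thumbprint})")
```

Run against the two pasted reports, it prints the Administrator and delliot2 agents as missing on the workstation, which is the symptom the post describes. The `can_recover` check is deliberately only half the story: a thumbprint on the recovery list tells you the file's recovery field was written for that certificate, not that the recovery private key is installed on the machine where the attempt is made.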


