Re: Multiple Data Recovery Agents in EFS for Win2000

From: David Elliott (david.elliott_at_lifeway.com)
Date: 05/05/03


Date: Mon, 5 May 2003 05:11:28 -0700


Thanks for responding.

I have the recovery agents and keys defined on each local
machine. Any idea why efsinfo gives different results for
same file on two different machines?

>-----Original Message-----
> You say an NT domain. If you mean not a W2K domain then the efs
>recovery agents can only be configured on local machine. Anyhow the file can
>be decrypted by the recovery agents shown by efsinfo. However the recovery
>agent needs to be logged into the computer and the recovery keys need to be
>on that computer or available via a roaming profile. -- Steve
>
>"David Elliott" <david.elliott@lifeway.com> wrote in message
>news:015201c310eb$64d07d50$a501280a@phx.gbl...
>> I am experimenting with using EFS on Win 2000 machines in
>> an NT domain. I want to define multiple Data Recovery
>> agents. efsinfo.exe (from Win2000 Resource Kit) gives me
>> strange results; it lists multiple Recovery agents on the
>> machine where the files are encrypted, but when I try to
>> recover the data on another machine (which fails), efsinfo
>> only lists one RDA.
>>
>> Setup is:
>> ELIJAH: Win 2000 Server (SP2); where files are encrypted
>> A00010072: Win 2000 Pro (SP2); data recovery workstation
>>
>> On Elijah, I have several Data Recovery Agents defined:
>> delliot, delliot2, and administrator.
>> I create and encrypt a file: delliot-file.txt logged on
>> with userid: delliot
>>
>> efsinfo running on ELIJAH reports:
>> delliot-file.txt: Encrypted
>> Users who can decrypt:
>> BSSB\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
>> Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767 741A AF95 ED20 98FF
>> Recovery Agents:
>> Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
>> Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5 5D42 9AF0 DD68 2B87
>> Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
>> Certificate thumbprint: 9118 1F00 224C 034D FB8B E80B 364F 0542 3CEA 5352
>> Unknown (CN=delliot2, OU=ITD/EA, O=LifeWay, L=Nashville, S=Tennessee, C=US)
>> Certificate thumbprint: 45A5 CD90 2D88 E41A 7FE8 EDEA 0E00 80E2 0629 B1D9
>>
>> -------------
>> I back up the delliot-file.txt and restore it on my
>> recovery workstation A00010072 logged on as delliot2, one
>> of the recovery agents. delliot2 cannot open the file:
>> gets "Access denied" error.
>>
>> efsinfo on recovery workstation A00010072 reports:
>> delliot-file.txt: Encrypted
>> Users who can decrypt:
>> BSSB\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
>> Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767 741A AF95 ED20 98FF
>> Recovery Agents:
>> BSSB\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
>> Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5 5D42 9AF0 DD68 2B87
>>
>> delliot2 is no longer listed as a recovery agent! (hence
>> cannot open the file).
>>
>> Why did the other recovery agents "go away"? It appears
>> that only the first recovery agent listed by Elijah is on
>> the list reported at A0010072. Is only one RDA supported?
>>
>> One other difference I noted: delliot-file.txt has same
>> modified date/time and Size (74 bytes) on both
>> machines, but size on disk is 4,096 bytes on Elijah, but
>> only 512 bytes on A0010072.
>>
>> Anybody have suggestions for making multiple DRAs work
>> with WIN2000 machines in NT domain?

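An added check, not part of the thread or of any Microsoft tool: it parses two efsinfo reports for the same file and lists, by certificate thumbprint, every recovery agent present on the source machine but absent after restore, which is the symptom described above. The parser assumes only the line shapes visible in the quoted output (entry lines of the form "<display> (<subject>)" followed by a "Certificate thumbprint:" line); the sample reports are transcribed from the thread.

```python
import re

# efsinfo lists "<display> (<cert subject>)" then "Certificate thumbprint: <hex>".
ENTRY_RE = re.compile(r"^(?P<display>.+?)\s*\((?P<subject>.+)\)$")
THUMB_RE = re.compile(r"^Certificate thumbprint:\s*(?P<hex>[0-9A-Fa-f ]+)$")

def parse_efsinfo(text):
    # Returns {"file": name, "users": [...], "agents": [...]}; each entry is a
    # (display, subject, thumbprint) tuple with the thumbprint normalised.
    report = {"file": None, "users": [], "agents": []}
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if report["file"] is None and line.endswith(": Encrypted"):
            report["file"] = line[: -len(": Encrypted")]
        elif line in ("Users who can decrypt:", "Recovery Agents:"):
            section = "users" if line.startswith("Users") else "agents"
        elif (m := THUMB_RE.match(line)) and pending and section:
            report[section].append((*pending, m["hex"].replace(" ", "").upper()))
            pending = None
        elif (m := ENTRY_RE.match(line)) and section:
            pending = (m["display"], m["subject"])
    return report

def missing_agents(source, restored):
    # Compare recovery agents by thumbprint, not display name: the thread shows
    # "Unknown" on ELIJAH and "BSSB\DELLIOT" on A00010072 for the same certificate.
    have = {thumb for _, _, thumb in restored["agents"]}
    return [e for e in source["agents"] if e[2] not in have]

# Constructed samples, transcribed from the efsinfo output quoted in the thread.
ELIJAH = r"""delliot-file.txt: Encrypted
Users who can decrypt:
    BSSB\DELLIOT (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
    Certificate thumbprint: 6401 C9C3 0B23 56DB 57CD 4767 741A AF95 ED20 98FF
Recovery Agents:
    Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=DELLIOT)
    Certificate thumbprint: D07B 6092 1AF3 7962 1052 DDB5 5D42 9AF0 DD68 2B87
    Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
    Certificate thumbprint: 9118 1F00 224C 034D FB8B E80B 364F 0542 3CEA 5352
    Unknown (CN=delliot2, OU=ITD/EA, O=LifeWay, L=Nashville, S=Tennessee, C=US)
    Certificate thumbprint: 45A5 CD90 2D88 E41A 7FE8 EDEA 0E00 80E2 0629 B1D9
"""
# On A00010072 the same file shows only the first agent, with its name resolved.
A00010072 = "\n".join(ELIJAH.splitlines()[:7]).replace("Unknown", r"BSSB\DELLIOT")

if __name__ == "__main__":
    for display, subject, thumb in missing_agents(parse_efsinfo(ELIJAH), parse_efsinfo(A00010072)):
        print(f"DRA missing after restore: {display} ({subject}) {thumb}")
```

Running it reports the Administrator and delliot2 agents as missing, which matches the "Access denied" seen when delliot2 tries to open the restored file.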

