Re: EFS Recovery Agent

From: Steven Bellamy (nospam_at_nospam.com)
Date: 02/23/04


Date: Mon, 23 Feb 2004 08:28:11 -0000

Hi,

Thanks for all the feedback, guys.
I managed to resolve the problem.
I was encrypting the files on a WinXP SP1 workstation, and trying to decrypt
on our W2K Adv Server.
The following KB article helped resolve the problem: by setting XP to
encrypt data using the DESX algorithm (instead of the default AES_256
algorithm, which is understood by XP SP1 or later), I was able to remove the
encryption on the encrypted files using an RA.
 http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

Thanks once again!

"Steven Bellamy" <nospam@nospam.com> wrote in message
news:el%23eTt89DHA.4080@tk2msftngp13.phx.gbl...
> Hi,
>
> I am having a problem trying to decrypt information using a Recovery
> Agent.
>
> We're running a W2K Adv Server SP3 in mixed mode.
>
> I have set up EFS using a GPO for the domain. I have specified 3 user
> accounts to be Recovery Agents for the domain, all of which are part of
> the admin group.
> I used the Wizard to add or create the RAs; I did not import any
> certificates.
>
> When I use efsinfo /u /r on an encrypted file, I get the following info.
>
> test.txt: Encrypted
> Users who can decrypt:
> ABCDOMAIN\user (user(user@abcdomain.com))
> Recovery Agents:
> Unknown (RA1(ra1@abcdomain.com))
> Unknown (RA2(ra2@abcdomain.com))
> Unknown (RA3(ra3@abcdomain.com))
>
> Does anyone know why the RA's have a domain of Unknown?
> Is this possibly why I can't decrypt a file on a PC that has a recovery
> agent certificate installed?
>
> Thanks for your help!
>
>