Re: How to add EFS data recovery agents on Windows 2000 workgroup server

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 05/10/04

  • Next message: Chris Erskine: "indexing and encrypted folders"

Date: Mon, 10 May 2004 03:26:31 GMT

    I have tried using that procedure and had to reboot before the new RA would
    work, and you may need to follow the instructions on deleting the current RA
    from the Local Security Policy. My experience with using regsvr32
    sclgntfy.dll to regenerate a Recovery Agent in W2K is that it will only work
    on the built-in administrator account even if you log on as a different user
    to try it. I found that if I first export the original RA certificate and private
    key to a .pfx file [selecting delete private key during export] and
    then delete the certificate from the personal certificate store, I can then
    generate the new RA for administrator and it is automatically added to Local
    Security Policy as RA [reboot may be needed]. Then I could go back and
    import the original certificate/private key from the .pfx file. After that I
    could export the certificate only to a .cer file and also add it to the
    Local Security Policy as an RA via "add" and select the folder where the
    certificate was exported to. Then there would be two RA certificates, but
    both for the built-in administrator account.

    Personally I would rather install the Certificate Authority on your server
    and use it to generate RA certificates, as it is really not hard to do, or
    experiment with an RA certificate generated on an XP Pro box using the
    cipher /r command as Drew Cooper suggested. --- Steve

    "Klaus" <kdpdel@telus.net> wrote in message
    news:93de0f5c.0405091706.27ebac84@posting.google.com...
    > Steve, sorry to respond late (I was away for a while). I tried to
    > re-register the RA using http://support.microsoft.com/?kbid=257705 but
    > it did not work for me as outlined.
    >
    > Had no problem following the instructions, but after I
    > completed all the steps and logged on with the new recovery agent I
    > noticed that I no longer could encrypt files (got message "there is no
    > valid encryption recovery policy configured for this system").
    >
    > When I checked the server's local security settings, there was no
    > Recovery Agent defined under folders Public Key Policies > Encrypted
    > File System.
    >
    > I even tried to log on with the original RA (administrator) to see if
    > this would recreate the original recovery agent, but no luck either.
    >
    > Any quick idea, or should I lean toward going with Windows 2003, which
    > seems to have more EFS options/flexibility?
    >
    >
    >
    >
    > "Steven L Umbach" <sumbach@N0spam.ameritech.net> wrote in message
    > news:<uHD1FfJKEHA.4032@TK2MSFTNGP10.phx.gbl>...
    > > I know you can replace the existing RA, but I don't think you can add
    > > another one without a Certificate Authority, which is why you are having
    > > the difficulty you are. W2K server has the capability to become a CA in
    > > add/remove windows components. You might try adding another one as
    > > described in how to replace an existing one in the KB link, but I would be
    > > very careful and use efsinfo to view the results. --- Steve
    > >
    > > http://support.microsoft.com/?kbid=257705
    > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243026 --- efsinfo.
    > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- anyone
    > > using EFS should read this.
    > >
    > > "Klaus" <kdpdel@telus.net> wrote in message
    > > news:93de0f5c.0404220913.afbefbb@posting.google.com...
    > > > Looking for information to add a 2nd EFS recovery agent
    > > > (non-administrator account) to a Windows 2000 standalone server.
    > > >
    > > > Having trouble creating a valid .cer file in Windows 2000, which is
    > > > required when running the W2K recovery agent wizard via the MMC Local
    > > > group policy interface (local computer policy > windows settings >
    > > > security settings > public key policies > encrypted data recovery
    > > > agent).
    > > >
    > > > Is there an equivalent "cipher /r" (used in windows 2003) command that
    > > > I can use in Windows 2000 to create a .cer file?
    > > >
    > > > Using the MMC Certificate snap-in (certificate - current user >
    > > > personal > certificates) to export a certificate to a .cer file, while
    > > > logged into the server with the account to be used for the 2nd recovery agent
    > > > user, did not produce a .cer file that was accepted.
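The thread turns on one detail that Klaus's original attempt missed: the recovery agent wizard only accepts a certificate whose Enhanced Key Usage is "File Recovery" (OID 1.3.6.1.4.1.311.10.3.4.1). A user's own EFS certificate exported from Certificates > Personal carries the "Encrypting File System" EKU (1.3.6.1.4.1.311.10.3.4) instead, so its .cer is rejected. The PowerShell below is an added example, not code from any of the posters; it generates a second DRA key pair with cipher /r (available on XP Pro and later, not on W2K, which is why Steve points at an XP box) and then checks the EKU of the resulting .cer before you add it in Local Security Policy. The base name dra2 and the file paths are assumptions.

```powershell
# Added example (not from the thread): create a data recovery agent certificate
# with cipher /r and verify it is really a File Recovery certificate before it
# is added under Public Key Policies > Encrypting File System.
# cipher /r exists on XP Pro / Server 2003 and later; on W2K the cert must come
# from another box or from a Certificate Authority, as the thread discusses.
param(
    [string]$Name = "dra2"   # assumed base name; cipher writes dra2.cer and dra2.pfx
)

$efsEku      = "1.3.6.1.4.1.311.10.3.4"    # Encrypting File System: an ordinary user EFS cert
$recoveryEku = "1.3.6.1.4.1.311.10.3.4.1"  # File Recovery: what the Add Recovery Agent wizard requires

# 1. Generate the self-signed recovery certificate plus private key.
#    cipher prompts twice for the password that protects the .pfx.
if (-not (Test-Path "$Name.cer")) {
    & cipher.exe /r:$Name
    if ($LASTEXITCODE -ne 0) { throw "cipher /r:$Name failed" }
}

# 2. Read the .cer and report whether it carries the File Recovery EKU.
function Test-RecoveryCert {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsRecovery = ($ekus -contains $recoveryEku)
        IsUserEfs  = ($ekus -contains $efsEku) -and -not ($ekus -contains $recoveryEku)
    }
}

$info = Test-RecoveryCert -Path "$Name.cer"
$info | Format-List
if ($info.IsUserEfs) {
    throw "$Name.cer is a user EFS certificate, not a recovery certificate; the DRA wizard will reject it"
}
if (-not $info.IsRecovery) {
    throw "$Name.cer has no File Recovery EKU; do not add it as a recovery agent"
}

# 3. Only the .cer belongs on the server. The .pfx is the recovery private key:
#    move it to removable media kept offline and delete the local copy.
Write-Host "Next: secpol.msc > Public Key Policies > Encrypting File System > Add Data Recovery Agent, browse to $Name.cer"
Write-Host "Then run 'cipher /u' so files encrypted before the change get a DRF entry for the new agent"
Write-Host "Check the result with 'efsinfo /r <file>' on W2K/XP, or 'cipher /c <file>' on current Windows"
```

The point of the check is that a certificate can be perfectly valid and still be the wrong kind; the wizard's "not accepted" error gives no hint which EKU it was looking for. A recovery agent added to policy only covers files encrypted (or touched by cipher /u) after the policy change, so verifying an existing file with efsinfo /r, as Steve advises, is the final confirmation that the new agent is actually in the file's recovery field.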

