Re: Cannot get EFS recovery agent function to work!

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 03/22/05


Date: Tue, 22 Mar 2005 10:49:05 -0600

Yes, the thumbprints need to match for either the user or the Recovery Agent. If
you have a stand-alone computer and the RA is the built-in Administrator
account [which it would be by default], then log on as that account and try to
decrypt the files. The utility efsinfo can display information on the
recovery agent. You can use the Certificates MMC snap-in for the user to view
certificate information, and the certificate will need to show that it has
the matching private key for the certificate. If you reinstalled the
operating system [other than an upgrade install] at some point, the original
user and RA certificate/private key would have been destroyed. The EFS
certificate and private key for a user/RA are stored in the user's/RA's
profile folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best
practices

"kgstrong" <kgstrong@hotmail.com> wrote in message
news:OnbX28sLFHA.2988@TK2MSFTNGP14.phx.gbl...
>
> I'm new to Windows 2000, running Win2k Pro on a stand-alone machine. I
> encrypted some files before I knew anything about EFS - now a program that
> uses some of the files cannot access them. The files were encrypted under
> my "power user" account. The certificate that Win2k used to encrypt them
> is enabled for "All Purposes" including Encrypted File System, and File
> Recovery. As Administrator, I cannot import this certificate for the
> Recovery Agent - says it is not enabled for file recovery.
>
> My Recovery Agent certificate (issued by Administrator to Administrator)
> has a different thumbprint and is for File Recovery only.
>
> Does EFS recovery agent's certificate thumbprint have to match the
> certificate the files were encrypted with in order to recover these files?
>
> Ken
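The check Steve describes (compare the thumbprints that can decrypt the file against the EFS and File Recovery certificates actually present, and confirm the private key is there) can be scripted instead of read off efsinfo and the Certificates snap-in. The script below is an added example, not code from either poster, and it assumes a Windows XP or later box with PowerShell, since cipher.exe /c and the Cert: drive are not available on a stock Windows 2000 install; the file path is a placeholder.

```powershell
# Added example (not from the original thread): list the EFS user and File
# Recovery certificates in the current user's personal store, show whether
# the matching private key is present, then ask cipher /c which thumbprints
# are allowed to decrypt a given file. Assumes XP or later; path is a placeholder.

$efsOid = '1.3.6.1.4.1.311.10.3.4'    # Enhanced Key Usage: Encrypting File System
$raOid  = '1.3.6.1.4.1.311.10.3.4.1'  # Enhanced Key Usage: File Recovery

# Every EFS-relevant certificate in CurrentUser\My, one row each.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    if ($ekus -contains $efsOid -or $ekus -contains $raOid) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # False means the key was lost (e.g. OS reinstall)
            Role          = if ($ekus -contains $raOid) { 'Recovery Agent' } else { 'EFS user' }
            NotAfter      = $cert.NotAfter
        }
    }
}

$efsCerts | Format-Table -AutoSize

# cipher /c prints the users and recovery agents whose certificates can decrypt
# the file, each with its certificate thumbprint. A thumbprint it lists is only
# usable from this account if the table above shows the same thumbprint with
# HasPrivateKey = True.
$file = 'C:\Data\secret.txt'   # placeholder path (assumption)
cipher /c $file
```

Run it in the account that encrypted the files and again in the recovery agent's account; if cipher lists a thumbprint that appears in neither account's table with a private key, the files cannot be recovered on that machine, which is the reinstall case Steve mentions.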


