EFS - setting up Recovery Agent

From: barabba (barabba72_at_hotmail.com)
Date: 03/28/05


Date: 28 Mar 2005 09:52:30 -0800

Hi all,

I have another question re the EFS Recovery Agent.

I need to use EFS in a specific server that belongs to a Windows 2k
domain. This domain (which uses a PKI - users log on to their XP
stations using smart cards) has an EFS policy using the default domain
administrator (Administrator).

Unfortunately, when I tried as a test to encrypt a file, the system
refuses to do so. Upon investigating, I found out that the
Administrator certificate for EFS purposes has already expired.

My questions at this point are:

1- can I define a local EFS policy for that particular server, using
the cipher.exe utility, allowing me to bypass the domain policy?

2- how should I proceed in order to renew the expired certificate in
order to "repair" the domain wide EFS policy? In my opinion, I should
proceed as follows, but I would like a confirmation from someone who is
more knowledgeable about this issue:

a- setup in AD a domain account to be designated as Recovery Agent (or
use an existing one)
b- logon to a workstation using this account
c- create recovery key pair using cipher /r
d- import the certificate into the account's personal store (should I
select the .cer file or the .pfx file?)
e- add the recovery agent in the domain EFS policy

Thank you very much for your time!
Bar
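
Steps c and d of the procedure in the post above, as an added PowerShell example that is not from the original post or from Microsoft: it runs cipher /r to create the recovery key pair, then checks the generated certificate's validity period and its File Recovery EKU before the .cer file is added to the EFS policy. The output directory and base name are assumptions.

```powershell
# Added example (not from the original post): create a new EFS Data Recovery Agent
# key pair with cipher.exe /r and verify the certificate before adding it to policy.
param(
    # Base name passed to cipher /r; it writes <BaseName>.cer and <BaseName>.pfx
    # (the path is an assumption, use whatever location suits your environment)
    [string]$BaseName = 'C:\DRA\efs-recovery-agent'
)

$cerPath = "$BaseName.cer"   # public certificate: this is what goes into the EFS policy
$pfxPath = "$BaseName.pfx"   # certificate + private key: keep offline, never in the policy

# cipher /r prompts for a password that protects the private key in the .pfx file
New-Item -ItemType Directory -Force -Path (Split-Path $BaseName) | Out-Null
& cipher.exe /r:$BaseName
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

# Load the public certificate (no private key, so no password is needed)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# The File Recovery EKU (OID 1.3.6.1.4.1.311.10.3.4.1) is what makes a certificate
# usable as a recovery agent; without it the policy editor will reject the .cer file
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })

# An expired recovery agent certificate is exactly the failure described in the post:
# EFS refuses to encrypt new files, so check the remaining lifetime explicitly
$daysLeft = ($cert.NotAfter - (Get-Date)).Days

"Subject                  : $($cert.Subject)"
"Thumbprint               : $($cert.Thumbprint)"
"Valid until              : $($cert.NotAfter) ($daysLeft days left)"
"File Recovery EKU present: $([bool]$hasFileRecovery)"

if (-not $hasFileRecovery) { throw "Certificate lacks the File Recovery EKU; not usable as a recovery agent" }
if ($daysLeft -le 0)       { throw "Certificate is already expired" }

"Add $cerPath as the Data Recovery Agent under Public Key Policies > Encrypting File System in the domain policy; store $pfxPath off the network."
```

The .cer file (public key only) is what the policy needs; the .pfx file holds the private key and is only imported into the recovery agent's personal store on the machine used to actually recover files.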
