Re: EFS - setting up Recovery Agent

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/29/05

    Date: Tue, 29 Mar 2005 00:49:39 -0700


    Your situation is a little unusual, so I hope D Cross picks up
    your posting. As I replied to your prior thread, the reference
    for EFS is
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    although this is W2k3 specific now.

    One thing I do not understand is how the DRA EFS cert is
    expired as the default is to create it to be valid for 100 years.

    On your 2), that would be how to get things working, but I am
    concerned that this would invalidate recovery of earlier encrypted
    files (such as on backups) until they are re-encrypted/touched by
    their owners.

    -- 
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "barabba" <barabba72@hotmail.com> wrote in message
    news:8ec33ba5.0503280952.3b81cff7@posting.google.com...
    > Hi all,
    >
    > I have another question re the EFS Recovery Agent.
    >
    > I need to use EFS in a specific server that belongs to a Windows 2k
    > domain. This domain (which uses a PKI - users logon to their XP
    > stations using smart cards) has an EFS policy using the default domain
    > administrator (Administrator).
    >
    > Unfortunately, when I tried as a test to encrypt a file the system
    > refuses to do so. Upon investigating, I found out that the
    > Administrator certificate for EFS purposes has already expired.
    >
    > My questions at this point are:
    >
    > 1- can I define a local EFS policy for that particular server, using
    > cipher.exe utility allowing me to bypass the domain policy ?
    >
    > 2- how should I proceed in order to renew the expired certificate in
    > order to "repair" the domain wide EFS policy ? In my opinion, I should
    > proceed as follows but I would like a confirmation from someone who is
    > more knowledgeable about this issue:
    >
    > a- setup in AD a domain account to be designated as Recovery Agent (or
    > use an existing one)
    > b- logon to a workstation using this account
    > c- create recovery key pair using cipher /r
    > d- import the certificate into the account's personal store (should I
    > select the .cer file or the pfx file ?)
    > e- add the recovery agent in the domain EFS policy
    >
    > Thank you very much for your time !
    > Bar
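The steps a-e quoted above, carried through as an added PowerShell example (not code from the thread or from either poster). It assumes a current Windows with the PKI module for Import-PfxCertificate; the key-file base name and working folder are placeholders. Step e has no command-line equivalent, so the block only describes where it is done, and the closing cipher /u addresses Roger's point about files encrypted under the old agent.

```powershell
# Added example, not from the thread: set up a new EFS Data Recovery Agent (DRA)
# following steps a-e, run as the account chosen in step a.
# Assumptions: a modern Windows with the PKI module (Import-PfxCertificate);
# $draName and $workDir are placeholders.

$draName = "EFS-DRA"                                    # hypothetical base name
$workDir = Join-Path $env:USERPROFILE "efs-dra-keys"    # hypothetical folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Push-Location $workDir

# Step c: cipher /r:<name> writes <name>.cer (public certificate, the file the
# policy needs) and <name>.pfx (certificate plus private key, protected by a
# password it prompts for). It does not touch any certificate store.
cipher.exe "/r:$draName"
if (-not (Test-Path "$draName.pfx")) { throw "cipher /r did not write $draName.pfx" }

# Step d: the account that will recover files needs the PRIVATE key, so the
# .pfx (not the .cer) goes into its Personal store.
$pfxPassword = Read-Host -Prompt "PFX password chosen above" -AsSecureString
$cert = Import-PfxCertificate -FilePath (Join-Path $workDir "$draName.pfx") `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Checks worth doing before the certificate goes into any policy: it must carry
# the File Recovery EKU, have its private key present, and be far from expiry
# (cipher /r issues a self-signed certificate with the long lifetime Roger
# mentions, so an early NotAfter here means the wrong certificate was picked).
$fileRecoveryEku = "1.3.6.1.4.1.311.10.3.4.1"
$ok = $cert.HasPrivateKey -and
      ($cert.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryEku) -and
      ($cert.NotAfter -gt (Get-Date).AddYears(1))
if (-not $ok) { throw "DRA certificate failed sanity checks: $($cert.Subject)" }
"DRA certificate ready: thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Step e is done in the policy editor, not from the shell: in gpmc.msc (domain)
# or secpol.msc (local) open Computer Configuration > Windows Settings >
# Security Settings > Public Key Policies > Encrypting File System, choose
# "Add Data Recovery Agent" and browse to $draName.cer. Domain GPO settings
# take precedence over local policy, so a local-only DRA does not bypass the
# domain policy; the domain policy itself has to be repaired.

# After the policy has applied, refresh the recovery field on files that were
# encrypted under the old DRA. Files on older backups are untouched by this,
# so keep the old DRA's private key archived for as long as those backups matter.
cipher.exe /u
Pop-Location
```

The .cer file is what goes into the policy; the .pfx holds the private key and should be stored offline once imported, since anyone holding it can decrypt every file the policy covers.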
    
