Re: EFS - setting up Recovery Agent
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: Tue, 29 Mar 2005 00:49:39 -0700
Your situation is a little unusual, so I hope D Cross picks up
your posting. As I replied to your prior thread, the reference
for EFS is
although this is W2k3 specific now.
One thing I do not understand is how the DRA EFS cert is
expired as the default is to create it to be valid for 100 years.
On your 2), that would be how to get things working, but I am
concerned that this would invalidate recovery of earlier encrypted
files (such as on backups) until they are re-encryped/touched by
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "barabba" <email@example.com> wrote in message news:firstname.lastname@example.org... > Hi all, > > I have another question re the EFS Recovery Agent. > > I need to use EFS in a specific server that belongs to a Windows 2k > domain. This domain (which uses a PKI - users logon to their XP > stations using smart cards)has an EFS policy using the default domain > administrator (Administrator). > > Unfortunately, when I tried as a test to encrypt a file the system > denies to do so. Upon investigating, I found out that the > Administrator certificate for EFS purposes has already expired. > > My questions at this point are: > > 1- can I define a local EFS policy for that particular server, using > cipher.exe utility allowing me to bypass the domain policy ? > > 2- how should I proceed in order to renew the expired certificate in > order to "repair" the domain wide EFS policy ? In my opinion, I should > proceed as follows but I would like a confirmation from someone how is > more knowlegeable about this issue: > > a- setup in AD a domain account to be designated as Recovery Agent (or > use an existing one) > b- logon to a workstation using this account > c- create recovery key pair using cypher /r > d- import the certificate into the account's personal store (should I > select the .cer file or the pfx file ?) > e- add the recovery agent in the domain EFS policy > > Thank you very much for your time ! > Bar