Re: Expired Recovery Agent EFS Cert



Once you add the new certificate to the Group Policy where the EFS RA is
specified then the users on the computers should be able to use EFS again
once their Group Policy refreshes to show a valid certificate. You can run
gpupdate on the XP pro computers to speed up the propagation of Group Policy
otherwise it should take approximately 90 minutes for computers already
online. You can run rsop.msc on an XP Pro computer to see if the change has
propagated. Be sure to export a copy of the new RA certificate AND private
key to a password protected .pfx file on external media for
safekeeping. --- Steve


"Jeffrey" <noemail@xxxxxxxxx> wrote in message
news:uUGhhf0%23FHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
>
> I am on a Windows 2000 domain where the Administrator account is set as
> the Recovery Agent at the domain level policy. The certificate recently
> expired for that account and some XP machines can no longer encrypt files
> or folders. When doing so they receive this error:
>
> "Recovery policy configured for this system contains invalid recovery
> certificate."
>
> I have done some looking, but I am still a little foggy on what steps I
> need to do to replace that certificate with a current one. It looks like
> I can run cipher /r to generate a recovery cert on an XP machine, import
> it into the Administrator's account using the Certificates MMC and then
> re-add Administrator to the policy as a recovery agent. After that it
> appears I can run cipher /u to update on the client machine to update it
> with the new info. Is that correct? Any steps or details I am leaving
> out?
>
> Thanks!
> Jeffrey
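
The replacement procedure discussed in this thread, written out as an added example that is not part of either poster's message. It assumes PowerShell is available (the `cipher` and `gpupdate` lines are typed the same way in cmd.exe); the file name `efs-ra` is a placeholder.

```powershell
# Added example. The base file name "efs-ra" is an assumption.

# --- Admin workstation: create and sanity-check the new recovery certificate ---
# Writes efs-ra.CER (public certificate) and efs-ra.PFX (certificate plus
# private key; cipher prompts for the password that protects it).
cipher /r:efs-ra

# .NET resolves relative paths against the process directory, so pass a full path.
$path = (Resolve-Path .\efs-ra.cer).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# A recovery agent certificate must carry the EFS File Recovery EKU.
$fileRecovery = '1.3.6.1.4.1.311.10.3.4.1'
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Catch the failure mode from this thread (an invalid or expired certificate)
# before the certificate goes into Group Policy.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate not currently valid: $($cert.NotBefore) to $($cert.NotAfter)"
}
if ($ekuOids -notcontains $fileRecovery) {
    throw "Certificate lacks the File Recovery EKU ($fileRecovery)"
}

# Note the thumbprint and expiry date so the next renewal is not a surprise.
"{0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Manual steps at this point:
#   1. Add efs-ra.cer as the recovery agent in the Group Policy that defines
#      the EFS recovery policy.
#   2. Move efs-ra.pfx to password-protected external media and delete the
#      working copy.

# --- Each XP Pro client, after the policy has been changed ---
gpupdate /force   # refresh now instead of waiting roughly 90 minutes
cipher /u         # update existing encrypted files with the current recovery agent key
```

After `gpupdate`, rsop.msc on the client shows whether the new recovery policy has arrived.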

