Re: Expired Recovery Agent EFS Cert



And after doing this, hope that you do not need to recover
a file that has not been touched since the change.

I believe that what happened here is not supposed to occur.


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:26SdnVLSsPI9XgreRVn-iQ@xxxxxxxxxxxxxx
> Once you add the new certificate to the Group Policy where the EFS RA is
> specified then the users on the computers should be able to use EFS again
> once their Group Policy refreshes to show a valid certificate. You can run
> gpupdate on the XP Pro computers to speed up the propagation of Group
> Policy otherwise it should take approximately 90 minutes for computers
> already online. You can run rsop.msc on an XP Pro computer to see if the
> change has propagated. Be sure to export a copy of the new RA certificate
> AND private key to a password protected .pfx file on external media for
> safekeeping. --- Steve
>
>
> "Jeffrey" <noemail@xxxxxxxxx> wrote in message
> news:uUGhhf0%23FHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> I am on a Windows 2000 domain where the Administrator account is set as
>> the Recovery Agent at the domain level policy. The certificate recently
>> expired for that account and some XP machines can no longer encrypt files
>> or folders. When doing so they receive this error:
>>
>> "Recovery policy configured for this system contains invalid recovery
>> certificate."
>>
>> I have done some looking, but I am still a little foggy on what steps I
>> need to do to replace that certificate with a current one. It looks like
>> I can run cipher /r to generate a recovery cert on an XP machine, import
>> it into the Administrator's account using the Certificates MMC and then
>> re-add Administrator to the policy as a recovery agent. After that it
>> appears I can run cipher /u to update on the client machine to update it
>> with the new info. Is that correct? Any steps or details I am leaving
>> out?
>>
>> Thanks!
>> Jeffrey
>
>
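
The failure in this thread starts with a recovery agent certificate expiring unnoticed. The following is an added example, not part of the original posts, that lists File Recovery certificates in the recovery agent's personal store with their remaining lifetime and whether the private key is present. It assumes Windows PowerShell 3.0 or later run as the recovery agent account; the function name and the 60-day threshold are hypothetical choices.

```powershell
# Added example: report EFS File Recovery certificates and how close they are to expiry.
# Assumptions: run as the recovery agent account; Get-RecoveryCertStatus and $WarnDays
# are illustrative names and values, not from the thread.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery
$WarnDays = 60

function Get-RecoveryCertStatus {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [datetime]$Now = (Get-Date)
    )
    Get-ChildItem -Path $StorePath |
        # Keep only certificates whose enhanced key usage includes File Recovery.
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $Now).TotalDays)
            $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' }
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                # False means this store holds only the public certificate:
                # files cannot be recovered from here without the .pfx backup.
                HasPrivateKey = $_.HasPrivateKey
                State         = $state
            }
        }
}

Get-RecoveryCertStatus | Sort-Object DaysLeft | Format-Table -AutoSize
```

An old certificate reported as EXPIRED should stay in the store together with its private key, since files not re-encrypted since the change can only be recovered with it.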

