Re: Expired Recovery Agent EFS Cert



XP Pro of course may not need an RA to use EFS but if one is specified in GP
then maybe it will not work if the RA is invalid much like W2K works? If
that is the case then I would think the old RA should still be able to
recover files encrypted prior to its expiration until files are also
updated with the new RA. --- Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23ll%23duG$FHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
> and after doing this hope that you do not need to recover
> a file that has not been touched since the change
>
> I believe that what happened here is not supposed to occur.
>
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:26SdnVLSsPI9XgreRVn-iQ@xxxxxxxxxxxxxx
>> Once you add the new certificate to the Group Policy where the EFS RA is
>> specified then the users on the computers should be able to use EFS again
>> once their Group Policy refreshes to show a valid certificate. You can run
>> gpupdate on the XP pro computers to speed up the propagation of Group
>> Policy otherwise it should take approximately 90 minutes for computers
>> already online. You can run rsop.msc on an XP Pro computer to see if the
>> change has propagated. Be sure to export a copy of the new RA certificate
>> AND private key to a password protected .pfx file on external media for
>> safekeeping. --- Steve
>>
>>
>> "Jeffrey" <noemail@xxxxxxxxx> wrote in message
>> news:uUGhhf0%23FHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> I am on a Windows 2000 domain where the Administrator account is set as
>>> the Recovery Agent at the domain level policy. The certificate recently
>>> expired for that account and some XP machines can no longer encrypt
>>> files or folders. When doing so they receive this error:
>>>
>>> "Recovery policy configured for this system contains invalid recovery
>>> certificate."
>>>
>>> I have done some looking, but I am still a little foggy on what steps I
>>> need to do to replace that certificate with a current one. It looks
>>> like I can run cipher /r to generate a recovery cert on an XP machine,
>>> import it into the Administrator's account using the Certificates MMC
>>> and then re-add Administrator to the policy as a recovery agent. After
>>> that it appears I can run cipher /u to update on the client machine to
>>> update it with the new info. Is that correct? Any steps or details I
>>> am leaving out?
>>>
>>> Thanks!
>>> Jeffrey
>>
>>
>
>
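An added check for the situation discussed in this thread (example code, not posted by any of the participants): it reads an exported EFS recovery-agent certificate, such as the .cer produced by cipher /r or exported from the GPO's Encrypting File System node, and reports whether it has expired or lacks the File Recovery EKU, so an expiring RA can be rotated before clients start refusing to encrypt. The file path and warning window are assumptions.

```powershell
# Added example (not from the thread): inspect an EFS recovery-agent certificate
# for expiry and for the Microsoft "File Recovery" EKU before it breaks EFS.
# Assumes the .cer was exported from Group Policy or produced by "cipher /r:<name>";
# the path used below is a constructed placeholder.
function Test-EfsRecoveryAgentCert {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [int]$WarnDays = 60
    )
    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    $now      = Get-Date
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    $expired  = ($now -gt $cert.NotAfter) -or ($now -lt $cert.NotBefore)

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        DaysLeft        = $daysLeft
        HasFileRecovery = $ekuOids -contains $fileRecoveryOid
        Expired         = $expired
        ExpiresSoon     = (-not $expired) -and ($daysLeft -le $WarnDays)
    }
}

# Placeholder path: point this at the RA certificate exported from the policy
$result = Test-EfsRecoveryAgentCert -CerPath 'C:\EFS\RecoveryAgent.cer' -WarnDays 60
$result | Format-List

if ($result.Expired -or -not $result.HasFileRecovery) {
    Write-Warning 'Clients with this RA in policy will report "invalid recovery certificate".'
    Write-Warning 'Issue a new RA cert (cipher /r:<name>), add it to the GPO, then gpupdate and cipher /u on the clients.'
} elseif ($result.ExpiresSoon) {
    Write-Warning "RA certificate expires in $($result.DaysLeft) days; rotate it before then."
}
```

Keep the .pfx with the private key of every RA that has ever been in the policy, as the thread advises, because files not touched since the change still need the old key for recovery.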

