Re: Expired Recovery Agent EFS Cert



Hmmm . . . interesting idea, as I now hear you, describing
the defining of a new DRA, not just a new cert of the one
original DRA. I would like to hear David Cross' take on
scenarios whereby the RA cert is able to expire/not renew.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23uiacfI$FHA.2324@xxxxxxxxxxxxxxxxxxxxxxx
> XP Pro of course may not need an RA to use EFS but if one is specified in
> GP then maybe it will not work if the RA is invalid much like W2K works?
> If that is the case then I would think the old RA should still be able to
> recover files encrypted prior to its expiration until files are also
> updated with the new RA. --- Steve
>
>
> "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
> news:%23ll%23duG$FHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
>> and after doing this hope that you do not need to recover
>> a file that has not been touched since the change
>>
>> I believe that what happened here is not supposed to occur.
>>
>>
>> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:26SdnVLSsPI9XgreRVn-iQ@xxxxxxxxxxxxxx
>>> Once you add the new certificate to the Group Policy where the EFS RA is
>>> specified then the users on the computers should be able to use EFS
>>> again once their Group Policy refreshes to show a valid certificate. You
>>> can run gpupdate on the XP pro computers to speed up the propagation of
>>> Group Policy otherwise it should take approximately 90 minutes for
>>> computers already online. You can run rsop.msc on an XP Pro computer to
>>> see if the change has propagated. Be sure to export a copy of the new RA
>>> certificate AND private key to a password protected .pfx file on
>>> external media for safe keeping. --- Steve
>>>
>>>
>>> "Jeffrey" <noemail@xxxxxxxxx> wrote in message
>>> news:uUGhhf0%23FHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>> I am on a Windows 2000 domain where the Administrator account is set as
>>>> the Recovery Agent at the domain level policy. The certificate
>>>> recently expired for that account and some XP machines can no longer
>>>> encrypt files or folders. When doing so they receive this error:
>>>>
>>>> "Recovery policy configured for this system contains invalid recovery
>>>> certificate."
>>>>
>>>> I have done some looking, but I am still a little foggy on what steps I
>>>> need to do to replace that certificate with a current one. It looks
>>>> like I can run cipher /r to generate a recovery cert on an XP machine,
>>>> import it into the Administrator's account using the Certificates MMC
>>>> and then re-add Administrator to the policy as a recovery agent. After
>>>> that it appears I can run cipher /u to update on the client machine to
>>>> update it with the new info. Is that correct? Any steps or details I
>>>> am leaving out?
>>>>
>>>> Thanks!
>>>> Jeffrey
>>>
>>>
>>
>>
>
>
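The replacement procedure discussed in this thread (new DRA certificate, policy update, client refresh, re-stamping of encrypted files), written out as a cmd script. This is an added example, not something posted by Jeffrey, Steve or Roger; the folder and file names (C:\DRA, efsdra-new, E:\offline-backup) are assumptions for illustration, and the Group Policy step itself is still done by hand in the console, as the thread describes.

```batch
@echo off
REM Added example (not from the thread): replace an expired EFS Data Recovery Agent (DRA)
REM certificate on a Windows 2000 domain with XP Pro clients.
REM Steps 1-2 run while logged on as the account that will be the DRA (the domain
REM Administrator in the thread). Paths and names are assumptions for illustration.

SET DRA_DIR=C:\DRA
SET DRA_BASE=%DRA_DIR%\efsdra-new

REM 1. Generate a fresh recovery certificate and private key.
REM    cipher /r writes <name>.cer (public cert, which is what goes into Group Policy)
REM    and <name>.pfx (cert plus private key, protected by the password it prompts for).
mkdir %DRA_DIR% 2>nul
cipher /r:%DRA_BASE%
IF ERRORLEVEL 1 (
    echo cipher /r failed; no new recovery certificate was created. & exit /b 1
)

REM 2. Move the .pfx off the network at once; only the .cer is needed on the domain.
REM    The .pfx is the only thing that can recover files stamped with this agent.
copy /y %DRA_BASE%.pfx E:\offline-backup\
del /q %DRA_BASE%.pfx

REM 3. (Manual, in the domain security policy console)
REM    Computer Configuration -> Windows Settings -> Security Settings ->
REM    Public Key Policies -> Encrypted Data Recovery Agents: remove the expired entry
REM    and add a new agent from %DRA_BASE%.cer.
REM    Keep the EXPIRED agent's .pfx as well: a file that nobody has touched since
REM    the change still carries the old recovery key, so only the old .pfx can open it.

REM 4. On each XP Pro client: pull the policy now rather than waiting the usual
REM    ~90 minute refresh, then confirm with rsop.msc that the new agent is listed.
gpupdate /force
start rsop.msc

REM 5. As each user who owns encrypted files: re-stamp them with the new recovery key.
REM    /n only lists what would be updated; run it first, then apply without /n.
cipher /u /n
cipher /u
```

Steps 4 and 5 have to run on every client, and step 5 as each user, because `cipher /u` only touches files the current user can decrypt on the local drives. Until step 5 has run for a given file, that file is recoverable only with the old agent's key, which is why the expired .pfx is kept alongside the new one.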




