Re: EFS recovery agent in Default Domain Policy with a self signed

You need to log into the account and use the Certificates utility
to import the private key into the account's private store.
All you have mentioned only made the public key available for
use when encrypting. The private key is needed in the account
in order to decrypt.

"Daniel Sorokins" <DanielSorokins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:9E2998C7-8DA6-47FC-BA95-88DF5E7EAA47@xxxxxxxxxxxxxxxx

I exported the key and certificate with cipher (using PSS ID 887414), then I
imported this into the domain GPO (EFS recovery agents...), and also imported it
into AD (published user certificates).
But this does not work (this user is unable to open or disable encryption on
files); when the GPO updates the computers, this user is defined in each file as
recovery agent, but when this user logs on and tries to open, the message is "access

If I create a certificate with MS CA, then this works OK.

"Roger Abell [MVP]" wrote:

To define the recovery agent one needs to indicate this in
group policy, as you have stated. To use the capability the
cert's private key needs to be imported into the account,
which you have not stated doing.


"Daniel Sorokins" <DanielSorokins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:216476ED-C9BB-482B-8B1A-E4DBB6E229A5@xxxxxxxxxxxxxxxx
I created a domain user EFSRecovery and applied Microsoft PSS ID 887414 to
create a certificate for recovery.
Then I added this certificate to the Default Domain Policy as the EFS recovery
agent for the domain.

With this solution I am unable to recover files (in encrypted files there is
information about this certificate as recovery agent) but "access denied" is

If I create the recovery certificate with Microsoft CA, it works fine.

Is this correct? Because I don't want to install Microsoft CA.
Another solution is to purchase a special certificate for domain recovery
and self-signed for my users.

Thanks for your help.
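The point Roger Abell makes above is that the .cer added to the GPO carries only the public key: the account that is supposed to recover files must hold the matching private key in its own Personal store, otherwise every decrypt attempt ends in "access denied" even though each file lists that account as recovery agent. The PowerShell script below is an added example, not code from either poster, showing the recovery-agent side of that workflow together with the check a practitioner would want before blaming the certificate: confirm that the recovery certificate thumbprint stamped on an encrypted file matches a certificate in the recovery account's CurrentUser\My store that actually has a private key. It assumes the recovery agent certificate was generated with `cipher /r:EFSRecovery` (which writes EFSRecovery.cer and EFSRecovery.pfx), that `cipher /c` (Windows Vista / Server 2008 and later) prints a "Recovery Certificates:" section with "Certificate thumbprint:" lines, and that the paths, the sample file and the password prompt are placeholders.

```powershell
# Added example, not code from the thread. Run this while logged on as the
# EFS recovery agent account (EFSRecovery in the thread), on the machine
# where the encrypted file lives.
#
# Assumptions (not from the original posts):
#   - The DRA certificate came from: cipher /r:EFSRecovery
#     which produced EFSRecovery.cer (public half, added to the GPO) and
#     EFSRecovery.pfx (certificate + private key, password protected).
#   - The paths below are placeholders.
#   - cipher /c is available (Vista / Server 2008 and later) and prints a
#     "Recovery Certificates:" section with "Certificate thumbprint:" lines.

$PfxPath         = 'C:\efs-recovery\EFSRecovery.pfx'    # placeholder
$EncryptedFile   = 'C:\Users\alice\Documents\secret.txt' # placeholder
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'           # Microsoft "File Recovery" EKU OID

function Test-FileRecoveryCert {
    # True if the certificate carries the File Recovery enhanced key usage.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
}

function Get-RecoveryThumbprintsFromFile {
    # Parse "cipher /c" output and return the thumbprints listed under
    # "Recovery Certificates:", normalised to upper case without spaces.
    param([string]$Path)
    $inRecovery = $false
    $found = @()
    foreach ($line in (cipher.exe /c $Path 2>&1)) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true;  continue }
        if ($line -match '^\s*Users who can decrypt:')  { $inRecovery = $false; continue }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*(.+)$') {
            $found += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    return $found
}

# 1. Import the .pfx (certificate AND private key) into this account's
#    Personal store. The GPO / AD publication only distributed the public half.
$pfxPassword = Read-Host -AsSecureString 'Password for EFSRecovery.pfx'
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
Write-Host ("Imported {0}  HasPrivateKey={1}" -f $imported.Thumbprint, $imported.HasPrivateKey)

# 2. Which recovery certificates does the file actually reference?
$fileDra = Get-RecoveryThumbprintsFromFile -Path $EncryptedFile
Write-Host "Recovery certificate thumbprints on file: $($fileDra -join ', ')"

# 3. Do we hold a private key for one of them?
$usable = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object {
    $_.HasPrivateKey -and (Test-FileRecoveryCert $_) -and
    ($fileDra -contains $_.Thumbprint.ToUpperInvariant())
}

if (-not $usable) {
    throw "No File Recovery certificate with a private key matches the file's recovery agent; expect 'Access is denied' from cipher /d."
}

# 4. Recover the file, then remove the private key from this profile again so
#    the domain-wide DRA key is not left behind on a workstation.
cipher.exe /d $EncryptedFile
foreach ($c in $usable) {
    Remove-Item -Path ("Cert:\CurrentUser\My\{0}" -f $c.Thumbprint) -DeleteKey
}
```

On systems without the PKI module, `certutil -user -p <password> -importPFX EFSRecovery.pfx` performs the same import into the current user's Personal store. The thumbprint comparison in step 3 is what distinguishes the symptom described in the thread (the file names the account as recovery agent, but the account has no key for that thumbprint) from a genuinely wrong GPO entry, and none of it requires a certification authority: a self-signed certificate from `cipher /r` works as a data recovery agent as long as its private key is present in the recovering account.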