Re: EFS recovery agent in Default Domain Policy with a self signed

You need to log into the account and use the Certificates utility
to import the private key into the account's private store.
All you have mentioned only made the public key available for
use when encrypting. The private key is needed in the account
in order to decrypt.

"Daniel Sorokins" <DanielSorokins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:9E2998C7-8DA6-47FC-BA95-88DF5E7EAA47@xxxxxxxxxxxxxxxx

I export the key and certificate with cipher (using PSS ID 887414), then I
import this in the domain GPO (EFS recovery agents....), and I also import this
in AD (user-certificates published).
But this does not work (this user is unable to open or disable encryption on
files); when the GPO updates the computers, this user is defined in each file as
recovery, but when this user logs on and tries to open, the message is "access

If I create a certificate with the MS CA, then this works OK.

"Roger Abell [MVP]" wrote:

To define the recovery agent one needs to indicate this in
group policy as you have stated. To use the capability the
cert's private key needs to be imported into the account,
which you have not stated doing.


"Daniel Sorokins" <DanielSorokins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:216476ED-C9BB-482B-8B1A-E4DBB6E229A5@xxxxxxxxxxxxxxxx
I create a domain user EFSRecovery and apply Microsoft PSS ID 887414 to
create a certificate for recovery.
Then, I add this certificate in the default domain policy as EFS recovery
for the domain.

With this solution I am unable to recover files (in the encrypted files there is
information about this certificate as recovery) but "access denied" is

If I create the recovery certificate with the Microsoft CA it works fine.

Is this correct? Because I don't want to install the Microsoft CA.
The other solution is to purchase a special certificate for domain recovery
and use self-signed ones for my users.

Thanks for your help.
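As an added check (not part of this thread and not a Microsoft tool), the PowerShell below lists the File Recovery certificates in the logged-on account's Personal store and reports whether the private key is present, which is the condition the reply at the top says must hold before the recovery account can decrypt. The function name Test-EfsRecoveryAgentKey is my own; the EKU OID 1.3.6.1.4.1.311.10.3.4.1 is the standard Microsoft File Recovery OID.

```powershell
# Added example, not from the thread. Verify that the account you are logged
# on as holds a usable EFS recovery-agent certificate, i.e. one that
# (a) is in the CurrentUser\My (Personal) store, (b) carries the File
# Recovery EKU, and (c) has its private key present. Publishing the .cer in
# the GPO / in AD only distributes the public half; cipher /r also writes a
# .pfx containing the private key, and that .pfx is what must be imported
# into the recovery account. Without it, decryption fails with "access denied".

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # szOID_EFS_RECOVERY (File Recovery)

function Test-EfsRecoveryAgentKey {
    param(
        # Optional: restrict the check to one certificate by thumbprint.
        [string]$Thumbprint
    )
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My
    if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }

    foreach ($cert in $certs) {
        # Pick out the Enhanced Key Usage extension and look for the File Recovery OID.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isRecovery = $false
        if ($ekuExt) {
            $isRecovery = [bool]($ekuExt.EnhancedKeyUsages | Where-Object Value -eq $FileRecoveryOid)
        }
        if (-not $isRecovery) { continue }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            # Usable only if the private key is here and the cert has not expired.
            Usable        = $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))
        }
    }
}

# A recovery certificate that shows HasPrivateKey = False is exactly the symptom in this thread.
$result = Test-EfsRecoveryAgentKey
if (-not $result) {
    Write-Warning 'No File Recovery certificate found in the Personal store of this account.'
} elseif (-not ($result | Where-Object Usable)) {
    Write-Warning 'Recovery certificate present but private key missing or expired; import the .pfx (with private key) into this account.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it in a session started as the recovery account (EFSRecovery in this thread), since the Personal store is per user.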

