Re: bug with efs on server 2003



Inline...

"Goldorak-Go" <Goldorak-Go@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:6DC969F8-18AB-429C-AD2E-B6BD48E377AC@xxxxxxxxxxxxxxxx
Hi,
I can speak French or English.
My trouble is the following.

I want to use EFS on my domain, so I have created an EFS self-signed
certificate for a recovery agent for the domain with the command cipher /r.
This EFS self-signed certificate is valid for 100 years.
I have imported this certificate in the policy of the domain and replicated
the policy with the "Active directory site and services" snap-in.

Now I want to encrypt a folder on a member server. Before doing that I have
just forced this server to apply the domain policy by typing the command
GPUPDATE /force and rebooted the server.

[bk] This is good, you have applied the recovery policy then.

I have created a user which is called "BABY" on the domain. This user will
serve to encrypt my folder.
So when I encrypt the folder a new certificate and a private key are created
for this user.

[bk] As expected. Since you do not mention a PKI, I have to assume it is self-signed.

I don't want the private key to stay on the local server, so I have exported
the certificate and the private key together in a *.PFX file and I've asked to
delete the private key locally during this export.

[bk] Big mistake. Since you have removed the certificate, the next encryption attempt will generate a new certificate. Also, the user has lost access to the previously encrypted file.

Now there is only the certificate of the user "BABY" profile on the local
machine. The private key has been removed as expected.

[bk] Mistake.

My problem is the following: when I add a new file to the existing encrypted
directory, the user "BABY" gets a new certificate and a new private key.
I try to think that this behaviour is not normal.
Can someone help me please?

[bk] This is expected. How did you expect EFS to protect the new FEK created for the newly encrypted file?
Please read the whitepaper on how EFS works available at www.microsoft.com/pki


My infrastructure is based on Windows server 2003 R2 standard edition. I
have not updated the servers for the moment with any patches.

Thanks a lot.
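As an added example (not code from the thread), the check a practitioner would run before encrypting as the user: list the EFS certificates in that user's personal store, flag any whose private key is gone (the condition that makes EFS mint a fresh certificate and key on the next encryption, as described above), and back up a usable one to a PFX while leaving the key in the store. It assumes it is run in the encrypting user's session (BABY in the thread); the backup path and password prompt are placeholders chosen here.

```powershell
# Added example: audit the current user's EFS certificates and back one up
# WITHOUT deleting the private key. Assumptions: run as the encrypting user;
# $BackupPath is a placeholder, the password is prompted interactively.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
$BackupPath = Join-Path $env:USERPROFILE 'efs-backup.pfx'   # placeholder location

function Get-EfsCertificate {
    # Every certificate in the user's personal store that carries the EFS EKU
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            (($_.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEku)
        }
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate in the user store; the first encryption will create one.'
}

foreach ($c in $certs) {
    # A certificate without its private key cannot decrypt anything it protected,
    # and EFS will generate a new key pair the next time this user encrypts.
    $status = if ($c.HasPrivateKey) { 'private key present' } else { 'PRIVATE KEY MISSING' }
    '{0}  expires {1:yyyy-MM-dd}  {2}' -f $c.Thumbprint, $c.NotAfter, $status
}

# Back up the first usable certificate together with its key. Unlike choosing
# "delete the private key" on export, this keeps the key in the store, so
# existing encrypted files stay readable and new files reuse the same FEK wrapper.
$usable = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($usable) {
    $pfxPassword = Read-Host -AsSecureString 'PFX password'
    $pfxBytes = $usable.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
        $pfxPassword)
    [System.IO.File]::WriteAllBytes($BackupPath, $pfxBytes)
    "Backed up $($usable.Thumbprint) to $BackupPath (private key retained in the store)"
}
```

Store the PFX off the server and keep the recovery agent's PFX from cipher /r separately; neither backup requires removing the key from the user's store.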
