Re: EFS Recovery Agent
From: Lee (lee_at_nowehere.com)
Date: 02/23/05
- Next message: Rob McShinsky: "Certificate Web Enrollment Options Defaults?"
- Previous message: Curtis Koenig [MSFT]: "RE: EFS Recovery Agent"
- In reply to: Curtis Koenig [MSFT]: "RE: EFS Recovery Agent"
- Next in thread: Steven Umbach: "Re: EFS Recovery Agent"
- Reply: Steven Umbach: "Re: EFS Recovery Agent"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Feb 2005 18:11:01 -0000
Curtis,
Thanks for your reply. I had followed that document; however, when I try
to add a recovery agent using the Add Recovery Agent Wizard, it tells me
that "the selected user has no certificates suitable for EFS Recovery and
cannot be selected as a recovery agent."
So, I guess my question is, how do I create an EFS Recovery certificate for
my user that I want to be a recovery agent?
TIA
Lee
"Curtis Koenig [MSFT]" <curtisko@online.microsoft.com> wrote in message
news:fM5xOGdGFHA.1140@TK2MSFTNGXA02.phx.gbl...
> The help file for Windows XP has a good set of steps for how to specify a
> recovery agent:
>
> <<<<<<<<<<<<<>>>>>>>>>>>>>>
> To add a recovery agent for a domain
> Open Active Directory Users and Computers.
> Right-click the domain whose recovery policy you want to change, and then
> click Properties.
> Click the Group Policy tab.
> Right-click the recovery policy you want to change, and then click Edit.
> In the console tree, click Encrypted Data Recovery Agents.
> Where?
>
> Computer Configuration
> Windows Settings
> Security Settings
> Public Key Policies
> Encrypted Data Recovery Agents
> In the details pane, right-click, then click Add, and follow the
> instructions.
> Notes
>
> You must be logged on as an administrator or a member of the
> Administrators group in order to complete this procedure. If your computer
> is connected to a network, network policy settings might also prevent you
> from completing this procedure.
> To start Active Directory Users and Computers, open a Remote Desktop
> Connection to either a Windows 2000 domain controller or a member server
> that has Windows 2000 Administration Tools installed. You must log on to
> the server as a domain administrator in order to complete this procedure.
> This operation can be performed on any sites, domains or organizational
> units within an Active Directory forest.
> Adding a recovery agent from a file identifies the user as USER_UNKNOWN.
> This is because the name is not stored in the file.
> Before you can add or create a recovery agent, you must configure Group
> Policy on your computer. For more information about using Group Policy,
> see Related Topics.
> <<<<<<<<<<<<<>>>>>>>>>>>>>>
>
> I would also suggest the following KB
>
> 223316 Best practices for the Encrypting File System
> http://support.microsoft.com/?id=223316
> --
> Curtis Koenig
> Security Support Engineer
> Product Support Services, Security Team
> MCSE, MCSES, CISSP
>
> This posting is provided "AS IS" with no warranties and confers no rights.
> Please reply to the newsgroup so that others may benefit. Thanks!
>
> --------------------
>>From: "Lee" <lee@nowehere.com>
>>Subject: EFS Recovery Agent
>>Date: Wed, 23 Feb 2005 16:49:50 -0000
>>
>>Hi,
>>
>>Hopefully someone can advise.
>>
>>I am trying to set up EFS in my domain. I would like to change the default
>>EFS recovery agent from Administrator to a user. We do not currently have
>>a CA; however, from what I have read, this is not necessarily required.
>>
>>Could someone please advise whether a CA is required, and if not, point me
>>in the direction of some help on how to do this.
>>
>>TIA
>>
>>Lee
>>
>>
>>
>