Re: EFS Recovery Agent
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: Thu, 24 Feb 2005 00:04:34 -0600
You can use the cipher /R command on an XP Pro computer to generate a Recovery
Agent certificate which would be the logged on user. I suggest however that you
create an enterprise CA for the domain even if you use it to issue that one
certificate. It really is not that hard to do. If you want to try the XP Pro
generated certificate be SURE to test it out first to make sure that it works
the way you expect for domain EFS file recovery so as to not lose permanent
access to any EFS files. You can use the efsinfo utility to then view the RA
associated with any EFS files. I believe that existing files will need to be
opened to update them with the new RA or that can be done via the cipher command
from the logged on user for XP Pro. Be sure to keep a couple of copies of the RA
certificate/private key stored in password protected .pfx files in safe
places. --- Steve
"Lee" <email@example.com> wrote in message
> thanks for your reply, I had followed that document, however, when I try
> to add a recovery agent using the Add Recovery Agent Wizard, it tells me
> that "the selected user has no certificates suitable for EFS Recovery and
> cannot be selected as a recovery agent.
> So, I guess my question is, how do I create an EFS Recovery certificate for
> my user that I want to be a recovery agent
> "Curtis Koenig [MSFT]" <firstname.lastname@example.org> wrote in message
> > The help file for Windows XP has a good set of steps for how to specify a
> > recovery agent:
> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
> > To add a recovery agent for a domain
> > Open Active Directory Users and Computers.
> > Right-click the domain whose recovery policy you want to change, and then
> > click Properties.
> > Click the Group Policy tab.
> > Right-click the recovery policy you want to change, and then click Edit.
> > In the console tree, click Encrypted Data Recovery Agents.
> > Where?
> > Computer Configuration
> > Windows Settings
> > Security Settings
> > Public Key Policies
> > Encrypted Data Recovery Agents
> > In the details pane, right-click, then click Add, and follow the
> > instructions.
> > Notes
> > You must be logged on as an administrator or a member of the
> > Administrators
> > group in order to complete this procedure. If your computer is connected
> > to
> > a network, network policy settings might also prevent you from completing
> > this procedure.
> > To start Active Directory Users and Computers, open a Remote Desktop
> > Connection to either a Windows 2000 domain controller or a member server
> > that has Windows 2000 Administration Tools installed. You must log on to
> > the server as a domain administrator in order to complete this procedure.
> > This operation can be performed on any sites, domains or organizational
> > units within an Active Directory forest.
> > Adding a recovery agent from a file identifies the user as USER_UNKNOWN.
> > This is because the name is not stored in the file.
> > Before you can add or create a recovery agent, you must configure Group
> > Policy on your computer. For more information about using Group Policy,
> > see
> > Related Topics.
> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
> > I would also suggest the following KB
> > 223316 Best practices for the Encrypting File System
> > http://support.microsoft.com/?id=223316
> > --
> > Curtis Koenig
> > Security Support Engineer
> > Product Support Services, Security Team
> > MCSE, MCSES, CISSP
> > This posting is provided "AS IS" with no warranties and confers no rights.
> > Please reply to the newsgroup so that others may benefit. Thanks!
> > --------------------
> >>From: "Lee" <email@example.com>
> >>Subject: EFS Recovery Agent
> >>Date: Wed, 23 Feb 2005 16:49:50 -0000
> >>Hopefully someone can advise.
> >>I am trying to setup EFS in my domain, I would like to change the default
> >>EFS recovery agent from Administrator to a user. We do not currenlty
> > have
> >>a CA, however, from what I have read, this is not necessarily required.
> >>Could someone please advise whether a CA is required, and if not, point me
> >>in the direction of some help on how to do this.