Re: EFS Recovery Agent

From: Lee (lee_at_nowehere.com)
Date: 02/24/05


Date: Thu, 24 Feb 2005 12:39:23 -0000

Steve,

Ok, after taking your advice this is what I have done.

I used Cipher to generate a recovery certificate on my PC.

I edited my default domain policy adding myself as a recovery agent, using
the certificate I created using cipher.

I then had a test user encrypt a file on a file server in the domain.

I then logged on locally to the file server as myself. When I then tried to
decrypt the file, it says "access denied".

In the details of the encryption settings of the file, I am listed as a DRA,
with the correct thumbprint.

Any ideas?

TIA

Lee
"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:OoY9ZZjGFHA.2732@TK2MSFTNGP15.phx.gbl...
> You can use the cipher /R command on an XP Pro computer to generate a
> Recovery Agent certificate which would be the logged on user. I suggest
> however that you create an enterprise CA for the domain even if you use it
> to issue that one certificate. It really is not that hard to do. If you
> want to try the XP Pro generated certificate be SURE to test it out first
> to make sure that it works the way you expect for domain EFS file recovery
> so as to not lose permanent access to any EFS files. You can use the
> efsinfo utility to then view the RA associated with any EFS files. I
> believe that existing files will need to be opened to update them with the
> new RA or that can be done via the cipher command from the logged on user
> for XP Pro. Be sure to keep a couple of copies of the RA certificate/private
> key stored in password-protected .pfx files in safe places. --- Steve
>
>
> "Lee" <lee@nowehere.com> wrote in message
> news:eRCLGMdGFHA.616@TK2MSFTNGP10.phx.gbl...
>> Curtis,
>>
>> thanks for your reply, I had followed that document, however, when I try
>> to add a recovery agent using the Add Recovery Agent Wizard, it tells me
>> that "the selected user has no certificates suitable for EFS Recovery and
>> cannot be selected as a recovery agent."
>>
>> So, I guess my question is, how do I create an EFS Recovery certificate
>> for my user that I want to be a recovery agent?
>>
>> TIA
>>
>> Lee
>> "Curtis Koenig [MSFT]" <curtisko@online.microsoft.com> wrote in message
>> news:fM5xOGdGFHA.1140@TK2MSFTNGXA02.phx.gbl...
>> > The help file for Windows XP has a good set of steps for how to specify
>> > a recovery agent:
>> >
>> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
>> > To add a recovery agent for a domain
>> > Open Active Directory Users and Computers.
>> > Right-click the domain whose recovery policy you want to change, and
>> > then click Properties.
>> > Click the Group Policy tab.
>> > Right-click the recovery policy you want to change, and then click Edit.
>> > In the console tree, click Encrypted Data Recovery Agents.
>> > Where?
>> >
>> > Computer Configuration
>> > Windows Settings
>> > Security Settings
>> > Public Key Policies
>> > Encrypted Data Recovery Agents
>> > In the details pane, right-click, then click Add, and follow the
>> > instructions.
>> > Notes
>> >
>> > You must be logged on as an administrator or a member of the
>> > Administrators group in order to complete this procedure. If your
>> > computer is connected to a network, network policy settings might also
>> > prevent you from completing this procedure.
>> > To start Active Directory Users and Computers, open a Remote Desktop
>> > Connection to either a Windows 2000 domain controller or a member server
>> > that has Windows 2000 Administration Tools installed. You must log on to
>> > the server as a domain administrator in order to complete this
>> > procedure.
>> > This operation can be performed on any sites, domains or organizational
>> > units within an Active Directory forest.
>> > Adding a recovery agent from a file identifies the user as USER_UNKNOWN.
>> > This is because the name is not stored in the file.
>> > Before you can add or create a recovery agent, you must configure Group
>> > Policy on your computer. For more information about using Group Policy,
>> > see Related Topics.
>> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
>> >
>> > I would also suggest the following KB
>> >
>> > 223316 Best practices for the Encrypting File System
>> > http://support.microsoft.com/?id=223316
>> > --
>> > Curtis Koenig
>> > Security Support Engineer
>> > Product Support Services, Security Team
>> > MCSE, MCSES, CISSP
>> >
>> > This posting is provided "AS IS" with no warranties and confers no
>> > rights.
>> > Please reply to the newsgroup so that others may benefit. Thanks!
>> >
>> > --------------------
>> >>From: "Lee" <lee@nowehere.com>
>> >>Subject: EFS Recovery Agent
>> >>Date: Wed, 23 Feb 2005 16:49:50 -0000
>> >>
>> >>Hi,
>> >>
>> >>Hopefully someone can advise.
>> >>
>> >>I am trying to set up EFS in my domain, I would like to change the
>> >>default EFS recovery agent from Administrator to a user. We do not
>> >>currently have a CA, however, from what I have read, this is not
>> >>necessarily required.
>> >>
>> >>Could someone please advise whether a CA is required, and if not, point
>> >>me in the direction of some help on how to do this.
>> >>
>> >>TIA
>> >>
>> >>Lee
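An added check for the situation Lee describes (listed as a DRA on the file, yet "access denied" on recovery); this is not code from the thread. Run as the recovery agent on the machine where the decryption is attempted, it verifies that the certificate whose thumbprint appears in the file's encryption details is in that user's personal store with its private key and the File Recovery EKU, and that the file itself lists it. Assumed: the thumbprint and file path are passed as parameters, and `cipher /c` is available (Vista/Server 2008 and later; on XP/2003 the thread's efsinfo /r gives the equivalent listing).

```powershell
# Added example, not from the thread: check that the DRA certificate named in a
# file's EFS details is actually usable by the logged-on user on THIS machine.
# The DRA private key lives in the user's profile; a .pfx generated with
# cipher /R on another PC is not available here until it has been imported.
param(
    [Parameter(Mandatory)][string]$Thumbprint,  # thumbprint from the file's encryption details
    [Parameter(Mandatory)][string]$Path         # an EFS-encrypted file on this server
)

$fileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage OID
$thumb = ($Thumbprint -replace '\s', '').ToUpper()

# 1. The file must actually be EFS-encrypted.
$attrs = (Get-Item -LiteralPath $Path -Force).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw "$Path is not EFS-encrypted."
}

# 2. The certificate must be in the current user's personal store, with its private key.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) {
    throw "Certificate $thumb is not in CurrentUser\My on $env:COMPUTERNAME (import the .pfx here)."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb is present but has no private key (only the .cer was imported)."
}

# 3. It must be a recovery certificate (File Recovery EKU), not an ordinary EFS user certificate.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$isDra = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryEku })
if (-not $isDra) {
    throw "Certificate $thumb lacks the File Recovery EKU, so EFS will not use it as a DRA."
}

# 4. The file's own recovery field must reference this certificate.
#    cipher /c exists on Vista/Server 2008 and later; on XP/Server 2003 use efsinfo /r instead.
$listing = (cipher /c $Path | Out-String) -replace '\s', ''
if ($listing.ToUpper() -notlike "*$thumb*") {
    throw "$Path does not list $thumb as a recovery agent (cipher /U refreshes the DRA on existing files)."
}

Write-Output "OK: $thumb is a DRA with its private key in this profile and is listed on $Path."
```

Each `throw` names the one condition that was not met, so the first failure points at which step of the recovery setup (key on this machine, certificate type, or file not yet updated with the new DRA) to revisit.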