Re: EFS Recovery Agent

From: Lee (lee_at_nowehere.com)
Date: 02/28/05


Date: Mon, 28 Feb 2005 13:46:45 -0000

Steven,

I didn't import the PFX file to the file server, which is why it didn't
work.

Thanks very much for your help and advice

Regards,

Lee

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uSErSuuGFHA.3484@TK2MSFTNGP12.phx.gbl...
> Your RA certificate AND private key need to be on the computer where you
> try to recover a file. If you did not create your RA certificate/private
> key on that server you need to export it and the private key from the
> computer where it exists to a password-protected .pfx file. Then copy that
> file to the server and open the .pfx file to install it to the user
> computer store for your account on the server. Use the mmc certificate
> snap-in for user certificates to verify that it exists in the
> personal/certificates folder and that the private key exists as would be
> stated on the general page for the certificate. --- Steve
>
>
> "Lee" <lee@nowehere.com> wrote in message
> news:uNXPS3mGFHA.580@TK2MSFTNGP15.phx.gbl...
>> Steve,
>>
>> Ok, after taking your advice this is what I have done.
>>
>> I used Cipher to generate a recovery certificate on my PC.
>>
>> I edited my default domain policy adding myself as a recovery agent,
>> using the certificate I created using cipher.
>>
>> I then had a test user encrypt a file on a file server in the domain.
>>
>> I then logged on locally to the file server as myself. When I then tried
>> to decrypt the file, it says "access denied".
>>
>> In the details of the encryption settings of the file, I am listed as a
>> DRA, with the correct thumbprint.
>>
>> Any ideas ?
>>
>> TIA
>>
>> Lee
>> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
>> news:OoY9ZZjGFHA.2732@TK2MSFTNGP15.phx.gbl...
>>> You can use the cipher /R command on an XP Pro computer to generate a
>>> Recovery Agent certificate which would be the logged on user. I suggest
>>> however that you create an enterprise CA for the domain even if you use it
>>> to issue that one certificate. It really is not that hard to do. If you
>>> want to try the XP Pro generated certificate be SURE to test it out first
>>> to make sure that it works the way you expect for domain EFS file recovery
>>> so as to not lose permanent access to any EFS files. You can use the
>>> efsinfo utility to then view the RA associated with any EFS files. I
>>> believe that existing files will need to be opened to update them with
>>> the new RA or that can be done via the cipher command from the logged on
>>> user for XP Pro. Be sure to keep a couple of copies of the RA
>>> certificate/private key stored in password-protected .pfx files in safe
>>> places. --- Steve
>>>
>>>
>>> "Lee" <lee@nowehere.com> wrote in message
>>> news:eRCLGMdGFHA.616@TK2MSFTNGP10.phx.gbl...
>>>> Curtis,
>>>>
>>>> thanks for your reply, I had followed that document, however, when I
>>>> try to add a recovery agent using the Add Recovery Agent Wizard, it
>>>> tells me that "the selected user has no certificates suitable for EFS
>>>> Recovery and cannot be selected as a recovery agent."
>>>>
>>>> So, I guess my question is, how do I create an EFS Recovery
>>>> certificate for my user that I want to be a recovery agent?
>>>>
>>>> TIA
>>>>
>>>> Lee
>>>> "Curtis Koenig [MSFT]" <curtisko@online.microsoft.com> wrote in message
>>>> news:fM5xOGdGFHA.1140@TK2MSFTNGXA02.phx.gbl...
>>>> > The help file for Windows XP has a good set of steps for how to
>>>> > specify a recovery agent:
>>>> >
>>>> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
>>>> > To add a recovery agent for a domain
>>>> > Open Active Directory Users and Computers.
>>>> > Right-click the domain whose recovery policy you want to change, and
>>>> > then click Properties.
>>>> > Click the Group Policy tab.
>>>> > Right-click the recovery policy you want to change, and then click
>>>> > Edit.
>>>> > In the console tree, click Encrypted Data Recovery Agents.
>>>> > Where?
>>>> >
>>>> > Computer Configuration
>>>> > Windows Settings
>>>> > Security Settings
>>>> > Public Key Policies
>>>> > Encrypted Data Recovery Agents
>>>> > In the details pane, right-click, then click Add, and follow the
>>>> > instructions.
>>>> > Notes
>>>> >
>>>> > You must be logged on as an administrator or a member of the
>>>> > Administrators group in order to complete this procedure. If your
>>>> > computer is connected to a network, network policy settings might also
>>>> > prevent you from completing this procedure.
>>>> > To start Active Directory Users and Computers, open a Remote Desktop
>>>> > Connection to either a Windows 2000 domain controller or a member
>>>> > server that has Windows 2000 Administration Tools installed. You must
>>>> > log on to the server as a domain administrator in order to complete
>>>> > this procedure.
>>>> > This operation can be performed on any sites, domains or
>>>> > organizational units within an Active Directory forest.
>>>> > Adding a recovery agent from a file identifies the user as
>>>> > USER_UNKNOWN. This is because the name is not stored in the file.
>>>> > Before you can add or create a recovery agent, you must configure
>>>> > Group Policy on your computer. For more information about using Group
>>>> > Policy, see Related Topics.
>>>> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
>>>> >
>>>> > I would also suggest the following KB
>>>> >
>>>> > 223316 Best practices for the Encrypting File System
>>>> > http://support.microsoft.com/?id=223316
>>>> > --
>>>> > Curtis Koenig
>>>> > Security Support Engineer
>>>> > Product Support Services, Security Team
>>>> > MCSE, MCSES, CISSP
>>>> >
>>>> > This posting is provided "AS IS" with no warranties and confers no
>>>> > rights.
>>>> > Please reply to the newsgroup so that others may benefit. Thanks!
>>>> >
>>>> > --------------------
>>>> >>From: "Lee" <lee@nowehere.com>
>>>> >>Subject: EFS Recovery Agent
>>>> >>Date: Wed, 23 Feb 2005 16:49:50 -0000
>>>> >>
>>>> >>Hi,
>>>> >>
>>>> >>Hopefully someone can advise.
>>>> >>
>>>> >>I am trying to set up EFS in my domain, I would like to change the
>>>> >>default EFS recovery agent from Administrator to a user. We do not
>>>> >>currently have a CA, however, from what I have read, this is not
>>>> >>necessarily required.
>>>> >>
>>>> >>Could someone please advise whether a CA is required, and if not,
>>>> >>point me in the direction of some help on how to do this.
>>>> >>
>>>> >>TIA
>>>> >>
>>>> >>Lee
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>>
>>>>
>>>
>>>
>>
>>
>
>
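
The thread works through one procedure: generate a Data Recovery Agent (DRA) certificate with cipher /R, publish the .cer through Group Policy, carry the .pfx (certificate plus private key) to the file server, import it into the recovering account's own Personal store, and confirm the private key is there before attempting recovery. The script below is an added example, not code from any of the posters, that scripts those steps with a check at each one. It assumes the base name EfsRA for the cipher /R output, a local file path on the server (D:\Share\secret.txt), that the server runs Windows Vista/Server 2008 or later so that cipher /c is available (the XP-era equivalent the thread mentions is efsinfo), and that cipher /c prints its recovery certificates under a "Recovery Certificates:" heading followed by "Certificate thumbprint:" lines; the parsing function depends on that layout.

```powershell
# Added example: EFS DRA workflow from the thread, with verification steps.
# Assumed names: base name "EfsRA", server-local path "D:\Share\secret.txt",
# and the text layout of "cipher /c" output (Vista/2008 and later).

# Step 1 (admin workstation): cipher /R writes EfsRA.cer (public certificate,
# the file you add under Public Key Policies in Group Policy) and EfsRA.pfx
# (certificate + private key). It prompts interactively for the PFX password.
function New-EfsRecoveryAgentCert {
    param([Parameter(Mandatory)][string]$BaseName)
    & cipher.exe "/R:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /R failed with exit code $LASTEXITCODE" }
    [pscustomobject]@{ Cer = "$BaseName.cer"; Pfx = "$BaseName.pfx" }
}

# Step 2 (file server, logged on as the DRA account): import the PFX into
# THIS user's Personal store. Skipping this step, or importing into the
# machine store instead, leaves the recovery account without the private key
# and produces the "access denied" the thread describes.
function Import-EfsRecoveryAgentPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\CurrentUser\My -Password $Password
}

# Step 3: the check Steve suggests doing in the certificates MMC snap-in, done
# from the shell: certificate present in Personal, File Recovery EKU present,
# and the private key associated ("You have a private key that corresponds to
# this certificate" on the General tab).
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU OID

function Test-EfsRecoveryAgentReady {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { Write-Warning "No certificate $clean in CurrentUser\My"; return $false }
    $hasEku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $FileRecoveryEku }
    if (-not $hasEku) { Write-Warning 'Certificate lacks the File Recovery EKU'; return $false }
    if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate present but no private key'; return $false }
    $true
}

# Step 4: read the DRA thumbprints stamped into an encrypted file's metadata
# (what Lee saw in the file's encryption details). Assumes the cipher /c
# output layout described in the lead-in; thumbprints are normalised by
# removing the spaces cipher inserts between byte groups.
function Get-EfsFileRecoveryThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    $out = & cipher.exe /c $Path
    $inRecovery = $false
    foreach ($line in $out) {
        if ($line -match 'Recovery Certificates:') { $inRecovery = $true; continue }
        if ($line -match 'Key Information:')       { $inRecovery = $false }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*(.+)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

# Usage on the file server, after the policy has refreshed and the test user
# has encrypted the (assumed) file:
#   $pfxPw   = Read-Host -AsSecureString 'PFX password'
#   $ra      = Import-EfsRecoveryAgentPfx -PfxPath .\EfsRA.pfx -Password $pfxPw
#   $fileRas = Get-EfsFileRecoveryThumbprints -Path 'D:\Share\secret.txt'
#   if (($fileRas -contains $ra.Thumbprint) -and (Test-EfsRecoveryAgentReady -Thumbprint $ra.Thumbprint)) {
#       cipher.exe /d 'D:\Share\secret.txt'     # recovery should now succeed
#   }
```

Two caveats that follow from the thread. Files encrypted before the new DRA policy applied still carry the old recovery certificate; cipher /u (or opening and re-saving each file, as Steve notes for XP) rewrites their metadata with the current DRA, and cipher /u /n lists what would change without touching anything. And because the .pfx is the only copy of the key that can recover every file in the domain, it belongs in at least two password-protected copies in offline storage, not left on the file server once the import is done.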


