Re: How to add a domain user as a Data Recovery Agent



Did you verify that the certificate issued to the user is indeed a Recovery
Agent certificate, and when you examined the certificate, are the dates valid
and is it trusted by all domain computers? When you look at the details page
of the certificate, select edit properties to make sure it shows file
recovery, which will also show under the enhanced key usage fields. It
definitely is possible to make a regular user a CA and I have done it a
couple of times myself in my test domain. The only reason I can think that
membership in the domain admins group is needed in your case is to get the
proper RA certificate. What you could try is to add that user or a test user
temporarily to the domain admins group to see if that makes a difference in
your situation. --- Steve


"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:eF9et1GnGHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,

I just want to start by stating that I know very little about how to
properly implement a PKI - I've been trying to pick things up as I go, but
I know that I have a lot more to learn on the topic. Please excuse any
questions or statements that appear naive, or unknowledgeable.

I'm trying to figure out how to add a non-privileged, domain user account
as a Data Recovery agent. I've got a Windows 2003 native mode domain and
a W2K3 based Root CA installed and the CA's root certificate has been
added to the domain's "Trusted Root Certification Authorities". For the
two user accounts that I want to act as data recovery agents, I've granted
them read and enroll permissions on the EFSRecovery template and then made
sure that the EFS Recovery Agent certificate template is published by my
Root CA. I can enroll both users for an EFS Recovery Agent certificate.
I don't know if everything I've done up to this point is correct, but
since I got the certificate, I've proceeded under the assumption that it
is.

I then go to the Default Domain Policy for my domain, and under Computer
Configuration->Windows Settings->Public Key Policies->Encrypting File
System, I add the users as data recovery agents. I can "Create a data
recovery agent" for the Domain Administrator account and I've tested the
domain admin in regards to recovering encrypted files - this much works.
However, I can't seem to get my non-admin users to act as recovery agents.
This is what I've tried so far:

1. Exported the users' enrolled certificates to a file and then used the
GPMC to import them into the Default Domain Policy
2. Used the certificate manager MMC snap-in to copy the certificate from
the user's local store to the user's AD account and then used the GPMC to
browse the directory for the user.
3. Copied the EFSRecovery template to a new template, granted the same
users the read, enroll, and autoenroll permissions; issued the template on
the CA; ensured the users received their certificate; and then enrolled
them as in step 2.
4. Delegated authority to the GPO to the recovery agent users and then
used GPMC to enroll the users as I did the Domain Admin.

In all cases, I was able to add the appropriate users as recovery agents.
However, all newly encrypted files never have the non-admin users listed
as Data Recovery Agents, only the Domain Administrator account is ever
listed. I can even create another account that is a domain admin and add
them to the GPO and that admin account will also show up as a Data
Recovery Agent for newly encrypted files. This problem seems to be
limited to non-admin accounts.

What am I doing wrong? Do I have the root CA configured improperly or is
there some trick about adding data recovery agents that I've missed? If
anybody could shed some light on the problem, I would greatly appreciate
it.

Thanks,

DLN
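The three checks Steve suggests (File Recovery in the enhanced key usage, valid dates, trusted chain) can be scripted so each candidate recovery agent certificate is verified the same way before it goes into the GPO. This is an added PowerShell example, not code from the thread; the thumbprint is a placeholder you supply, and the two OIDs are the standard Microsoft EKU identifiers for File Recovery and plain EFS.

```powershell
# Added example: checks a certificate in the current user's personal store
# for the properties an EFS Data Recovery Agent certificate must have.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (what a DRA needs)
$EfsOid          = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System (user cert, not a DRA cert)

function Test-DraCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }

    # 1. Enhanced Key Usage: must include File Recovery; an EFS-only cert is the usual mix-up.
    $ekuExt  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $hasFileRecovery = $FileRecoveryOid -in $ekuOids
    $efsUserCertOnly = (-not $hasFileRecovery) -and ($EfsOid -in $ekuOids)

    # 2. Validity period as of now.
    $now        = Get-Date
    $datesValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    # 3. Chain must build to a root this machine trusts (revocation checked separately).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainTrusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject          = $cert.Subject
        HasFileRecovery  = $hasFileRecovery
        EfsUserCertOnly  = $efsUserCertOnly
        DatesValid       = $datesValid
        ChainTrusted     = $chainTrusted
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        UsableAsDra      = $hasFileRecovery -and $datesValid -and $chainTrusted
    }
}

# Placeholder thumbprint: replace with the enrolled user's certificate thumbprint.
Test-DraCertificate -Thumbprint '<THUMBPRINT>'

# To see which recovery agents are actually stamped on a given encrypted file,
# the built-in cipher tool lists them:  cipher /c C:\path\to\encrypted.txt
```

If `UsableAsDra` is true on the enrolling user's machine but newly encrypted files still omit that agent, the problem is in how the GPO publishes the certificate rather than in the certificate itself.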
