Re: How to add a domain user as a Data Recovery Agent


Thanks for the response. I've tested what you've suggested and followed the
exchange between yourself and AC, checking for possible errors or omissions,
and everything appears to check out. The computer accounts are in a
specially created OU and not the default "Computer" container, and the policy
is defined in the Default Domain Policy. If I run RSOP, the non-admin user
does show up as an RA, his certificate is for file recovery, hasn't expired
and the root and issuing CA are trusted. However, if I add the user to the
Domain Admins group the user still won't show up as an RA, so the problem
doesn't appear to be limited to group membership but rather it's specific to
newly created users. Is this one of those settings where I need to restart
the domain controllers in order for it to take effect?

Thanks again,


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Did you verify that the certificate issued to the user is indeed a
Recovery Agent certificate and when you examined the certificate are the
dates valid and is it trusted by all domain computers? When you look at
the details page of the certificate, select edit properties to make sure it
shows file recovery, which will also show under the enhanced key usage
fields. It definitely is possible to make a regular user a CA and I have
done it a couple times myself in my test domain. The only reason I can
think that membership in the domain admins group is needed in your case is
to get the proper RA certificate. What you could try is to add that user
or a test user temporarily to the domain admins group to see if that makes
a difference in your situation. --- Steve

"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
Hello All,

I just want to start by stating that I know very little about how to
properly implement a PKI - I've been trying to pick things up as I go,
but I know that I have a lot more to learn on the topic. Please excuse
any questions or statements that appear naive, or unknowledgeable.

I'm trying to figure out how to add a non-privileged, domain user account
as a Data Recovery agent. I've got a Windows 2003 native mode domain and
a W2K3 based Root CA installed and the CA's root certificate has been
added to the domain's "Trusted Root Certification Authorities". For the
two user accounts that I want to act as data recovery agents, I've
granted them read and enroll permissions on the EFSRecovery template and
then made sure that the EFS Recovery Agent certificate template is
published by my Root CA. I can enroll both users for an EFS Recovery
Agent certificate. I don't know if everything I've done up to this point
is correct, but since I got the certificate, I've proceeded under the
assumption that it is.

I then go to the Default Domain Policy for my domain, and under Computer
Configuration->Windows Settings->Public Key Policies->Encrypting File
System, I add the users as data recovery agents. I can "Create a data
recovery agent" for the Domain Administrator account and I've tested the
domain admin in regards to recovering encrypted files - this much works.
However, I can't seem to get my non-admin users to act as recovery
agents. This is what I've tried so far:

1. Exported the users' enrolled certificates to a file and then used the
GPMC to import them into the Default Domain Policy
2. Used the certificate manager MMC snap-in to copy the certificate from
the user's local store to the user's AD account and then used the GPMC to
browse the directory for the user.
3. Copied the EFSRecovery template to a new template, granted the same
users the read, enroll, and autoenroll permissions; issued the template
on the CA; ensured the users received their certificate; and then
enrolled them as in step 2.
4. Delegated authority to the GPO to the recovery agent users and then
used GPMC to enroll the users as I did the Domain Admin.

In all cases, I was able to add the appropriate users as recovery agents.
However, newly encrypted files never have the non-admin users listed
as Data Recovery Agents; only the Domain Administrator account is ever
listed. I can even create another account that is a domain admin and add
them to the GPO and that admin account will also show up as a Data
Recovery Agent for newly encrypted files. This problem seems to be
limited to non-admin accounts.

What am I doing wrong? Do I have the root CA configured improperly or is
there some trick about adding data recovery agents that I've missed? If
anybody could shed some light on the problem, I would greatly appreciate
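The following PowerShell script is an added example and is not code from anyone in this thread. It turns Steve's checklist (File Recovery EKU, valid dates, chain to a trusted root) and dln's symptom (newly encrypted files carrying only the Domain Administrator as DRA) into one check that can be run on a domain-joined client as the user who encrypts files. It assumes a current Windows (cipher /c and the Cert: drive need Vista and PowerShell 3 or later, so not the Windows 2003 era of the thread), that the RA's certificate has been exported as a .cer to the path in $RaCerPath, and that policy-delivered DRA certificates appear under the registry key in $EfsPolicyStore keyed by thumbprint; those paths and the test file are constructed for the example. Only the public .cer belongs in the GPO; the RA's .pfx with the private key can decrypt every file in scope of the policy and should be kept offline.

```powershell
# Added example, not code from the thread. Checks whether an EFS Data Recovery Agent
# certificate is (1) a valid RA certificate, (2) delivered by Group Policy to this
# machine and (3) actually stamped on newly encrypted files.
# Constructed / assumed values are marked as such.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU used by EFS DRAs
$RaCerPath       = 'C:\Temp\ra-user.cer'        # assumed: the RA's certificate exported as .cer (public part only)
$EfsPolicyStore  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'  # assumed layout: one subkey per thumbprint

function Test-RecoveryAgentCert {
    # Steve's checklist: File Recovery EKU present, dates valid, chain builds to a trusted root.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasFileRecovery = $false
    if ($eku) {
        $hasFileRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
    }

    $now   = Get-Date
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Trust and dates only here; revocation is a separate check and would hide a trust problem behind a CRL error.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)

    [pscustomobject]@{
        Subject            = $Cert.Subject
        Thumbprint         = $Cert.Thumbprint
        HasFileRecoveryEku = $hasFileRecovery
        DatesValid         = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainTrusted       = $trusted
        ChainErrors        = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        InEfsPolicyStore   = (Test-Path "$EfsPolicyStore\$($Cert.Thumbprint)")
    }
}

function Get-FileRecoveryThumbprints {
    # Parses 'cipher /c <file>' and returns the thumbprints listed under "Recovery Certificates:".
    param([string]$Path)
    $inRecovery = $false
    $thumbs = @()
    foreach ($line in (& cipher.exe /c $Path)) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match '^\s*Key Information:') { break }
        if ($inRecovery -and $line -match 'thumbprint:\s*(.+)$') {
            # cipher prints the thumbprint as space-separated hex groups; normalise to the Cert: drive form
            $thumbs += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    $thumbs
}

# 1. Is the certificate itself a usable RA certificate?
$raCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RaCerPath
$check  = Test-RecoveryAgentCert -Cert $raCert
$check | Format-List

# 2. Which DRA certificates did Group Policy deliver to this machine?
#    (the same list certutil shows with: certutil -store -grouppolicy EFS)
Get-ChildItem $EfsPolicyStore -ErrorAction SilentlyContinue |
    ForEach-Object { "Policy DRA thumbprint: $($_.PSChildName)" }

# 3. Encrypt a constructed test file and see which DRAs EFS actually stamped on it.
$testFile = Join-Path $env:TEMP 'efs-dra-check.txt'    # constructed test file
'constructed plaintext' | Set-Content -Path $testFile
& cipher.exe /e $testFile | Out-Null
$onFile = Get-FileRecoveryThumbprints -Path $testFile

if ($onFile -contains $check.Thumbprint) {
    "OK: $($check.Subject) is a recovery agent on $testFile"
} else {
    "MISSING: $($check.Subject) ($($check.Thumbprint)) is not stamped on $testFile."
    "DRAs on file: $($onFile -join ', '). Compare with RSOP on this client, run gpupdate /force, and encrypt again."
}
```

If step 1 reports the EKU, dates and chain as good and step 2 shows the thumbprint, but step 3 still lists only the administrator, the policy reached the client but EFS did not accept the certificate when it encrypted the file; if step 2 is empty for that thumbprint, the problem is upstream in the GPO or its application, which is what RSOP on the client (not on the DC) will show.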