Re: How to add a domain user as a Data Recovery Agent



I would not think you need to reboot. But it would not hurt to run gpupdate
/force on the domain controller [2003] first and then reboot the domain
computer to see if that makes any difference and then also check the
application log of the domain computer to see if it shows any userenv
error/warnings or other that may indicate a problem with pulling Group
Policy settings or contacting a domain controller. I would also make some
temporary trivial non-destructive change to another computer configuration
setting such as enabling auditing for privilege use for failure only under
audit policy in the same Group Policy to see if that change occurs or not in
an attempt to try and narrow the problem down to a problem with configuring
RA or a general problem with that Group Policy propagating. Another thing to
try is to move one of the domain computers temporarily out of the OU and
into the default computers container to see if that makes any difference or
not after rebooting that computer.

Double check that the default domain Group Policy is linked to the domain
container, that its computer configuration component is enabled, that
authenticated users have read and apply permissions to it, that the
computers in question are not a member of any group that has deny
permissions to it, and that it is at the top of the list assuming that you
want it to have highest precedence for Group Policy. You also can use the
support tool gpresult on a domain computer to see what Group Policies are
being applied to a domain computer for computer configuration, from what
domain controller, and the last time the policy was applied. Often it is
easier than using GPMC to find basic info. If you have more than one domain
controller there always is the possibility that Group Policy is not
replicating correctly. Running the support tool gpotool can help with that
and you should check the results to make sure all domain controllers are
shown in the list. --- Steve



"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:Op2NG6gnGHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Steven,

Thanks for the response. I've tested what you've suggested and followed
the exchange between yourself and AC, checking for possible errors or
omissions and everything appears to check out. The computer accounts are
in a specially created OU and not the default "Computer" container and the
policy is defined at the Default Domain Policy. If I run RSOP, the
non-admin user does show up as an RA, his certificate is for file
recovery, hasn't expired and the root and issuing CA are trusted.
However, if I add the user to the Domain Admins group the user still won't
show up as an RA, so the problem doesn't appear to be limited to group
membership but rather it's specific to newly created users. Is this one
of those settings where I need to restart the domain controllers in order
for it to take effect?

Thanks again,

DLN.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eocbGYLnGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
Did you verify that the certificate issued to the user is indeed a
Recovery Agent certificate and when you examined the certificate are the
dates valid and is it trusted by all domain computers? When you look at
the details page of the certificate select edit properties to make sure
it shows file recovery which also will show under the enhanced key usage
fields. It definitely is possible to make a regular user a CA and I have
done it a couple times myself in my test domain. The only reason I can
think that membership in the domain admins group is needed in your case
is to get the proper RA certificate. What you could try is to add that
user or a test user temporarily to the domain admins group to see if that
makes a difference in your situation. --- Steve


"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:eF9et1GnGHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,

I just want to start by stating that I know very little about how to
properly implement a PKI - I've been trying to pick things up as I go,
but I know that I have a lot more to learn on the topic. Please excuse
any questions or statements that appear naive, or unknowledgeable.

I'm trying to figure out how to add a non-privileged, domain user
account as a Data Recovery agent. I've got a Windows 2003 native mode
domain and a W2K3 based Root CA installed and the CA's root certificate
has been added to the domain's "Trusted Root Certification Authorities".
For the two user accounts that I want to act as data recovery agents,
I've granted them read and enroll permissions on the EFSRecovery
template and then made sure that the EFS Recovery Agent certificate
template is published by my Root CA. I can enroll both users for an EFS
Recovery Agent certificate. I don't know if everything I've done up to
this point is correct, but since I got the certificate, I've proceeded
under the assumption that it is.

I then go to the Default Domain Policy for my domain, and under Computer
Configuration->Windows Settings->Public Key Policies->Encrypting File
System, I add the users as data recovery agents. I can "Create a data
recovery agent" for the Domain Administrator account and I've tested the
domain admin in regards to recovering encrypted files - this much works.
However, I can't seem to get my non-admin users to act as recovery
agents. This is what I've tried so far:

1. Exported the users' enrolled certificates to a file and then used the
GPMC to import them into the Default Domain Policy
2. Used the certificate manager MMC snap-in to copy the certificate from
the user's local store to the user's AD account and then used the GPMC
to browse the directory for the user.
3. Copied the EFSRecovery template to a new template, granted the same
users the read, enroll, and autoenroll permissions; issued the template
on the CA; ensured the users received their certificate; and then
enrolled them as in step 2.
4. Delegated authority to the GPO to the recovery agent users and then
used GPMC to enroll the users as I did the Domain Admin.

In all cases, I was able to add the appropriate users as recovery
agents. However, newly encrypted files never have the non-admin
users listed as Data Recovery Agents, only the Domain Administrator
account is ever listed. I can even create another account that is a
domain admin and add them to the GPO and that admin account will also
show up as a Data Recovery Agent for newly encrypted files. This
problem seems to be limited to non-admin accounts.

What am I doing wrong? Do I have the root CA configured improperly or
is there some trick about adding data recovery agents that I've missed?
If anybody could shed some light on the problem, I would greatly
appreciate it.

Thanks,

DLN
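As an added example (not code from any poster in this thread), the certificate checks Steve describes (File Recovery usage, valid dates, trusted chain) and the comparison against what Group Policy actually delivered to the domain computer can be scripted in PowerShell and run on that computer as the prospective recovery agent. It assumes the File Recovery enhanced key usage OID 1.3.6.1.4.1.311.10.3.4.1 and the registry location HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS where policy-delivered EFS recovery certificates are stored (both assumptions, not values from the thread).

```powershell
# Added example: verify candidate EFS recovery agent certificates on a domain computer.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # assumed OID: "File Recovery" EKU
$EfsPolicyStore  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'  # assumed path
$now = Get-Date

# Thumbprints of recovery certificates that Group Policy actually delivered to this machine.
$policyThumbprints = @(Get-ChildItem -Path $EfsPolicyStore -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSChildName.ToUpper() })

$results = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Pull the Enhanced Key Usage extension and collect its OIDs (empty if absent).
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        HasFileRecoveryEku = ($ekus -contains $FileRecoveryOid)
        DatesValid         = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ChainTrusted       = $cert.Verify()            # builds the chain against this computer's stores
        HasPrivateKey      = $cert.HasPrivateKey       # needed later to actually recover files
        DeliveredByPolicy  = ($policyThumbprints -contains $cert.Thumbprint.ToUpper())
    }
}

$results | Format-Table -AutoSize

# A certificate that passes every check but is not DeliveredByPolicy points at policy
# propagation (gpresult/gpotool territory); one that is delivered but fails a check
# points at the certificate itself (template, dates, or trust).
$results | Where-Object { -not ($_.HasFileRecoveryEku -and $_.DatesValid -and $_.ChainTrusted) } |
    ForEach-Object { Write-Warning "Not usable as recovery agent: $($_.Subject) [$($_.Thumbprint)]" }
```

Run it after `gpupdate /force` and a reboot so the policy store reflects the current Default Domain Policy.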