Re: How to add a domain user as a Data Recovery Agent



No problem at all. Glad to help you troubleshoot the problem and glad you
got it resolved. Using rsop.msc for such policy is helpful but it does not
show the GPO that applies those settings. --- Steve


"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:%23upkqitnGHA.816@xxxxxxxxxxxxxxxxxxxxxxx
Steven,

It was a duplicate entry in a sub-GPO that was throwing me off. Once I
removed the duplicate Public Key policy from the sub-GPO, things started
working. I hope I didn't waste too much of your time. Thanks for your
help.

DLN

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ufiJXlhnGHA.4328@xxxxxxxxxxxxxxxxxxxxxxx
I would not think you need to reboot. But it would not hurt to run
gpupdate /force on the domain controller [2003] first and then reboot the
domain computer to see if that makes any difference and then also check
the application log of the domain computer to see if it shows any userenv
error/warnings or other that may indicate a problem with pulling Group
Policy settings or contacting a domain controller. I would also make some
temporary trivial non destructive change to another computer configuration
setting such as enabling auditing for privilege use for failure only under
audit policy in the same Group Policy to see if that change occurs or not
in an attempt to try to narrow the problem down to a problem with
configuring RA or a general problem with that Group Policy propagating.
Another thing to try is to move one of the domain computers temporarily
out of the OU and into the default computers container to see if that
makes any difference or not after rebooting that computer.

Double check that the default domain Group Policy is linked to the domain
container, that its computer configuration component is enabled, that
authenticated users have read and apply permissions to it, that the
computers in question are not a member of any group that has deny
permissions to it, and that it is at the top of the list assuming that
you want it to have highest precedence for Group Policy. You also can use
the support tool gpresult on a domain computer to see what Group Policies
are being applied to a domain computer for computer configuration, from
what domain controller, and the last time the policy was applied. Often
it is easier than using GPMC to find basic info. If you have more than
one domain controller there always is the possibility that Group Policy
is not replicating correctly. Running the support tool gpotool can help
with that and you should check the results to make sure all domain
controllers are shown in the list. --- Steve



"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:Op2NG6gnGHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Steven,

Thanks for the response. I've tested what you've suggested and followed
the exchange between yourself and AC, checking for possible errors or
omissions and everything appears to check out. The computer accounts
are in a specially created OU and not the default "Computer" container
and the policy is defined at the Default Domain Policy. If I run RSOP,
the non-admin user does show up as an RA, his certificate is for file
recovery, hasn't expired and the root and issuing CA are trusted.
However, if I add the user to the Domain Admins group the user still
won't show up as an RA, so the problem doesn't appear to be limited to
group membership but rather it's specific to newly created users. Is
this one of those settings where I need to restart the domain
controllers in order for it to take effect?

Thanks again,

DLN.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eocbGYLnGHA.964@xxxxxxxxxxxxxxxxxxxxxxx
Did you verify that the certificate issued to the user is indeed a
Recovery Agent certificate and when you examined the certificate are
the dates valid and is it trusted by all domain computers? When you
look at the details page of the certificate select edit properties to
make sure it shows file recovery which also will show under the
enhanced key usage fields. It definitely is possible to make a regular
user a CA and I have done it a couple times myself in my test domain.
The only reason I can think that membership in the domain admins group
is needed in your case is to get the proper RA certificate. What you
could try is to add that user or a test user temporarily to the domain
admins group to see if that makes a difference in your situation. ---
Steve


"dln" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:eF9et1GnGHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,

I just want to start by stating that I know very little about how to
properly implement a PKI - I've been trying to pick things up as I go,
but I know that I have a lot more to learn on the topic. Please
excuse any questions or statements that appear naive, or
unknowledgeable.

I'm trying to figure out how to add a non-privileged, domain user
account as a Data Recovery agent. I've got a Windows 2003 native mode
domain and a W2K3 based Root CA installed and the CA's root
certificate has been added to the domain's "Trusted Root Certification
Authorities". For the two user accounts that I want to act as data
recovery agents, I've granted them read and enroll permissions on the
EFSRecovery template and then made sure that the EFS Recovery Agent
certificate template is published by my Root CA. I can enroll both
users for an EFS Recovery Agent certificate. I don't know if
everything I've done up to this point is correct, but since I got the
certificate, I've proceeded under the assumption that it is.

I then go to the Default Domain Policy for my domain, and under
Computer Configuration->Windows Settings->Public Key
Policies->Encrypting File System, I add the users as data recovery
agents. I can "Create a data recovery agent" for the Domain
Administrator account and I've tested the domain admin in regards to
recovering encrypted files - this much works. However, I can't seem to
get my non-admin users to act as recovery agents. This is what I've
tried so far:

1. Exported the users' enrolled certificates to a file and then used
the GPMC to import them into the Default Domain Policy
2. Used the certificate manager MMC snap-in to copy the certificate
from the user's local store to the user's AD account and then used the
GPMC to browse the directory for the user.
3. Copied the EFSRecovery template to a new template, granted the same
users the read, enroll, and autoenroll permissions; issued the
template on the CA; ensured the users received their certificate; and
then enrolled them as in step 2.
4. Delegated authority to the GPO to the recovery agent users and then
used GPMC to enroll the users as I did the Domain Admin.

In all cases, I was able to add the appropriate users as recovery
agents. However, all newly encrypted files never have the non-admin
users listed as Data Recovery Agents, only the Domain Administrator
account is ever listed. I can even create another account that is a
domain admin and add them to the GPO and that admin account will also
show up as a Data Recovery Agent for newly encrypted files. This
problem seems to be limited to non-admin accounts.

What am I doing wrong? Do I have the root CA configured improperly or
is there some trick about adding data recovery agents that I've
missed? If anybody could shed some light on the problem, I would
greatly appreciate it.

Thanks,

DLN
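The checks Steve asks for on the candidate certificate (File Recovery enhanced key usage, valid dates, chain to a root that the domain computers trust), plus the export step that produces the .cer you browse to in GPMC, as an added PowerShell example that is not part of the thread. It assumes Windows PowerShell 4 or later with the PKI module (Test-Certificate, Export-Certificate), is run in the session of the user who enrolled for the EFS Recovery Agent template, and uses a placeholder export path; the File Recovery EKU OID 1.3.6.1.4.1.311.10.3.4.1 is the real one.

```powershell
# Added example (not from the thread): verify that a user's certificate is a usable
# EFS Data Recovery Agent certificate and export the public part for import into the GPO.
# Assumptions: Windows PowerShell 4+ with the PKI module, run as the enrolled user;
# $ExportPath below is a placeholder.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" (EFS recovery agent)
$ExportPath      = 'C:\Temp\dra-user.cer'       # placeholder output file

function Get-DraCandidate {
    # Certificates in the user's personal store that carry the File Recovery EKU.
    # A plain EFS (user) certificate has EKU ...10.3.4 and will NOT match; a DRA needs ...10.3.4.1.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid }
}

function Test-DraCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    $problems = @()
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "validity window $($Cert.NotBefore) .. $($Cert.NotAfter) does not cover now"
    }
    if (-not $Cert.HasPrivateKey) {
        # The GPO only needs the public certificate, but this user cannot recover files without the key.
        $problems += 'no private key in this profile; this user could not actually recover files'
    }
    # Chain check against this computer's trusted roots. The same chain has to build on every
    # domain computer, which is why the root CA is published to Trusted Root CAs by policy.
    if (-not (Test-Certificate -Cert $Cert -Policy Base -ErrorAction SilentlyContinue)) {
        $problems += 'chain does not build to a trusted root on this computer'
    }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Problems   = $problems
        Usable     = ($problems.Count -eq 0)
    }
}

$candidates = @(Get-DraCandidate)
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with EKU $FileRecoveryOid in Cert:\CurrentUser\My; enroll for the EFS Recovery Agent template first."
    return
}

New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
foreach ($c in $candidates) {
    $r = Test-DraCertificate -Cert $c
    $r | Format-List
    if ($r.Usable) {
        # Public certificate only (no private key). This is the file you add under
        # Computer Configuration > Windows Settings > Public Key Policies > Encrypting File System.
        Export-Certificate -Cert $c -FilePath $ExportPath -Type CERT | Out-Null
        Write-Host "Exported $($c.Thumbprint) to $ExportPath"
    }
}
```

Keep the thumbprint the script prints; it is what you compare against on the client side after the policy has applied, since cipher.exe and the policy registry key both identify recovery agents by SHA-1 thumbprint rather than by user name.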

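The client-side diagnosis from the thread (force a refresh, see which GPOs applied, find every GPO that carries an EFS recovery entry so a duplicate in a sub-GPO stands out, and confirm a freshly encrypted file lists the expected agent), as an added PowerShell example that is not part of the thread. It assumes a domain-joined computer, an elevated session, the GroupPolicy RSAT module (Get-GPO, Get-GPRegistryValue), that the GPO stores its DRA entries under the Software\Policies\Microsoft\SystemCertificates\EFS registry path that Group Policy populates on the client, and a placeholder thumbprint for the DRA certificate you added to the policy.

```powershell
# Added example (not from the thread): where does the EFS recovery policy come from, and what
# actually reached this domain member? Assumptions: elevated session on a domain-joined
# computer with the GroupPolicy module; DRA entries live under the EFS SystemCertificates
# policy key in each GPO; $ExpectedThumbprint is a placeholder (40 hex characters).

$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
$EfsPolicyKey       = 'HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function Find-GposDefiningEfsRecovery {
    # Every GPO in the domain that configures the EFS recovery key. More than one result when you
    # expected only the Default Domain Policy is the "duplicate entry in a sub-GPO" situation.
    foreach ($gpo in Get-GPO -All) {
        try {
            $entries = Get-GPRegistryValue -Guid $gpo.Id -Key $EfsPolicyKey -ErrorAction Stop
        } catch { continue }   # this GPO does not configure the key at all
        # Subkeys under ...\Certificates are named by SHA-1 thumbprint (assumed layout).
        $thumbs = $entries | ForEach-Object {
            if ($_.FullKeyPath -match '\\Certificates\\([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
        } | Sort-Object -Unique
        [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; DraThumbprints = @($thumbs) }
    }
}

function Get-DeliveredDraThumbprints {
    # What Group Policy actually wrote on this computer; subkey names are SHA-1 thumbprints.
    $path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    if (-not (Test-Path $path)) { return @() }
    (Get-ChildItem $path).PSChildName | ForEach-Object { $_.ToUpper() }
}

function Test-DraOnNewFile {
    # Encrypt a fresh probe file and ask cipher.exe which recovery certificates it carries.
    # Only files encrypted AFTER the policy applied pick up a new agent; old files keep the old DRF.
    param([string]$Dir = (Join-Path $env:TEMP 'efs-dra-probe'))
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    $file = Join-Path $Dir 'probe.txt'
    Set-Content -Path $file -Value 'constructed probe content'
    [System.IO.File]::Encrypt($file)                    # uses (or creates) the current user's EFS key
    $listing = (cipher.exe /c $file) -join "`n"         # /c = list users and recovery agents
    if ($listing -notmatch 'Recovery Certificates:') {
        return [pscustomobject]@{ File = $file; HasRecoverySection = $false; ExpectedAgentPresent = $false }
    }
    $recoveryPart = ($listing -split 'Recovery Certificates:')[-1]
    # cipher prints thumbprints in spaced groups; strip everything but hex digits before comparing
    $hexOnly = $recoveryPart -replace '[^0-9A-Fa-f]', ''
    [pscustomobject]@{
        File                 = $file
        HasRecoverySection   = $true
        ExpectedAgentPresent = ($hexOnly -match $ExpectedThumbprint)
    }
}

gpupdate.exe /target:computer /force | Out-Null
gpresult.exe /r /scope:computer          # applied GPOs, the DC they came from, and the last apply time

'--- GPOs that define EFS recovery agents ---'
Find-GposDefiningEfsRecovery | Format-Table -AutoSize
'--- DRA thumbprints Group Policy delivered to this computer ---'
Get-DeliveredDraThumbprints
'--- Recovery agents on a newly encrypted probe file ---'
Test-DraOnNewFile | Format-List
```

If the expected thumbprint is present in the delivered list but absent from the probe file, the policy reached the computer and the problem is on the encryption side (for example an agent certificate the client cannot chain). If it is absent from the delivered list while a second GPO shows up in the first table, the lower-precedence GPO's EFS entry is what the client is applying, which is the outcome DLN reported.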