Re: Problems setting up the Recovery Agent



Just wanting to clarify one thing about your test scenario...
When attempting to access the EFS protected file, logged in as
the RA, and you receive "Access Denied", the RA account does
have permissions at the NTFS level (was not stated).
That same message results from lack of NTFS permissions or
absence of the private key.

"techo crat" <spos4life@xxxxxxxxxxx> wrote in message
news:1166552801.729467.138170@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm having problems setting up the Recovery Agent (RA) to work in my
domain. I would like to know if I'm missing any steps.
I have a 2003 domain and installed Windows CA on the DC machine.

I created a domain user which I will use primarily as a RA. I logged
into the CA machine as the RA and exported its certificate.
I relogged back into the machine as the domain admin and imported the
certificate so that it is a part of the Recovery Policy of the domain.
I imported the cert by going to the Group Policy Editor/Computer
Configuration/Windows Setting/Security Setting/Public Key
Policies/Encrypting File System. In the Add RA wizard, 2nd screen where
I select the user profile, after finding the certificate file, it
displays User: USER_UNKNOWN. I don't know whether this indicates that
something is wrong already.

After completing this process, I see in the Group Policy Editor, under
Encrypting File System, that my newly added RA is displayed.

Next, I try to test if this RA works by going on a workstation and
logging in as a normal domain user and encrypting a dummy text file. I
relog on as the RA, and import the cert of the RA into this machine and
then try to open up the dummy file. But it failed. I then try to import
the private key file of the RA and then open the file and it still
fails. Both times it displays an "Access is Denied" message.

I would like to know what I'm doing wrong.

Thanks a lot for any help
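
The reply above names two causes for the same "Access is Denied" message: missing NTFS permissions or a missing private key. The following is an added example, not part of the original thread, that checks both for one file from the denied account's session. It assumes PowerShell 3.0 or later and a Windows version whose cipher.exe supports /c; the parameter and property names are hypothetical.

```powershell
# Added diagnostic (not from the thread). Run as the account that is denied.
# Assumes PowerShell 3.0+ and a cipher.exe that supports the /c switch.
param([Parameter(Mandatory)][string]$Path)

$file  = Get-Item -LiteralPath $Path -Force
$isEfs = [bool]($file.Attributes -band [IO.FileAttributes]::Encrypted)

# 1. NTFS: ACEs that grant or deny ReadData to SIDs in the current token.
#    Approximation only; it does not compute full effective access.
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$read = [Security.AccessControl.FileSystemRights]::ReadData
try {
    $acl   = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true,
                 [Security.Principal.SecurityIdentifier]) |
             Where-Object { $sids -contains $_.IdentityReference.Value -and
                            ($_.FileSystemRights -band $read) }
    $deny   = @($rules | Where-Object AccessControlType -eq 'Deny')
    $allow  = @($rules | Where-Object AccessControlType -eq 'Allow')
    $ntfsOk = ($deny.Count -eq 0 -and $allow.Count -gt 0)
} catch {
    $ntfsOk = $false   # the ACL itself could not be read
}

# 2. EFS: thumbprints of every certificate the file was encrypted to
#    (users and recovery agents), parsed from "cipher /c" output.
#    cipher prints a SHA-1 thumbprint as ten groups of four hex digits.
$pattern = '((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})\s*$'
$fileThumbs = @(& cipher.exe /c $file.FullName | ForEach-Object {
    if ($_ -match $pattern) { $Matches[1] -replace '\s', '' }
})

# 3. Certificates in this account's personal store that have a private key
#    and also appear on the file.
$mine  = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
$match = @($mine | Where-Object { $fileThumbs -contains $_.Thumbprint })

[pscustomobject]@{
    File                = $file.FullName
    EfsEncrypted        = $isEfs
    NtfsReadAllowed     = $ntfsOk
    FileCertThumbprints = $fileThumbs
    MatchingPrivateKeys = @($match | ForEach-Object { $_.Thumbprint })
}
```

If NtfsReadAllowed is false, the denial can be explained by the ACL alone. If it is true and MatchingPrivateKeys is empty, the account holds no private key for any certificate listed on the file.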