Re: EFS, certificates etc

From: martin (
Date: 10/15/02

From: "martin" <>
Date: Mon, 14 Oct 2002 19:32:12 -0700

Robert's advice is spot on.

"L-Smith", I had the same problem as you have when I first
started off. You need to import the *.PFX which you have
created using the cipher /r:filename switch to designate
the recovery agent. As you know, the command creates a CER
& PFX, but if you simply import the CER you will more than
likely get the error message; the PFX is the one you
need, "The Key". If you import this file into your
MMC "Group Policy" snap-in & then import the PFX into
the "Public Key Policies/Encrypting File System"
container, all should be sweet ..

Kindest regards
>-----Original Message-----
>I backed up system state (in case of disasters!) then created a certificate
>for the Admin account, which I have designated as the data recovery agent.
>I created an encrypted file for a user. The user can decrypt it, but the
>data recovery agent cannot. The file properties show the admin account as
>being the designated recovery agent, but when the admin account tries to
>access it, or change the file properties, I get an 'access denied' message.
>Both the admin and user's account certificates are in the
>root\certificates (local computer)\trusted certificate\certificates store.
>I haven't tried exporting keys or certificates, but am obviously missing
>something here.
>Any ideas anyone as to why this isn't working?
>"Jupiter Jones" <> wrote in
>> Read and understand this document before using
>> y/default.asp
>> Play around with duplicate or unimportant files using all scenarios to
>> assist you in full understanding of EFS.
>> A few times a week someone comes here for help unencrypting files and
>> there is often no help.
>> As you are learning, EFS is real good at what it does and there is no
>> back door.
>> --
>> Jupiter Jones
>> Please respond to newsgroup only.
>> Everyone can benefit from the message.
>> "L Smith" <> wrote in message
>> news:e$VLI80cCHA.1540@tkmsftngp10...
>> > Hi
>> >
>> > Newbie here - at least to EFS.
>> >
>> > I am running XP Pro on a stand alone PC and trying to get to grips with
>> > data encryption.
>> >
>> > I understand that once encrypted, if you lose the associated key, it is
>> > impossible to recover encrypted data. I have searched the Help files and
>> > the newsgroup and found much about exporting certificates and creating
>> > data recovery agents.
>> >
>> > As far as I can see, once I create a certificate for the administrator
>> > account, I can designate that account as the data recovery agent and can
>> > then use that account to recover any encrypted files on the PC. If I
>> > export the certificate to a floppy disk, at a later date I can import it
>> > after a fresh install and recover encrypted files from a back up. This is
>> > exactly what I want, as I would not like to lose my data, but presumably
>> > the floppy then creates a security risk.
>> >
>> > However, I cannot find out how to do the first step, which is create the
>> > certificate. Unless I can do that, I am reluctant to encrypt the data.
>> >
>> > Can anyone point me in the right direction, please.
>> >
>> > Thanks
>> >
>> > LS
>> >
>> >
>> > This message was checked by Norton Anti Virus 2002 before sending
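A way to check the point martin and the original poster are circling, as an added example and not code from anyone in the thread: `cipher /r:filename` writes a .cer (certificate only) and a .pfx (certificate plus private key) with the "File Recovery" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1). The .cer is what the EFS recovery policy needs to designate the agent; the .pfx is what the recovering account must hold in its own Personal store, otherwise recovery ends in "access denied" even though the file properties list that account as the agent. The script below inspects both files and the current user's Personal store and reports whether a certificate is actually usable for recovery. The file paths are placeholders for whatever name was passed to `cipher /r:`; `Get-PfxCertificate` prompts for the password set at creation. The `cipher /c` call at the end is assumed to be available (it is on Vista and later, not on the XP machine in the thread) and is there to compare the agent thumbprints recorded on an encrypted file against what the store holds.

```powershell
# Added example (not from the thread): is this EFS recovery agent certificate usable?
# Two things must both be true for the recovering account:
#   1. the certificate carries the "File Recovery" EKU that cipher /r: issues, and
#   2. the account holds the PRIVATE key (the .pfx was imported, not just the .cer).

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU OID

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    return $oids
}

function Test-EfsRecoveryAgentCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $ekus       = Get-EkuOids -Cert $Cert
    $isRecovery = $ekus -contains $FileRecoveryEku
    $notExpired = $Cert.NotAfter -gt (Get-Date)
    [pscustomobject]@{
        Subject           = $Cert.Subject
        Thumbprint        = $Cert.Thumbprint
        HasFileRecoveryEku = $isRecovery
        HasPrivateKey     = $Cert.HasPrivateKey
        NotAfter          = $Cert.NotAfter
        # Only a cert that is a recovery cert, unexpired AND has its private key can decrypt.
        UsableForRecovery = $isRecovery -and $Cert.HasPrivateKey -and $notExpired
    }
}

# --- Check 1: the two files cipher /r: produced (placeholder paths) ---------------
$cerPath = 'C:\recovery\dra.cer'   # placeholder: <filename>.cer from cipher /r:<filename>
$pfxPath = 'C:\recovery\dra.pfx'   # placeholder: <filename>.pfx from cipher /r:<filename>

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$pfx = Get-PfxCertificate -FilePath $pfxPath   # prompts for the password chosen at creation

Test-EfsRecoveryAgentCert -Cert $cer   # expect HasPrivateKey = False: the .cer alone cannot recover
Test-EfsRecoveryAgentCert -Cert $pfx   # expect HasPrivateKey = True:  this is the one to import

# --- Check 2: what the recovering account really holds in its Personal store -------
# A cert sitting only in Trusted Root (as in the original post) is not in CurrentUser\My
# and does not carry a private key, so nothing is listed as UsableForRecovery here.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EfsRecoveryAgentCert -Cert $_ } |
    Where-Object { $_.HasFileRecoveryEku } |
    Format-Table Subject, Thumbprint, HasPrivateKey, UsableForRecovery -AutoSize

# --- Check 3: which agents an encrypted file actually names (Vista+; assumed available) --
# Compare the recovery-agent thumbprint printed here with the Thumbprint column above.
$encryptedFile = 'C:\data\secret.txt'   # placeholder: a file encrypted under the policy
if (Test-Path $encryptedFile) {
    cipher /c $encryptedFile
}
```

Once the .pfx has been imported and a certificate shows `UsableForRecovery = True`, the agent account can decrypt the test file. The floppy concern in the original question follows from the same fact: whoever holds that .pfx and its password holds the recovery key, so keep the exported .pfx offline and treat it with the same care as the data it can unlock.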
