Re: Problem with EFS...
From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 03/17/03
From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> Date: Sun, 16 Mar 2003 23:08:03 -0700
comments inlined
"Chris" <ehathgepiurhe@REMOVETHIS.yahoo.com> wrote in message news:plja7v0ogecn7vijcq1dr27esit405dqf8@4ax.com...
> Hi,
>
> I was having a problem with decrypting files using EFS on Windows XP
> that I was hoping someone may be able to help me with. Specifically, I
> cannot use a DRA to decrypt them. These are the steps I followed (all
> on a stand-alone, non networked PC):
> 1. Created the user account that I wanted to be the DRA (& added them
> to the Administrators group)
OK, but the DRA does not have to be an admin.
> 2. Logged on as that user
> 3. Opened up a command prompt, & typed "cipher /r:efscert"
> 4. This created the efscert.cer & efscert.pfx files
good
> 5. I logged out of this user, & logged back in as my account (with
> Admin rights)
> 6. I then went into MMC & opened up Certificates (My User Account). I
> then opened up the Certificates - Current User-Personal-Certificates
> folder
> 7. I then imported the .pfx file that I created for the DRA account
you needed to do this in the account that is to be the DRA
> 8. I then went into MMC & opened up Local Computer Policy-Computer
> Configuration-Windows Settings-Security Settings-Public Key
> Policies-Encrypting File System
> 9. I then added the .cer I created for the DRA account
OK, this can be done from any admin account
IOW, all of the above could have been done during one login
session of the new DRA admin account
> 10. I exited from MMC & encrypted a plain text file as a test
> 11. I logged out of my account, & logged back in as the DRA account
but it is not a DRA - you imported that pfx to a different account
> 12. When I tried to open the encrypted file, the message given was
> "Cannot open the {location & filename} file. Make sure a disk is in
> the drive you specified" (the file was on the hard drive, not a floppy
> disk), & when I right clicked on it & tried to remove the tick
> specifying that it was encrypted, I got "An error occurred applying
> attributes to the file {location & filename}. Access is denied")
> 13. I then logged out of the DRA account & logged back in as myself. I
> was able to access the text file fine, & to remove the encryption (& I
> checked the details tab - the DRA account was listed as the "Data
> Recovery Agents for this file as defined by Recovery Policy")
It got the name from the cert, but that account cannot decrypt
until you give it the decrypting key by importing the pfx into it.
> Can anyone tell me what I've missed? The strange thing is that before
> I had to format my drive & reinstall XP from scratch. I had EFS & the
> DRA working fine, & as far as I can remember, I used the exact same
> steps.
>
> Thanks,
>
> CM
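
The check that follows from the reply above, as an added example that is not part of the original thread: run it while logged on as the account meant to be the DRA to see whether that account actually holds a File Recovery certificate together with its private key. It assumes a Windows system with PowerShell available (the XP setup in the thread predates it); the function name `Get-FileRecoveryCert` is hypothetical.

```powershell
# Added example, not from the original thread.
# Run in a session of the account that is supposed to act as the DRA.

# Enhanced Key Usage OID for "File Recovery" (the usage a DRA certificate carries).
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-FileRecoveryCert {
    # Hypothetical helper: lists certificates in the given store that carry the File Recovery EKU.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
    }
}

$certs = @(Get-FileRecoveryCert)

if ($certs.Count -eq 0) {
    # The situation in the thread: the .pfx was imported into a different account,
    # so this account has nothing to decrypt with.
    Write-Output 'No File Recovery certificate in this account''s Personal store. Import the .pfx while logged on as this account.'
}

foreach ($c in $certs) {
    # HasPrivateKey = False means only the public certificate (.cer) is present;
    # recovery needs the private key that ships in the .pfx.
    [pscustomobject]@{
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        NotAfter      = $c.NotAfter
    }
}
```

A row with `HasPrivateKey` set to `True` means the account can act as recovery agent for files encrypted under a policy that lists that same certificate.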