Re: Data Recovery Agent

From: XDA974 (XDA974_at_discussions.microsoft.com)
Date: 06/23/04


Date: Tue, 22 Jun 2004 17:17:01 -0700

Mike,
I must tell you, I took the time to read those tedious links that MVP person sent me and, as I wrote already, they were tedious; it was painful to go through them and I got next to NOTHING about how it's done. Your directions appear to be superior in their guidance and I think you should be the MVP!
Also, the thing I was able to get out of the FAQ is that I must designate a DRA BEFORE I begin encrypting docs; is this correct?
Also, my current user account is already an Administrator, so is it still necessary for me to log in as Administrator proper?
Thanks!

-- 
ENAS
"Miha Pihler" wrote:
> Well most of us around here answer these questions in our free time for free 
> to help out. I am sure that you could find your answer in one of those FAQs, 
> but it takes time I know...
> 
> Well you need a recovery agent. You have a few options. First one is you can 
> make your administrator a recovery agent or you can create a new user that 
> will be your recovery agent.
> 
> If you want it to be administrator, log on as administrator. Check that 
> administrator has a certificate that will enable him EFS function. For this 
> you can use IE under Tools -> Internet options -> Content -> Certificates. 
> If there is a certificate Issued to: Administrator you can export it by 
> clicking export. If you have the option, select No, do not export the private 
> key and save the *.cer file on local hard drive. Remember the path where you 
> saved it and close all the windows. If you don't have any certificates for 
> administrator, encrypt any file to create a self-signed certificate for 
> administrator (e.g. create an empty text file and encrypt it; you can then 
> delete it)...
> 
> Then open group policy editor (start -> run -> gpedit.msc) and drill down 
> under computer configuration -> windows settings -> security settings -> 
> Public key Policies -> Encryption File System -> right click in right pane 
> and select Add Recover Agent. Select Browse (folders) and look up an 
> administrator certificate that you exported earlier and add it...
> After you have done this, close Group Policy editor, log off as 
> administrator and log on with your usual account. From command line run: cipher 
> /u. This will update all your encrypted files with new data recovery 
> agent...
> 
> On your system don't have any user accounts with a blank or easy-to-guess 
> password. This will make EFS useless. Your certificates will expire after 1 
> year so you will have to issue a new one (e.g. if administrator certificate 
> expires and you won't renew it, you won't be able to encrypt any files)...
> Last but not least. Export and make backup copies of ALL your private keys!
> 
> I hope this helps you out,
> 
> Mike
> 
> "XDA974" <XDA974@discussions.microsoft.com> wrote in message 
> news:FF26CE48-B543-4386-A04B-E5D6410C29EA@microsoft.com...
> > No it's a home workstation. I was angry before which is why I wrote in 
> > Caps. I said in my original message, if whoever sees my post and sends a 
> > FAQ, don't do it! So what happened? This carey person sends me the lazy 
> > answer, FAQ! Which in turn DID NOT answer my question.
> > Anyway, like I said in my message I have successfully installed my 
> > certificate in the personal store and it has been accepted. My problem 
> > now, is that I am having a difficult time on how the Data Recovery Agent 
> > is installed.
> > -- 
> > ENAS
> >
> >
> > "Miha Pihler" wrote:
> >
> >> You could give us some more information if you want a specific answer. First
> >> quite important information is: is your computer part of a domain or not?
> >>
> >> And please don't write in all capital letters. It's not polite and it's hard
> >> to read.
> >>
> >> Mike
> >>
> >> "XDA974" <XDA974@discussions.microsoft.com> wrote in message
> >> news:4509A7BF-B151-4650-A00D-5492B0D7CFAB@microsoft.com...
> >> > I NEED ONE SPECIFIC ANSWER NOT THOSE FAQs! THEY DO NOT ANSWER MY QUESTION
> >> > ELOQUENTLY!!!!!!!!!!
> >> > -- 
> >> > ENAS
> >> >
> >> >
> >> > "Carey Frisch  [MVP]" wrote:
> >> >
> >> >> HOW TO: Remove File Encryption in Windows XP
> >> >> http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993
> >> >>
> >> >> Methods for Recovering Encrypted Data Files
> >> >> http://support.microsoft.com/default.aspx?scid=kb;EN-US;255742
> >> >>
> >> >> -- 
> >> >> Carey Frisch
> >> >> Microsoft MVP
> >> >> Windows XP - Shell/User
> >> >>
> >> >> Be Smart!  Protect your PC!
> >> >> http://www.microsoft.com/security/protect/
> >> >>
> >> >> ---------------------------------------------------------------------------------------
> >> >>
> >> >> "XDA974" <XDA974@discussions.microsoft.com> wrote in message:
> >> >>  news:96B713C4-CB8B-44D4-A198-8CE403697949@microsoft.com...
> >> >>
> >> >> | Please provide me with a step-by-step solution not go to the FAQ and go take a jump in the lake! I need to know how to include the Recovery Agent in the slot that shows the encryption details for a particular file.
> >> >> | For example in the upper window we see the User(s) who have transparent access to the file and below it shows the Data Recovery Agent which can recover [decrypt] that file.
> >> >> | I need to know how I install this Recovery Agent. HOW IS THIS DONE? Step-by-step not a FAQ file that is chaotic and simply opens up another can of worms!
> >> >> | -- 
> >> >> | ENAS
> >> >>
> >> >>
> >>
> >>
> >> 
> 
> 
> 

