Steven L Umbach
Comments inline.
DJ said: Ok, I'm understanding what you're saying, but...

> This is why I think you really never have to create a DRA before you start
> encrypting files. You can create that DRA way after the fact (after you've
> encrypted 10,000 files) and that same DRA will decrypt every one of them
> with no problems.

That is only the case if the user still has his EFS private key in his user
profile. The problem is if the user ever loses access to his private key due to
corruption of his user profile, deleting his user profile, forgetting his
password on a non-domain computer, or reinstalling the operating system to a
formatted system drive, then the user has lost permanent access to his EFS
files unless a RA had been previously configured [assuming no other user
could decrypt the files, he did not back up his private key to a password
protected .pfx file, there was not a backup of his user profile that
contained his EFS private key, or as a domain user his EFS private key was
not archived].

> Because if you follow what I'm saying in a "test lab" and you encrypt files
> under a user account, then create a DRA, log off the Administrator once the
> DRA is implemented, log on as the user that encrypted the files, then log off
> as the user, log back on as Administrator, you can decrypt every pre-DRA
> encrypted file that was encrypted by the user.

That is standard operating procedure when a RA has been defined in the
security policy of the computer, assuming the user has his EFS private key
in his user profile/certificate store, though cipher /u is best practice to
make sure all files have been updated with the new RA.

> Remember something... before the first logoff as Administrator (after the DRA
> is implemented), you cannot decrypt anything, but once you log on for the
> second time as Administrator, you can copy or open any pre-DRA encrypted
> file that you want.

Again that is normal, with the key being that you logged on as the user that
encrypted the EFS files with his EFS private key in his profile and the
RA was configured in security policy before you logged on as the RA
again. --- Steve
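As an added example (not code from the thread or from either poster), a PowerShell audit of the two points Steve makes: which encrypted files still lack a recovery certificate until cipher /u rewrites them, and a backup of the user's own EFS private key to a password-protected .pfx so losing the profile is not fatal. The $Root path, the .pfx file name and the line layout parsed from cipher /c output are assumptions.

```powershell
# Added example, not from the thread: audit which EFS-encrypted files already
# carry a recovery certificate and which still need 'cipher /u', then back up
# the current user's own EFS private key to a password-protected .pfx.
# Assumptions: $Root is where to look; the 'cipher /c' text layout
# ("Recovery Certificates:" section, "Certificate thumbprint:" lines, then
# "Key Information:") is assumed from current Windows builds.
param(
    [string]$Root = "$env:USERPROFILE\Documents"
)

# Files with the Encrypted attribute (the same set 'cipher /u /n' would list,
# limited to $Root). A DRA added to policy later does NOT touch these until
# each file is rewritten or 'cipher /u' is run, which is what this audit checks.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })

$missing = @()
foreach ($f in $encrypted) {
    $out = @(cipher.exe /c $f.FullName)
    $hasDra = $false
    $hit = $out | Select-String -SimpleMatch 'Recovery Certificates' | Select-Object -First 1
    if ($hit -and $hit.LineNumber -lt $out.Count) {
        # LineNumber is 1-based, so indexing from it yields the lines after the header.
        foreach ($line in $out[$hit.LineNumber..($out.Count - 1)]) {
            if ($line -match 'Key Information') { break }
            if ($line -match 'thumbprint') { $hasDra = $true; break }
        }
    }
    if (-not $hasDra) { $missing += $f.FullName }
}

"{0} encrypted file(s) under {1}; {2} lack a recovery certificate:" -f $encrypted.Count, $Root, $missing.Count
$missing
# Once the DRA is in policy, have the *owning* user run 'cipher /u' to stamp it
# onto every file they can open; only files their own key decrypts get updated.

# Second safeguard from the thread: export the user's EFS certificate and private
# key (EKU 1.3.6.1.4.1.311.10.3.4 = Encrypting File System) to a .pfx kept off-box.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') }
if ($efsCerts) {
    $pw = Read-Host -AsSecureString 'Password for the .pfx backup'
    $efsCerts | Export-PfxCertificate -FilePath "$env:USERPROFILE\efs-key-backup.pfx" -Password $pw | Out-Null
}
```

Run it as the user who owns the files, since cipher /c and the certificate export both operate on that user's own keys.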