Background:
Internal Certificate Service running in a 3-tier hierarchy: Enterprise CA,
Subordinate CA, Exchange CA.
The default Domain Administrator and an additional domain administrator have
requested and received EFS Recovery certificates and have been set up in the
Default Domain Policy under Security Settings | Public Key Policies | Encrypted
Data Recovery Agents.
I created a test file on a workstation with a test account that has Domain User
rights and encrypted the file successfully. To test the ability of the
Recovery Agents, I performed the process described in the "Encrypting File
System for Windows 2000" white paper, but this does not work. From Windows
Explorer I get the message '"Access is Denied" Error Message When Encrypting or
Decrypting Files or Folders'. I also tried going to the user's home directory
with one of the accounts and attempted to decrypt the file, and this didn't
work either.
TechNet article 264064 seemed to address the issue, but after applying the
solution the problem was not resolved. (As a matter of fact, all the
"System Volume" folders I inspected on my domain controllers have the System
account listed, but none of the permissions were checked, except in one place
where Full was checked on the boot partition of one domain controller.)
When I use the Efsinfo.exe utility, the following results are displayed for
the file in question. I have changed the domain name and accounts to generic
names for privacy. The "Bob.Train" account is a test account.
NOC List.txt: Encrypted
Users who can decrypt:
My DOMAIN\Bob.Train (CN=Bob Train)
Recovery Agents:
Unknown (CN=Domain Administrator)
Unknown (CN=Default Domain Administrator)
I am concerned about the "Unknown" entries and am wondering if this is the
root of the problem. It doesn't appear that the Recovery Agent accounts are
getting the permissions necessary to perform the function.
I want to make sure that I have the ability to recover encrypted files
before implementing this across the board. I have searched many articles in
this forum on the subject, as well as Microsoft's, and have yet to find a
solution. I would like any insight anyone may have in solving this.
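The poster's concern is the "Unknown" recovery agent entries that Efsinfo.exe reports. Before rolling EFS out across a domain, an administrator would want to sweep that output for every file and flag two conditions: recovery agents whose account Efsinfo could not resolve (printed as "Unknown"), and encrypted files that list no recovery agent at all. The following Python script is an added example, not code from the original post or from Microsoft; it parses text in the same layout as the Efsinfo output quoted above. The sample output, the MYDOMAIN name, and the extra file names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Efsinfo.exe output quoted in the post.
# Domain and account names are placeholders, not real identifiers.
SAMPLE_EFSINFO_OUTPUT = """\
NOC List.txt: Encrypted
  Users who can decrypt:
    MYDOMAIN\\Bob.Train (CN=Bob Train)
  Recovery Agents:
    Unknown (CN=Domain Administrator)
    Unknown (CN=Default Domain Administrator)
Report.doc: Encrypted
  Users who can decrypt:
    MYDOMAIN\\Alice.Test (CN=Alice Test)
  Recovery Agents:
    MYDOMAIN\\Administrator (CN=Administrator)
Scratch.txt: Encrypted
  Users who can decrypt:
    MYDOMAIN\\Bob.Train (CN=Bob Train)
  Recovery Agents:
Notes.txt: Not Encrypted
"""


@dataclass
class EfsEntry:
    path: str
    encrypted: bool
    users: list = field(default_factory=list)            # (account, cn) pairs
    recovery_agents: list = field(default_factory=list)  # (account, cn) pairs


# One "account (CN=common name)" line, as printed under either section.
ENTRY_RE = re.compile(r"^(?P<account>.+?) \(CN=(?P<cn>[^)]*)\)$")


def parse_efsinfo(text):
    """Parse Efsinfo-style output into a list of EfsEntry records."""
    entries = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(": Encrypted") or line.endswith(": Not Encrypted"):
            # A new file header: "<path>: Encrypted" / "<path>: Not Encrypted".
            path, _, state = line.rpartition(": ")
            current = EfsEntry(path=path, encrypted=(state == "Encrypted"))
            entries.append(current)
            section = None
        elif line == "Users who can decrypt:":
            section = "users"
        elif line == "Recovery Agents:":
            section = "agents"
        elif current is not None and section is not None:
            m = ENTRY_RE.match(line)
            if not m:
                continue  # ignore lines that are not account entries
            pair = (m.group("account"), m.group("cn"))
            if section == "users":
                current.users.append(pair)
            else:
                current.recovery_agents.append(pair)
    return entries


def unresolved_recovery_agents(entries):
    """(path, cn) for every recovery agent whose account shows as Unknown."""
    return [
        (e.path, cn)
        for e in entries
        for account, cn in e.recovery_agents
        if account == "Unknown"
    ]


def files_without_recovery_agent(entries):
    """Paths of encrypted files that list no recovery agent at all."""
    return [e.path for e in entries if e.encrypted and not e.recovery_agents]


if __name__ == "__main__":
    parsed = parse_efsinfo(SAMPLE_EFSINFO_OUTPUT)
    for path, cn in unresolved_recovery_agents(parsed):
        print(f"unresolved recovery agent on {path!r}: CN={cn}")
    for path in files_without_recovery_agent(parsed):
        print(f"no recovery agent on encrypted file {path!r}")
```

In practice the text would come from running Efsinfo over a directory tree and redirecting its output to a file; feeding that file to `parse_efsinfo` gives a per-file picture of which recovery agents are actually attached, which is the question the poster needs answered before deploying EFS more widely.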