On the computer where you created the EFS files that do not show a RA, try
running rsop.msc and then look at the results [if any] under computer
configuration/windows settings/security settings/public key
policies/encrypted file system. Does anything [such as RA certificates] show
there? It should if that computer is in the scope of management of the Group
Policy that has the RAs configured, which should be all computers if done at
the domain level and authenticated users have read and apply permissions to
the GPO as shown in the properties/security of the GPO. If certificates show
there, are they valid, as in that they have not expired as shown in valid from
dates on the general page? Group Policy settings can be forced to refresh
with the command gpupdate /force when run on the domain workstation.

If rsop.msc does not show the certificates and you feel that they should show
because of domain Group Policy configuration, you may have a problem with DNS
configuration in your domain, and to start with I would review the ADS DNS
FAQ at the link below to make sure your DNS is correct. It would also be a
good idea to run the support tool netdiag on the domain controllers and
domain workstation to see if any problems are found, such as for DNS, DC
discovery, domain membership, Kerberos, and trust/secure channel. I would
also run gpotool on at least one domain controller [such as PDC FSMO] to see
if there is a problem with Group Policy replication or version numbers.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Hi Steven!

Thank you for your tips....
gpresult says all policies applied successfully,
especially the EFS Recovery Policy.
I checked the certificates twice, they are made out of an EFS Recovery
Template.
I created a file and encrypted it 4 mins. ago, no RA is defined....
Is there a possibility to reset the EFS portion of Windows XP so that it
reloads GPO settings?
We now have several users who need their files recovered.....
Bad situation.

regards
daniel
:
Did running rsop.msc on that computer show the RA was defined by the domain
GPO? Possibly the file was encrypted before a RA was configured and has not
been accessed since. Try opening the file to see if a RA shows after closing
it, or creating a new EFS file to see what shows. If that all fails then
maybe there is a problem with GP applying to the computer. Usually that will
show as userenv errors/warnings in the application log. The support tool
gpresult can also show what Group Policies are being applied to the computer
and the last time they were applied. The certificates that you added to the
domain GP need to be RA certificates when you view them.

--- Steve

Hi Steve!

Sorry for the misunderstanding,
the domain group policy is defined, autoenrollment enabled, two accounts
entered as recovery agents..
On the client all group policies are applied, but in the details of an EFS
encrypted file I still cannot see any RA ....

regards
Daniel
:
Just because you cannot see it in Local Security Policy does not mean that
it is not enabled, as that just means there is nothing defined in Local
Security Policy. Run rsop.msc on a computer to see if it shows configured
via your domain Group Policy, and you can also examine the properties of an
EFS file in properties/advanced - details [or use efsinfo] to see if a RA is
associated with the EFS file.

--- Steve

Hi MS folks!

I'm a bit stressed, my users work with their EFS certificates and do a lot
of encrypting.
I now discovered that if I look at the encryption details of a file, there
is no RA displayed.
But I configured two accounts as RAs.
What can I do?
Domain Policy is defined, configured.
When I look at the local security policy of a domain computer I cannot see
anything
= "no policy defined"
Pls. help!

thank you very much
Daniel