Recovery Agent fails to recover Encrypted Data

  • Thread starter Thread starter sajid
  • Start date Start date
S

sajid

Hello Sir,

i installed CA on My domain controller. then i publish a
EFS Recovery Certificate for a user, then i go to Domain
security Policy and then Public Key Policy and then
Encrypted Data Recovery Agents and added that user as a
Recovery Agent (that user is also in domain admins group).
then i loged on with a administrator account and encrypt a
file. also encrypt a file with ordinary user, then i loged
on with Recovery Agent Account and tryed to decrypt those
files but Error "Access Denied"

where i m doing wrong. I think Recovery Agent should
Decrypt encryted files which are encryted after his
addition in Recovery Agent.
Please Help me

Thanks in Advance

Muhammad Sajid.
Lahore, Pakistan.
 
Hello Sir,

i installed CA on My domain controller. then i publish a
EFS Recovery Certificate for a user, then i go to Domain
security Policy and then Public Key Policy and then
Encrypted Data Recovery Agents and added that user as a
Recovery Agent (that user is also in domain admins group).
then i loged on with a administrator account and encrypt a
file. also encrypt a file with ordinary user, then i loged
on with Recovery Agent Account and tryed to decrypt those
files but Error "Access Denied"

where i m doing wrong. I think Recovery Agent should
Decrypt encryted files which are encryted after his
addition in Recovery Agent.
Please Help me

Thanks in Advance

Muhammad Sajid.
Lahore, Pakistan.
Hi Muhammad,

To verify who can open the encrypted file, use the EFSINFO.EXE command
from the WIndows 2000 Resource Kit. The EFSINFO /R /U /C command will
show you the thumbprints for both the User and Recovery Agent
certificates that can access the EFS encrypted file.

Ensure that you are performing the recovery attempt from the same
computer where you enrolled the EFS Recovery Certificate. The Private
key associated with the certificate only exists in that profile of the
administrator account. It is *not* the account that is the recovery
agent, it is the holder of the *private key* that can open the file as
the recovery agent.

You may have to import the private key onto a different computer to open
the file.

Please see the EFS whitepaper for more information:

http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/
default.asp

http://www.msdn.microsoft.com/library/default.asp?url=/library/en-
us/dnsecure/html/WinNETSrvr-EncryptedFileSystem.asp
 
And the private key was generated on whichever machine the user enrolled for
the certificate.

I replied to this in greater length on another newsgroup.
 
Back
Top