Hi Roger,

To create and link the group policy I have followed the usual steps. Open
gpmc.msc, click on the company.com domain and select "Create and link GPO
here...".
Then create the Recovery agent with a certificate from the enterprise CA; I have
also added the Enterprise CA certificate to the "trusted root certification
authority".
Then make sure that the Group policy has been applied on client
workstations and the file server.
Enable "Trust computer for delegation" on the file server.

One more thing that may be related to the problem:
Before, we had a recovery agent configured on the "Default Domain Group
Policy" with an outdated certificate. I deleted that recovery agent (we
did not have any encrypted files on the network), and then created the
new policy described above.

I think it is a pretty standard procedure; that's why I have referred to
this as "enable on domain level" and "link it to the domain".

Yuriy

Re: EFS files without recovery agent by Roger

Roger
Thu Sep 14 09:40:46 CDT 2006

OK, just checking, rather than assuming, what steps you have taken.
In what you have just now posted, you did not state explicitly that
the Recovery Agent cert was added into the group policy, but only
> Then create Recovery agent with certificate from enterprise CA,
> I have also add Enterprise CA certificate to the "trusted root
> certification authority".
It is the adding of the recovery agent cert that I did want to confirm
has been done, as seems likely from what you have (nearly) now
said, i.e. that the DRA cert was named in the Encrypted File System
policy under the Computer section's Public Key Policy (which is under
Windows Settings\Security Settings).

Also, using
> Enable "Trust computer for delegation" on file server.
is not a normal step, and should be unneeded unless due to other
things you have happening.

At this point I would verify that the domain-linked GPO that carries
the Public Key Policy\Encrypted File System setting does have its
computer section enabled and has not had its security group filtering
modified (so it is still applied to Authenticated Users). Then, following
Steve's suggestion, use RSoP to make sure that the GPO is being
applied (although do not expect to see it showing the details for the
EFS policy; just make sure the GPO is shown as being processed).




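A scripted version of the checks Roger lists (computer section enabled, Authenticated Users still in the security filtering, GPO linked at the domain, RSoP showing it processed), added here as an example and not taken from the thread. It assumes the GroupPolicy PowerShell module from RSAT, a hypothetical GPO name "EFS Recovery Policy", and the domain DN DC=company,DC=com derived from the thread's company.com.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy module (RSAT),
# a hypothetical GPO named "EFS Recovery Policy", and the domain DN below.
Import-Module GroupPolicy

function Test-EfsRecoveryGpo {
    param(
        [string]$GpoName  = 'EFS Recovery Policy',   # hypothetical name
        [string]$DomainDn = 'DC=company,DC=com'       # from the thread's company.com
    )
    $problems = @()

    # 1. The EFS recovery policy lives under Computer Configuration\Windows Settings\
    #    Security Settings\Public Key Policies, so the computer section must be enabled.
    $gpo = Get-GPO -Name $GpoName
    if ($gpo.GpoStatus -in 'ComputerSettingsDisabled', 'AllSettingsDisabled') {
        $problems += "Computer settings are disabled (GpoStatus=$($gpo.GpoStatus))"
    }

    # 2. Security filtering must still grant Apply to Authenticated Users;
    #    otherwise workstations and the file server never process the GPO.
    $apply = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }
    if (-not ($apply | Where-Object { $_.Trustee.Name -like '*Authenticated Users*' })) {
        $problems += 'Authenticated Users no longer has the Apply permission'
    }

    # 3. The link at the domain root must exist and be enabled.
    $link = (Get-GPInheritance -Target $DomainDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link)             { $problems += "GPO is not linked at $DomainDn" }
    elseif (-not $link.Enabled) { $problems += 'Domain link exists but is disabled' }

    if ($problems.Count -eq 0) { "OK: $GpoName should reach every domain computer" }
    else                       { $problems }
}

Test-EfsRecoveryGpo

# RSoP from a client or the file server (Vista and later; plain
# "gpresult /scope computer" gives the summary on XP). As Roger notes, expect
# the GPO under "Applied Group Policy Objects" for the computer scope, not an
# itemised EFS setting.
gpresult /scope computer /r
```

The three checks map one to one onto Roger's list; a GPO that passes all three but still fails RSoP usually points at replication or a client that has not refreshed, which is why the `gpresult` run on the actual workstation stays part of the check.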


Re: EFS files without recovery agent by Yuriy

Yuriy
Thu Sep 14 11:40:33 CDT 2006

Hi Roger,

Thanks again for your reply.
You are right in your assumption. The Recovery agent was created under
the Encrypted File System policy under the Computer section's Public Key Policy
(which is under Windows Settings\Security Settings). And because it was
created from the Group Policy Object Editor, the certificate's intended purpose is
File Recovery.
All of the GPO settings were left at default, which means that Security
Filtering includes only Authenticated Users and the computer section of the
group policy is enabled.
To verify these settings have been applied I used RSoP.
> > Enable "Trust computer for delegation" on file server.
I have mentioned this as it is required if we need to use EFS on the file
server from workstations. Although it is not an issue, as files
encrypted on workstations also do not have a recovery agent.

Furthermore, Windows XP does not allow you to encrypt a file if the
computer is joined to a domain and the recovery policy is not configured.
That makes me think that the policy has been applied.

But the question still remains open. Why can I not see the recovery agent
in the "Data Recovery Agents for This File as defined by Recovery Policy"
list?

Yuriy




Re: EFS files without recovery agent by Roger

Roger
Thu Sep 14 18:59:23 CDT 2006


I guess we have been assuming that you are looking at a
freshly encrypted, or at least opened and resaved, EFS
encrypted file. The DRA will not get listed in the file's
header until it has been touched, such as by the above or by
use of the crypt utility.

Have you also looked at one of these files with the
efsinfo utility (I think that is from the Support Tools)?

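To make Roger's point concrete, an added example (not from the thread) that reads the recovery certificates recorded in a file's EFS header with `cipher /c` and refreshes stale files with `cipher /u`. It assumes Windows Vista or later for `cipher /c` (on XP the equivalent is efsinfo from the Support Tools, as Roger says), English-locale output for the section heading it parses, and a constructed placeholder file path.

```powershell
# Added example, not from the thread. Assumes Windows Vista or later, where
# cipher.exe /c prints the certificates held in an encrypted file's header;
# on XP use efsinfo.exe from the Support Tools instead.
function Get-EfsFileRecoveryAgents {
    param([Parameter(Mandatory)][string]$Path)
    $lines = & cipher.exe /c $Path
    # The "Recovery Certificates:" block lists each DRA stored in the file
    # header (display name and certificate thumbprint) up to the next blank
    # line; a file with no DRA shows "No recovery certificate found." there.
    # The heading text is an assumption based on English-locale output.
    $collect = $false
    $agents = @()
    foreach ($line in $lines) {
        if ($line -match 'Recovery Certificates') { $collect = $true; continue }
        if (-not $collect) { continue }
        if ($line.Trim() -eq '') { break }
        $agents += $line.Trim()
    }
    return $agents
}

# Files encrypted before the new DRA policy reached the machine still carry
# only the old (deleted) agent, or none at all, because the DRA is written
# into the header only when the file is encrypted, resaved or rewrapped.
# cipher /u rewraps the FEK of every encrypted file the current user owns
# with the user's current key and the DRAs now in policy; /u /n only lists
# which files would be touched. Run it as the owner of the files.
function Update-EfsRecoveryAgents {
    param([switch]$ReportOnly)
    if ($ReportOnly) { cipher.exe /u /n } else { cipher.exe /u }
}

# Constructed usage: inspect one file, refresh, inspect again.
$file = 'C:\Users\yuriy\Documents\secret.txt'   # placeholder path, not from the thread
'Before: ' + ((Get-EfsFileRecoveryAgents -Path $file) -join '; ')
Update-EfsRecoveryAgents
'After:  ' + ((Get-EfsFileRecoveryAgents -Path $file) -join '; ')
```

If the "After" line still shows no recovery certificate after the rewrap, the machine has not picked up the DRA from policy at all and the GPO-side checks earlier in the thread apply; if it now lists the agent, the files were simply encrypted before the policy arrived, which is the situation Roger describes.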