Archived from groups: microsoft.public.windowsxp.security_admin
Well, you've stumped me. Everything seems to be in order:
1. Your File Recovery cert applied to the file.
2. You have Full Control to the file.
3. You are logged onto the machine where the file lives and have the File
Recovery cert/key in your Personal certificates store.
There's something missing. Sorry I can't figure it out. Please let me know
if you do. Maybe you can find the answer in one of these:
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_phvy.asp (Scroll down to "Taking Recovery Precautions.")
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Thanks.
Pat
"Che" wrote:
> Forgot to add the NTFS right: admin has full control access to the folder.
> Tried on a different drive & folder and got the same error.
>
> Thanks
> Che
>
> "Pat Hoffer [MSFT]" wrote:
>
> > Check the following:
> > 1. Confirm the DRA certificate applied to the file. (I'm assuming you've
> > added this certificate to group policy on the machine.) Log onto the machine
> > as the Admin who is the DRA. Open the encrypted file's properties, click
> > Advanced > Details, and note the certificate thumbprint of the data recovery
> > agent that applied to the file. Then run certmgr.msc to open your Personal
> > Certificates store, open your DRA certificate to the Details page, and scroll
> > down to see the thumbprint. This should match the DRA thumbprint on the file.
> > 2. Confirm the admin who is DRA has NTFS permissions on the file. To open
> > the file, you must have at least READ permission; to decrypt the file, you
> > must have at least WRITE permission.
> >
> > Thanks.
> > Pat
> >
> > "Che" wrote:
> >
> > > Actually I have the admin .PFX file imported into the Personal Certificates
> > > store. Rebooted the machine before encrypting the file and I still cannot open
> > > the EFS file for which admin is said to be the DRA.
> > >
> > > So if a user leaves or forgets the password, how could IT open the EFS files?
> > >
> > > Let me know if you need more information.
> > >
> > > Thanks
> > > Che
> > >
> > > "Pat Hoffer [MSFT]" wrote:
> > >
> > > > It sounds like you have the certificate, but not the private key, installed
> > > > in your Personal certificates store. The .CER file is just the certificate.
> > > > You need the .PFX file which is the certificate and the private key. (The
> > > > private key is used to open/decrypt files.)
> > > >
> > > > If you used "cipher /r" to create the recovery certificate, it created a
> > > > .CER and a .PFX file. Locate the .PFX file, run it (or double-click on it),
> > > > and it will launch the Certificate Import Wizard. The wizard will
> > > > automatically install the certificate with key into your Personal
> > > > certificates store. (Select the option in the wizard to make the key
> > > > exportable.) Afterwards, it's a good idea to copy your .PFX file to a floppy
> > > > for safe-keeping.
> > > >
> > > > Thanks.
> > > > Pat
> > > >
> > > > "Che" wrote:
> > > >
> > > > > I have an EFS problem with XP / XP SP1 & XP SP2. I don't have Active Directory
> > > > > set up in the office and all XP machines are standalone workstations. I would like
> > > > > to enable EFS on laptops. I understand XP does not have a DRA set up by default, so
> > > > > I log in as admin, create the .CER file and use MMC to set the admin as the
> > > > > DRA. The user can encrypt a file and open the file even after a password change.
> > > > > However, when I log in as admin and try to open an EFS file encrypted by another
> > > > > user, I get an "access denied" error. When I use Windows Explorer to view the
> > > > > properties of the file, it says admin is the recovery agent name. The thumbprint
> > > > > is the same as the admin certificate under MMC > Certificate > Personal >
> > > > > admin.cer file.
> > > > >
> > > > > On a Windows 2000 workstation, I used to be able to log in as admin and open the
> > > > > EFS files encrypted by all users on the machine.
> > > > >
> > > > > Am I missing other steps?
> > > > >
> > > > > Thanks
> > > > > Che
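
Pat's checklist in this thread (the DRA thumbprint stamped on the file must match a certificate in the logged-on agent's Personal store that actually carries its private key, and the agent needs READ to open the file and WRITE to decrypt it) can be run as one script. The following is an added PowerShell example; it is not code from the thread, from Che, from Pat or from Microsoft. It assumes that cipher.exe accepts /c and prints a "Recovery Certificates:" section whose "Certificate thumbprint:" lines contain hex groups separated by spaces (that switch and output layout are from later Windows versions, so check them on the XP build at hand), that the File Recovery EKU OID is 1.3.6.1.4.1.311.10.3.4.1, and that PowerShell is available on the machine. The script name is hypothetical.

```powershell
<#
Added example (not from the thread). Run as the account that is supposed to be
the DRA, on the machine where the encrypted file lives:
    .\Check-EfsDra.ps1 -Path C:\Users\che\secret.txt
Assumptions: cipher.exe supports /c and prints "Recovery Certificates:" followed
by "Certificate thumbprint:" lines of space-separated hex; the File Recovery EKU
OID is 1.3.6.1.4.1.311.10.3.4.1; PowerShell is installed on the box.
#>
param([Parameter(Mandatory = $true)][string]$Path)

$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU (assumed OID)

# Check 1a: File Recovery certificates in the Personal store, and whether each
# one has its private key. Importing only the .CER gives a cert with no key,
# which is exactly the case Pat describes.
$storeDra = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsRecoveryOid }
})
if ($storeDra.Count -eq 0) {
    Write-Warning 'No File Recovery certificate in Cert:\CurrentUser\My; import the .PFX, not the .CER.'
}
foreach ($c in $storeDra) {
    '{0} {1} private key present: {2}' -f $c.Thumbprint, $c.Subject, $c.HasPrivateKey
}

# Check 1b: the DRA thumbprints EFS actually stamped on the file. The "Users who
# can decrypt" section lists thumbprints too, so only collect the lines between
# "Recovery Certificates:" and "Key Information:" (output layout is assumed).
$inRecovery = $false
$fileDra = @()
foreach ($line in (& cipher.exe /c $Path 2>&1)) {
    if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
    if ($line -match '^\s*Key Information:')       { $inRecovery = $false }
    if ($inRecovery -and $line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+?)\s*$') {
        $fileDra += ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}
if ($fileDra.Count -eq 0) {
    Write-Warning "cipher /c reported no recovery certificate on $Path (not encrypted, or no DRA applied to it)."
}

# A usable match needs the same thumbprint on the file and in the store, with key.
$usable = @($storeDra | Where-Object { $fileDra -contains $_.Thumbprint -and $_.HasPrivateKey })
if ($usable.Count -gt 0) {
    "OK: DRA certificate with private key matches $Path ($($usable.Thumbprint -join ', '))"
} else {
    Write-Warning "No Personal-store certificate with a private key matches the file's DRA thumbprint(s): $($fileDra -join ', ')"
}

# Check 2: NTFS ACEs on the file that apply to the current token (user or any of
# its groups). READ is needed to open the file, WRITE to decrypt it in place.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User) + @($id.Groups)
(Get-Acl -LiteralPath $Path).Access | ForEach-Object {
    try   { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return }   # unresolvable (orphaned) SID: not ours, skip it
    if ($sids -contains $sid) {
        '{0,-6} {1,-30} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
    }
}
```

If the first block prints the certificate with "private key present: False", the .PFX was never imported and the .CER alone is in the store; if the thumbprints differ, the file was stamped with a different recovery agent than the one currently installed, and it will need to be re-encrypted (or touched) by its owner after the correct DRA policy is in place. An empty ACE list in the last block means the agent is relying on ownership or an inherited group that did not resolve, and the Deny/Allow lines show at a glance whether READ and WRITE are both granted.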