Archived from groups: microsoft.public.win2000.security
"Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
> When a user encrypts a file remotely on a server, the EFS certificate/key is
> generated for the user on the server. (A profile is created for the user on
> the server and the certificate/key are stored in that profile.)
The above is inaccurate, or misleading at best.
A roaming profile might be created on SOME server if you set it up
that way, but the location of the roaming profile is totally unrelated
to the file server where the user encrypts files.
If they happen to be the same server, that is merely an accident
and never automatic (an admin must set up roaming profiles).
> If you want
> to back up that certificate/key, you would have to log onto the server as the
> user in order to access the profile data.
Logging in as the user is correct, but you could log on from any machine
in the domain (trust relationship, actually) where the profile was
available.
> (The certificate/private key can
> only be backed up from the Certificates > Personal store for that user.) If
> you configure your user to have a roaming profile, the server will use the
> EFS certificate/key from the roaming profile (or generate a certificate/key
> for that profile if it has none).
Actually, this is the profile that will store the user's file keys.
There is no separate profile just because of EFS.
> The user will then be able to access the
> same certificate/key from their roaming profile on their workstations and
> back them up there.
Are you saying a user with a non-roaming profile will actually
have a server specific certificate stored on that particular server?
Do you have a reference for this behavior...?
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> Thanks.
> Pat
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Roland Hübner" wrote:
>
> > Hello,
> > I have installed an "Enterprise root CA" on my Windows 2000 Server.
> > I open the MMC on a workstation with the Certificate snap-in. I select
> > "Certificate Manager", then "Active Directory User Object". Now my EFS
> > certificate appears.
> > If I want to export this certificate, I cannot select the private key.
> > Under "Certificate Manager" > "Personal" there is no certificate. I can create
> > my own EFS certificate under "Personal": I open Internet Explorer at the
> > address of the root CA, for example http://servername/certsrv, and I create
> > an EFS certificate with a private key that I can export. Problem: if I
> > create a file on the server and encrypt this file, then this file is encrypted
> > with the certificate under "Active Directory User Object".
> > Why? Can I configure the CA so that it takes my own certificate?
> > Or, can I as Administrator create a certificate with a private key that can
> > be exported and that is available on the domain? Or must I delete the
> > EFS template?
> > Thank you!
> >
> > "Roland Hübner" wrote:
> >
> > > Hello,
> > > I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> > > want to encrypt data on the server. I have installed a CA on a Windows 2000
> > > Server. A user from a workstation can encrypt a file; this is OK. The
> > > user is allocated the certificate.
> > > Therewith, so that the system is very safe, the user wants to save the private
> > > key on a disk.
> > > But I cannot export the private key. This function cannot be selected.
> > > What can I do to export the private key?
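
As an added example (not part of the thread), this PowerShell script lists the EFS certificates in the current user's Personal store, reports whether each private key is marked exportable (the check behind Roland's "cannot export" problem), and shows which certificate thumbprints a given encrypted file was encrypted for, so you can see whether the file uses a key that is actually in your own store. It assumes a current Windows version with PowerShell 3 or later and a cipher.exe that supports /c (the Windows 2000 cipher.exe discussed here does not); the file path is a placeholder.

```powershell
# Added example: inspect EFS certificates and their private-key exportability,
# then match them against the certificates a specific encrypted file uses.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
    } | ForEach-Object {
        $exportable = $null
        if ($_.HasPrivateKey) {
            try {
                # CSP-stored keys expose an Exportable flag; CNG keys may not
                # surface it through PrivateKey, so report that case explicitly.
                $exportable = $_.PrivateKey.CspKeyContainerInfo.Exportable
            } catch { $exportable = 'unknown (CNG key; inspect ExportPolicy)' }
        }
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            Exportable    = $exportable
            NotAfter      = $_.NotAfter
        }
    }
}

function Get-EfsFileThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c prints the users and recovery agents whose certificates can
    # decrypt the file; extract the thumbprints (10 groups of 4 hex digits).
    & cipher.exe /c $Path |
        Select-String -Pattern '([0-9A-F]{4} ?){10}' -AllMatches |
        ForEach-Object { $_.Matches.Value -replace ' ', '' }
}

$report = Get-EfsCertificateReport
$report | Format-Table -AutoSize

$file = 'C:\path\to\encrypted-file.txt'   # placeholder path, replace with a real one
if (Test-Path $file) {
    foreach ($t in (Get-EfsFileThumbprints -Path $file)) {
        $match = $report | Where-Object Thumbprint -eq $t
        if ($match) { "File uses a certificate in this user's store: $t (exportable: $($match.Exportable))" }
        else        { "File uses a certificate NOT in this user's Personal store: $t" }
    }
}
```

A key reported as not exportable cannot be backed up with Export-PfxCertificate or the Certificates snap-in; the certificate would have to be re-issued from a template that allows key export, which is the question the thread is asking.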