Need assistance getting Data Recovery Agent to work

I am trying to create and test a Data Recovery Agent and get to the point of
trying to decrypt the file from the Recovery Agent's account (Administrator)
and the system is denying me access. I'm running XPProSP2 in a workgroup.
First, as Administrator, I created the File Recovery certificate using cipher
and imported it into Public Key Policies using the Group Manager snap-in. I
also added it to the Trusted Root Certification Authorities using the
Certificate Manager snap-in (although I'm not sure this step is needed).
Next, I logged in as a Limited User and created a "hello world" file and
copied it into an encrypted folder. I can access it fine as Limited User.
It's encryption details show that Limited User has transparent access and
Administrator is a Data Recovery Agent. However, when I log in as
Administrator and try to decrypt the file by unchecking the "Encrypt
contents.." check box, I get "Access Denied". I must be missing a step, but
I've scoured the help documentation to no avail. Does anyone have any ideas?
Thanks in advance! Regards, Ken Crocker

"kcrocker" wrote:
> I am trying to create and test a Data Recovery Agent and get to the point of
> trying to decrypt the file from the Recovery Agent's account (Administrator)
> and the system is denying me access. I'm running XPProSP2 in a workgroup.
> First, as Administrator, I created the File Recovery certificate using cipher
> and imported it into Public Key Policies using the Group Manager snap-in. I
> also added it to the Trusted Root Certification Authorities using the
> Certificate Manager snap-in (although I'm not sure this step is needed).
> Next, I logged in as a Limited User and created a "hello world" file and
> copied it into an encrypted folder. I can access it fine as Limited User.
> It's encryption details show that Limited User has transparent access and
> Administrator is a Data Recovery Agent. However, when I log in as
> Administrator and try to decrypt the file by unchecking the "Encrypt
> contents.." check box, I get "Access Denied". I must be missing a step, but
> I've scoured the help documentation to no avail. Does anyone have any ideas?
> Thanks in advance! Regards, Ken Crocker

I solved my own issue. Here's how. The key (pun intended, 'couldn't resist!)
is to import the DRA certificate into the "Certificates - Current
User:Personal:Certificates" store. You'll need to import the public _and_
private keys, ie. the .PFX file, not the .CER file, which only has the public
key. As alluded to in the above post, it turns out that it is not necessary
to include the certificate in the Trusted Root Certification Authorities
store. If is isn't included, you'll see a note on the certificate saying
"This CA Root certificate is not trusted" but it will still work.