data recovery agent can't access encrypted files

terry b

HELLO, HELLO
(Judging by the number of posts regarding WindowsXP Encryption File
System, I'm not the only user who's much frustrated...)
I've spent a couple of hours reading articles & posts about 'How to Create a
Data Recovery Agent', and have followed the steps (used cmd-prompt and
"cipher /r:<filename>", created .cer and .pfx files, logged on as the user
who encrypts the files and opened the mmc console and imported the .pfx file
into Certificates, etc.) In fact, the certificates show up just fine in the
mmc file's 'Certificates>Local Computer>Personal & Trusted Root
Certification Authorities', so why when I log in as the DRA and try to open
the encrypted files, do I still get an 'Access Denied' message? In fact,
I've imported the Administrator's ( the user I'd like to set as DRA)
certificates into about 6 different branches in the mmc console, and also
I've gone into Group Policy>Windows Settings>Security Settings>Public Key
Policies, right-clicked and chosen 'Add Data Recovery Agent', and imported
the certificates there also.
What in the Sam Hill is the hangup? Is there some basic Group Policy setting
relevant to small networks (the unit I'm trying to set up the DRA on is host
for a WLAN) that isn't enabled, that needs to be?
Anybody got any idea what's being missed?
Thanks in advance for any relevant suggestions!

terry b.
 
Jupiter Jones [MVP]

Terry;
It almost sounds like you are creating a DRA after access is lost?
If so, it is not possible since the DRA needs to be determined while
you still have access.
Nothing can be created after access is lost.
At that point it is too late.
Most of the EFS issues posted here involve lost access when none of
the proper advance steps are taken.

If that is not the case, step 3 on this link may help:
http://www3.telus.net/dandemar/encrypt.htm
 
terry b

Hello, Jupiter Jones
Thanks for taking the time to respond....
As far as "creating the DRA after access is lost", I am going through the
steps to create said agent, and then creating, saving & encrypting the files
in question, so I don't think I've got my sequence wrong.
Check this out: If I right-click on one of the encrypted files in
question, click on Properties>Advanced>Details, it brings up the "Encryption
Details" window, and in the "Recovery Agent Name" field, there's the name
Administrator, just like it should be. And I STILL can't unencrypt &/or open
the files while logged in as the DRA/Administrator.

Any further ideas???

terry b.
Evans, CO.
 
Guest

When you log onto the user's computer as the DRA, are you importing the .pfx
file with the "File Recovery" certificate/key (the same one that's in your
EFS policy) into the MMC/Personal certificate store before accessing the
user's encrypted file? When EFS gives "Access is denied," it's usually
because there's no private key available to decrypt/open the file.

Thanks.
Pat

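The check Pat describes, written out as an added PowerShell example (not code from anyone in this thread): EFS resolves the recovery agent's private key from the logged-on user's own Personal store, so a certificate that was only imported under Local Computer, or a .cer (public key only) rather than the .pfx that cipher /r wrote, leaves the DRA with "Access is denied". The script lists File Recovery certificates in Cert:\CurrentUser\My, imports the .pfx if none is there, confirms a private key is attached, and then decrypts the file. The paths C:\dra\dra.pfx and C:\shared\secret.txt are assumed; cipher /c is assumed to be a Vista-or-later switch (the XP-era check was efsinfo.exe).

```powershell
# Added example, not from the original thread.
# Assumed paths: adjust to the .pfx produced by "cipher /r" and the file to recover.
$PfxPath    = 'C:\dra\dra.pfx'
$TargetFile = 'C:\shared\secret.txt'

# Microsoft "File Recovery" enhanced key usage OID; plain EFS user certs carry
# 1.3.6.1.4.1.311.10.3.4 instead, so this distinguishes the DRA cert.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryCert {
    # Only Cert:\CurrentUser\My matters here: EFS looks for the DRA private key in the
    # logged-on user's profile, not under Cert:\LocalMachine.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $FileRecoveryEku)
    }
}

$certs = @(Get-EfsRecoveryCert)
if ($certs.Count -eq 0) {
    Write-Host "No File Recovery certificate in Cert:\CurrentUser\My; importing $PfxPath"
    $pwd = Read-Host -AsSecureString 'PFX password (the one set when cipher /r ran)'
    # UserKeySet keeps the key in the user's profile; PersistKeySet stops it being
    # thrown away when this PowerShell session ends.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pwd, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    $certs = @(Get-EfsRecoveryCert)
}

foreach ($c in $certs) {
    Write-Host ('{0}  thumbprint {1}  private key present: {2}' -f $c.Subject, $c.Thumbprint, $c.HasPrivateKey)
}

# A .cer import produces a certificate with HasPrivateKey = False; only the .pfx carries the key.
if (-not ($certs | Where-Object { $_.HasPrivateKey })) {
    throw 'File Recovery certificate found but it has no private key: import the .pfx, not the .cer.'
}

# Assumed Vista-or-later switch: lists the users and recovery agents whose keys can
# unwrap this file's encryption key. The thumbprint shown should match one printed above.
cipher /c $TargetFile

# Decrypt in place as the recovery agent. /d clears the encryption attribute, so copy
# the file first if an encrypted copy should be kept.
cipher /d $TargetFile
```

Run this from a PowerShell session started under the account that is listed as the recovery agent. If the thumbprint cipher /c reports for the recovery agent differs from the one in the user's store, the .pfx being imported is not the one whose .cer was added to the Public Key Policies, and the file was encrypted against a different recovery key.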
 