EFS Data Recovery not working as expected


Leo Cruz

I've recently set up EFS for an enterprise network and everything is working
great, except decryption. I've created a custom group policy, set up an
enterprise CA, and everything seems to be working well. When I attempt to
recover data as the DRA, I'm getting access denied and cannot figure out the
cause. If this is the correct forum to post this in, let me know and I'll go
through an exhaustive explanation of the setup. If this is not the correct
forum, please let me know where I should post this. Thanks.
 
This is a newsgroup for XP only. I think what you want is one of the many
Windows Server newsgroups. I suggest you start with
microsoft.public.windows.server.general and the gurus there can further
direct you as needed.
 
I will post in there as well, but the affected machines are all XP machines;
we have not begun to deploy Vista yet. The infrastructure is all in place,
and I'm sure I'm overlooking something simple. Let me know if I should
abandon this post. Thanks.
 
Leo said:
I've recently set up EFS for an enterprise network and everything is
working great, except decryption. I've created a custom group policy,
set up an enterprise CA, and everything seems to be working well.
When I attempt to recover data as the DRA, I'm getting access denied
and cannot figure out the cause. If this is the correct forum to post
this in, let me know and I'll go through an exhaustive explanation of
the setup. If this is not the correct forum, please let me know where
I should post this. Thanks.

I don't use EFS, but you may find some help in the attached links:

The Encrypting File System
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us

How to back up the recovery agent Encrypting File System (EFS) private key
in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

How To Encrypt a Folder in Windows XP
http://support.microsoft.com/?id=308989

How To Remove File Encryption in Windows XP
http://support.microsoft.com/?id=308993

How To Encrypt a File in Windows XP
http://support.microsoft.com/?id=307877

HOW TO: Share Access to an Encrypted File in Windows XP
http://support.microsoft.com/?id=308991

Advanced EFS Data recovery
http://www.crackpassword.com/products/prs/mswin/efs/
 
Thank you for your reply. Believe me when I tell you that I have read all
Microsoft and most non-Microsoft articles on EFS. I have googled "EFS" and
read at least 2 pages' worth of searches; nothing explaining the problem I am
having. Probably something trivial, but I cannot figure it out. Essentially, I
have a CA set up as an enterprise CA issuing certificates to users
automatically. A group policy was created with group filtering for specific
machines that we want EFS to be used on regardless of who logs in. A test
user logs in, they get a certificate from the CA, and the DRA is listed as the
agent able to recover data, NOT the domain administrator (Microsoft best
practice). The thumbprint for the DRA on the encrypted file matches the
thumbprint of the DRA's file recovery certificate on the certificate server. I
log into the CA as the DRA and export the private key into PFX format. I log
into the machine that I want to recover data for as the DRA, import the private
key, try to decrypt data, access denied. I'm stumped, and Microsoft's
explanation of using a DRA is somewhat lacking when it comes to a domain setup.
 
