EFS File Recovery Agent Certificate Creation

Guest

I'm working on implementing EFS in our Windows 2003 domain. Our current EFS
File Recovery certificate has expired. It appears that the default cert that
was created when the domain was created over 3 years ago was the only one
listed. I've created one for myself but would like to add some other admins as
agents. When I attempt to add them to our GPO, I get an error that says "The
select user has no certificates suitable for EFS Recovery and cannot be added
as a recovery agent". How can I get around this and add my admins to this
policy?
 
Steven L Umbach

If you have an enterprise Certificate Authority for the domain then you can
request a new Recovery Agent certificate from it, assuming you are logged on
as a user that has proper permissions for that certificate template, which may
need to be a domain administrator if permissions are at default levels. You
can change permissions on the RA certificate template using the Certificate
Authority Management Console: go to certificate templates, right-click,
select manage, find the EFS RA certificate template, go to the security
page and make sure the users/global groups you want to get the certificate
have read and enroll permissions. Requesting a certificate can be done via
the MMC certificates snap-in for the user by going to the personal
certificates folder, right-clicking it, and selecting All Tasks - Request New
Certificate. If that works you can then export the certificate [NOT
including the private key] to a .cer file that can be used to import into
Group Policy as an RA.

Now if you don't have a CA you can use the cipher command on an XP Pro or W2003
computer while logged on as the user that you want to be RA and use cipher /R
to generate a new RA certificate/private key. You can use cipher /? to see
the cipher command's built-in help. Then import the .cer file that is created
into your Group Policy for RA and you should be good to go. By the way, be
SURE to keep the existing RA certificate/private key as it still can be and
may be needed to recover EFS files in the domain that still show it as RA.
Users' EFS files may not be updated to reflect the new RA until they are
modified or opened. --- Steve

cipher /r:pathNameWithoutExtension: Generates a new recovery agent
certificate and private key, and then writes them to files with the file
name specified in PathNameWithoutExtension. If you use this option, cipher
ignores all of the other options.
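The "no certificates suitable for EFS Recovery" error comes up when the chosen user's certificate lacks the File Recovery enhanced key usage (or has lapsed, as with the expired default cert above). The following PowerShell check is an added example, not something from this thread: it inspects a .cer file produced by cipher /R or exported from the CA before you try to import it into the GPO. The path is an assumption; pass whatever file you actually created.

```powershell
# Added example (not from the thread): report whether a .cer file is usable as an
# EFS recovery agent certificate in Group Policy. Path is a placeholder assumption.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath   # e.g. C:\EFS-RA\admin1.cer, written by: cipher /R:C:\EFS-RA\admin1
)

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU a recovery agent cert must carry
$EfsOid          = '1.3.6.1.4.1.311.10.3.4'     # ordinary EFS user EKU; NOT enough for RA

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Pull the Enhanced Key Usage extension (if any) and list its OIDs.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

$now = Get-Date
$problems = @()
if ($ekus -notcontains $FileRecoveryOid) {
    if ($ekus -contains $EfsOid) {
        $problems += 'carries only the EFS user EKU; an RA needs the File Recovery EKU'
    } else {
        $problems += 'has no File Recovery EKU'
    }
}
if ($cert.NotAfter  -lt $now) { $problems += "expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"   # compare with the RA entry shown in the GPO
"Valid      : $($cert.NotBefore) - $($cert.NotAfter)"
"EKUs       : $(if ($ekus) { $ekus -join ', ' } else { '(none)' })"
if ($problems.Count -eq 0) {
    'OK: suitable for import as an EFS recovery agent in Group Policy.'
} else {
    "NOT suitable: $($problems -join '; ')"
}
```

Run it against the old default RA cert too; the expiry line explains why that one stopped being offered, while the File Recovery EKU line explains why a plain user EFS cert is rejected.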
 
Guest

Thanks for the informative explanation. We do have a CA in our domain which
should make things easier. I still don't know if I can create certs from any
of my other users explicitly. It appears that they'll need to do this
themselves?
--
Sandy Wood
Orange County District Attorney

 
Steven L Umbach

In some cases you can use Certificate Services Web Enrollment, using a web
browser to access the CA via http://CAservername/certsrv and doing an
advanced certificate request; otherwise just have the user request from the
MMC certificate snap-in for the user. Of course if you know the user's password or
temporarily change it to allow yourself access [assuming no rules are broken
here] you could then do it as the user. --- Steve

http://technet2.microsoft.com/Windo...c885-481e-8a66-4eddf8ffe3e81033.mspx?mfr=true

 
