EFS

msgs

Could someone please send me some simple clear
instructions about using EFS, and how to define recovery
agents?

What I want is to enable the mobile users in our company
to use EFS on their laptops, but I want the local
administrator to be the recovery agent. This is the
default, but on some machines the RA is a domain admin
user (well, me, as I installed the OS on the machines).

How can I change this to local admin? If I choose Add
Recovery Agent, I need a certificate file (we have no AD
running yet), but if I export a certificate with MMC /
Certificates -> Export snap-in, it can only Export EFS
certificate, not a RA!

So either I'm doing something completely wrong, or I simply
don't understand something...

Please send your answer to e-mail address also...thanks!

ps. I thought that if you have no assigned Recovery
Agents defined, EFS is disabled? But on my home machine
(XP Pro) there are no RAs defined (nor can I define any,
see above), but EFS is working just fine?!?!

-M
 
Torgeir Bakken (MVP)

Hi

WinXP does not define a RA as default (this was changed from Win2k).

From a previous posting of mine:

Read and understand the information in the links below before you start using
Encrypting File System (EFS), or you will very likely lose your files one
time in the future:

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp

(58 pages, will also tell the differences between Win2k and WinXP regarding
EFS)

also gives information/links on how to export keys, e.g.

"Data Recovery on Standalone Machines"

Under "Knowledge Base Articles on EFS" you will find e.g.

Q241201 How to Back Up Your Encrypting File System Private Key
Q259732 EFS Recovery Agent Cannot Export Private Keys
Q255742 Methods for Recovering Encrypted Data Files


Reading Q255742, will give you this as well:

Q241201 HOW TO: Back Up Your Encrypting File System Private Key in Windows 2000

Q242296 How to Restore an EFS Private Key for Encrypted Data Recovery


If your computer is not a member of an AD domain, this part of the document is
obligatory reading:

"Using EFS with Standalone Machines or NT 4.0 Domains"
 
