EFS


Oriane

Hello,

With the help of Drew Cooper [MSFT], I finally understood why I can't encrypt
a file/directory on my computer (XP) using EFS. Here is an excerpt of our
discussion on microsoft.public.

____________________________________________________________________________


<[email protected]> wrote in message
| Have you tried running rsop.msc (the RSOP MMC snapin) to see what policies
| are being applied to your machine? Is there an invalid EFS recovery
| certificate there?
Yes, there is one, named CDECREM, self-signed, in the machine config/Windows
parameters/Public key policies/EFS! It is invalid (already expired), but I
can't find it in my machine stores or in my personal stores on my
machine.

____________________________________________________________________________

Now the problem that I have is to get rid of this certificate, knowing that it
must be sent by my domain controller.

Can someone help me?

Oriane
 

Steven Umbach

The certificate/private key for the Recovery Agent may have been already deleted
in the user's computer store. For Windows XP Pro you can use cipher to generate
new certificate/keys for Recovery Agent. Once you generate the key and save it
to a .pfx file you can click the file to start the installation wizard. After it
is installed you can export the certificate [probably from the built-in
administrator account] to a .cer file and then import it into the security
policy as a Recovery Agent certificate by selecting add and then navigating to
the folder where the .cer file is located.

-- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cipher.mspx
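
The command-line part of the procedure described in the post above, as an added example that is not part of the original thread. The base file name `dra` is an assumption, and the policy import in the middle is still done by hand in the security policy console.

```bat
@echo off
rem Added example. "dra" is an assumed base file name, not from the thread.
rem Run from a folder only administrators can read: dra.pfx holds the
rem recovery agent's private key.

rem 1. Generate a self-signed recovery agent certificate and key.
rem    cipher prompts for a password to protect the .pfx, then writes
rem    dra.pfx (certificate + private key) and dra.cer (certificate only).
cipher /r:dra
if not exist dra.pfx (
    echo cipher did not produce dra.pfx
    exit /b 1
)
if not exist dra.cer (
    echo cipher did not produce dra.cer
    exit /b 1
)

rem 2. Manual step: add the .cer file to the security policy as a
rem    Recovery Agent certificate (the "add" step in the post above).
echo Add dra.cer as a Recovery Agent in the security policy, then
pause

rem 3. Re-apply computer policy so EFS sees the new recovery agent.
gpupdate /target:computer /force

rem 4. List encrypted files on local drives without modifying them.
cipher /u /n

rem 5. Touch those files so their recovery agent key is updated to the
rem    current one.
cipher /u

rem 6. Move dra.pfx to offline storage afterwards; anyone holding it and
rem    its password can decrypt files protected by this recovery agent.
```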
 

Oriane

Hello Steven,

If I try to sum up: I generate a new key pair for the certificate I can see
with the rsop mmc but not in the certificate store?
Or do you suggest I create a new certificate?
Oriane
 

Steven L Umbach

You probably should try to create a new certificate/private key via a .pfx
file and then install that. --- Steve
 