EFS will use the one referenced in the registry by its thumbrpint.
I am on the road this week and cannot look it up, but a registry entry
contains the thumbprint of the active certificate.
Typically, it is the one that was there first when you started encrypting
Thanks for the input Brian. I'll see if I can pull out the reg path later.
That explains why my expectation, that it would do the reasonable
thing and try the one which matches, does not happen.
Perhaps your most direct route to move forward would then be to
- make sure anything encrypted with the other cert was copied into
a clear, unencrypted form
- export and save the other cert and key pair
- remove the other cert from the account's cert store
- see if things work, and if not yet
remove the copied-in cert/key and then re-add it (do not attempt
to encrypt anything in the meantime, and you will get yet another
EFS cert/key pair generated)
Well, it is good that you have had success.
However (didn't you just know that was coming?) . . .
it is not necessary to grant to Everyone, but rather something
that is included in that massively permissive grant must have
been missing. In my experience, a modify grant to the account
that is encrypting/decrypting covers the needs.
I have thought about it also, how do I go about checking the permissions?
How would I grant permissions to a user that is not in the domain but is a
remote machine?
I would think that if I set up a user in the remote machine with the same
name and password, they would not have the same Id, right?
I have thought about it also, how do I go about checking the permissions?
How would I grant permissions to a user that is not in the domain but is a
remote machine?
I would think that if I set up a user in the remote machine with the same
name and password, they would not have the same Id, right?
Right. Depending on how the machines are configured, having
matching usernames and passwords can work, but basically
without a domain the way you give someone access is by giving
them an account on the accessed machine.
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.
