making administrator account the DRA in XP Professional

Guest

First, I apologize; this question is rather simple, and has already been
addressed. But I still can't get it to work.

I encrypt files with EFS on a user account on my standalone XP Pro
workstation. I wish to be able to access them from the admin account. I
therefore wish to enable the admin account as a data recovery agent. I have
done the following, while logged on to the admin account:
used cipher /R:filename to generate a certificate (and private key)
used gpedit to add this certificate to the encryption policy.

However, I still cannot decrypt newly created files from the admin account;
there seems to be another step I need to complete. Perhaps, I need to import
the private key I created into the admin account.

Can anyone tell me what I need to do, and tell me or point me to how?

Thanks!
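For readers following the same procedure, here is the sequence as a batch file. This is an added example and is not code posted by anyone in the thread; it assumes the commands are run while logged on as the intended recovery account on a stand-alone XP Pro machine, and "dra" is a placeholder base name chosen for the example. The step the question suspects is missing (importing the .pfx, which holds the private key, into the recovery account's own certificate store) is included, since adding the .cer to the policy only distributes the public key.

```batch
@echo off
REM Added example, not code from anyone in this thread.
REM Run while logged on as the account that is to act as the EFS
REM recovery agent on a stand-alone XP Pro machine.
REM "dra" is a placeholder base name chosen for this example.

REM 1. Generate the recovery agent certificate and private key.
REM    cipher prompts for a password and writes two files:
REM      dra.cer - certificate only (public key), for the policy
REM      dra.pfx - certificate plus private key, password-protected
cipher /R:dra

REM 2. Add dra.cer as a recovery agent under
REM    Local Security Policy > Public Key Policies > Encrypting File System
REM    (the gpedit step already done in the question). This puts only the
REM    public key into the policy.

REM 3. The recovery account must also hold the private key, so import
REM    dra.pfx into its Personal certificate store. This opens the
REM    Certificate Import Wizard on the .pfx file:
rundll32.exe cryptext.dll,CryptExtAddPFX dra.pfx

REM 4. Only files encrypted after the policy change carry the new DRA.
REM    Each file owner refreshes existing files by running "cipher /U";
REM    to list encrypted files without changing any keys, use:
cipher /U /N

REM 5. Afterwards, move dra.pfx off the machine (removable media) so the
REM    recovery key is not stored beside the files it can decrypt.
```

After a file is encrypted (or refreshed with cipher /U) under the new policy, its Properties > Advanced > Details dialog should list the owner as the key holder and the recovery certificate as the DRA; if the DRA is listed but the recovery account still cannot open the file, the .pfx import in step 3 is the usual omission.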
 
Bruce Chambers

alexm said:
First, I apologize; this question is rather simple, and has already been
addressed. But I still can't get it to work.

I encrypt files with EFS on a user account on my standalone XP Pro
workstation. I wish to be able to access them from the admin account. I
therefore wish to enable the admin account as a data recovery agent. I have
done the following, while logged on to the admin account:
used cipher /R:filename to generate a certificate (and private key)
used gpedit to add this certificate to the encryption policy.

However, I still cannot decrypt newly created files from the admin account;
there seems to be another step I need to complete. Perhaps, I need to import
the private key I created into the admin account.

Can anyone tell me what I need to do, and tell me or point me to how?


In order to designate the Administrator as a DRA, the computer must be
part of a Domain; and even then, it is the Domain Administrator who can
be the DRA, not the local Administrator. This alternate access method
is unavailable on stand-alone PCs.

--

Bruce Chambers

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Mike Fields

Bruce Chambers said:
In order to designate the Administrator as a DRA, the computer must be
part of a Domain; and even then, it is the Domain Administrator who can
be the DRA, not the local Administrator. This alternate access method
is unavailable on stand-alone PCs.


Bruce Chambers

From what I read, you can set the administrator (at least
that was what it looked like) as the DRA without being
part of a domain. I tried that on mine (XP Pro) and when
I view the file properties - Advanced - Details, it shows
both me as the key holder and the administrator as the
DRA.
http://support.microsoft.com/default.aspx?scid=kb;en-us;241201&sd=tech
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316
About halfway down this one is some more info:
http://www.techzonez.com/forums/archive/index.php/t-13009.html
A multi-part article on encryption and recovery agents:
http://www.practicalpc.co.uk/computing/windows/xpencrypt1.htm
Here is some info from MS on "adding a recovery agent to a local
computer" (watch the link wrap):
http://www.microsoft.com/resources/...us/encrypt_to_add_recovery_agent.mspx?pf=true
Also look at:
http://www.microsoft.com/resources/...proddocs/en-us/encrypt_recovery_overview.mspx
There is also a bunch of info in the XP Resource Kit.

mikey
 
Bruce Chambers

Mike said:
From what I read, you can set the administrator (at least
that was what it looked like) as the DRA without being
part of a domain. I tried that on mine (XP Pro) and when
I view the file properties - Advanced - Details, it shows
both me as the key holder and the administrator as the
DRA.
http://support.microsoft.com/default.aspx?scid=kb;en-us;241201&sd=tech
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316
About halfway down this one is some more info:
http://www.techzonez.com/forums/archive/index.php/t-13009.html
A multi-part article on encryption and recovery agents:
http://www.practicalpc.co.uk/computing/windows/xpencrypt1.htm
Here is some info from MS on "adding a recovery agent to a local
computer" (watch the link wrap):
http://www.microsoft.com/resources/...us/encrypt_to_add_recovery_agent.mspx?pf=true
Also look at:
http://www.microsoft.com/resources/...proddocs/en-us/encrypt_recovery_overview.mspx
There is also a bunch of info in the XP Resource Kit.

mikey


My mistake, then. Thanks for the correction. It would also appear
that this KB Article may be pertinent:

The Local Administrator Is Not Always the Default Encrypting File System
Recovery Agent
http://support.microsoft.com/kb/255026/

 
Mike Fields

Bruce Chambers said:
My mistake, then. Thanks for the correction. It would also appear
that this KB Article may be pertinent:

The Local Administrator Is Not Always the Default Encrypting File System
Recovery Agent
http://support.microsoft.com/kb/255026/

Bruce Chambers

Note that that only applies to Windows 2000 -- XP Pro does NOT
require you to have a DRA (in 2k, one way to turn off EFS is
simply not to have a DRA). XP allows you to have only
yourself as the encryptor with no DRA required (and yet another
trap door to drop through). Note also that in XP they have plugged
a security hole that was in 2000 - in 2k, you (as an admin) could
reset the user's password to whatever you wanted, then decrypt
their files with their key (since you could now log in as them). In XP,
if someone other than the user changes their password, it breaks the
decryption (so be careful resetting a user's password for them in a
workstation environment).

mikey
 
Steven L Umbach

FYI, a domain administrator can reset a domain user's password to gain access
to EFS files that the domain user encrypted as the user. However, what you
describe is true for non-domain user accounts, in that resetting the user's
password will not allow access to the EFS files. --- Steve