Recovery Agent fails to decrypt

sajid

Hello Sir,

I installed a CA on my domain controller. Then I published an
EFS Recovery Certificate for a user, then I went to Domain
Security Policy, then Public Key Policy, then
Encrypted Data Recovery Agents, and added that user as a
Recovery Agent (that user is also in the Domain Admins group).
Then I logged on with an administrator account and encrypted a
file, and also encrypted a file as an ordinary user. Then I logged
on with the Recovery Agent account and tried to decrypt those
files, but got the error "Access Denied".

Where am I going wrong? I think the Recovery Agent should
decrypt encrypted files which were encrypted after his
addition as a Recovery Agent.
Please help me.

Also tell me: if I lost the private key of the local
administrator of a system which is in a workgroup, can I
decrypt that data?


Thanks in Advance

Muhammad Sajid.
Lahore, Pakistan.
 
Drew Cooper [MSFT]

On whichever machine you enrolled for the cert, you probably also have the
corresponding private key. If you go back to that machine and export the
certificate with its private key you can copy the .pfx file to another
machine and import them. You should be able to decrypt then.

Public key/private key - I don't think we explain this clearly enough.
Everyone knows my public key, but only I know my private key. Anyone should
be able to encrypt something for me to read later (thus the public key, the
certificate, for encryption), but only I should be able to decrypt it (thus
private key for decryption). Without the private key you can't decrypt.
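
The check-and-export step described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the PKI module cmdlets (Windows 8 / Server 2012 or later); the function name `Test-IsFileRecoveryCert` and the PFX path are hypothetical placeholders.

```powershell
# Added example. Run as the recovery agent user on the machine where the
# recovery certificate was enrolled.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage
$pfxPath = 'C:\Temp\efs-dra.pfx'                # hypothetical export path

# Hypothetical helper: true if the certificate carries the File Recovery EKU.
function Test-IsFileRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $fileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

$draCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-IsFileRecoveryCert $_ })
if ($draCerts.Count -eq 0) {
    Write-Warning 'No File Recovery certificate in this profile; try the machine where it was enrolled.'
    return
}

# The certificate (public key) alone is not enough: HasPrivateKey must be True.
foreach ($cert in $draCerts) {
    '{0}  HasPrivateKey={1}  {2}' -f $cert.Thumbprint, $cert.HasPrivateKey, $cert.Subject
}

$usable = @($draCerts | Where-Object { $_.HasPrivateKey })
if ($usable.Count -eq 0) {
    Write-Warning 'Certificate present, but its private key is not in this profile.'
    return
}

# Export certificate plus private key (fails if the key was not marked exportable).
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $usable[0] -FilePath $pfxPath -Password $pw | Out-Null

# On the machine holding the encrypted files, logged on as the recovery agent:
#   Import-PfxCertificate -FilePath C:\Temp\efs-dra.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pw
#   cipher /c <file>   # shows the recovery certificate thumbprints stored with the file
#   cipher /d <file>   # decrypts once the matching private key is present
```

Compare the thumbprint printed here with the recovery certificate thumbprint that `cipher /c` reports for the file, and delete the PFX file once it has been imported.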
 
