EFS files without recovery agent

Subject Author Date
EFS files without recovery agent nepyyvoda 09-12-2006
Posted by on September 12, 2006, 10:42 am
Hi,

I'm experiencing a strange problem with EFS on my domain, and wonder if
anyone can help me understand what is happening.

I have recently configured EFS group policy, created recovery agent,
and apply it on domain level.
Now users are able to encrypt files, but there is no Recovery agent in
the list when I open Encryption details window.

All domain controllers are Win2003 (Win 2000 native function level) and
workstations are WinXP.

Can anyone give me some ideas where it went wrong?

Regards,
Yuriy.


Posted by Roger Abell [MVP] on September 12, 2006, 10:08 pm
Just what did you do to "apply it on domain level" ?

> Hi,
>
> I'm experiencing a strange problem with EFS on my domain, and wonder if
> anyone can help me understand what is happening.
>
> I have recently configured EFS group policy, created recovery agent,
> and apply it on domain level.
> Now users are able to encrypt files, but there is no Recovery agent in
> the list when I open Encryption details window.
>
> All domain controllers are Win2003 (Win 2000 native function level) and
> workstations are WinXP.
>
> Can anyone give me some ideas where it went wrong?
>
> Regards,
> Yuriy.
>



Posted by Steven L Umbach on September 13, 2006, 12:53 am
Try running rsop.msc on one of the XP computers to see if it shows that
setting has applied to the domain computer. Note that RA setting is computer
configuration which means that the computer account must be within the scope
of management for that GPO. In other words if you configured it in a GPO
linked to an OU the computer account must exist in that OU or a child OU of
that OU. If you believe it should apply to the computer then check the
application log for errors/warnings for userenv and scecli that could
indicate a problem with Group Policy application to the domain computer.
Also keep in mind that it can take up to two hours for GP settings to
propagate unless you reboot or run gpupdate on the domain computer.

Steve


> Hi,
>
> I'm experiencing a strange problem with EFS on my domain, and wonder if
> anyone can help me understand what is happening.
>
> I have recently configured EFS group policy, created recovery agent,
> and apply it on domain level.
> Now users are able to encrypt files, but there is no Recovery agent in
> the list when I open Encryption details window.
>
> All domain controllers are Win2003 (Win 2000 native function level) and
> workstations are WinXP.
>
> Can anyone give me some ideas where it went wrong?
>
> Regards,
> Yuriy.
>
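
The checks from Steve's reply above, written out as a script. This is an added example and not part of any post in the thread; it assumes Windows PowerShell 2.0 or later in an elevated session on the workstation, and the registry path is where Windows keeps the EFS recovery policy delivered by Group Policy.

```powershell
# Added example: run on the domain workstation that shows no recovery agent.
# Assumes Windows PowerShell 2.0+ (Get-EventLog -Source / -After).

# 1. Refresh computer policy now instead of waiting for the background refresh.
gpupdate /target:computer /force

# 2. List the GPOs applied to the computer account (verbose, computer scope).
gpresult /scope computer /v

# 3. Recovery agent certificates that EFS policy delivered to this machine.
#    Each subkey name under Certificates is a certificate thumbprint.
$efsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
if (Test-Path $efsKey) {
    $agents = @(Get-ChildItem $efsKey)
    "Recovery agent certificates in policy: $($agents.Count)"
    $agents | ForEach-Object { "  thumbprint $($_.PSChildName)" }
} else {
    "No EFS recovery policy key found: the RA setting has not reached this computer."
}

# 4. Group Policy processing problems in the Application log (last 2 days).
$since = (Get-Date).AddDays(-2)
foreach ($source in 'Userenv', 'SceCli') {
    $events = Get-EventLog -LogName Application -Source $source `
                  -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue
    if ($events) {
        $events | Select-Object TimeGenerated, Source, EventID, Message | Format-List
    } else {
        "No $source errors or warnings since $since"
    }
}
```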



Posted by S0k1l on September 13, 2006, 4:24 am
Hi,

First of all thank you for your response, but unfortunately that is not
an issue.
Group policy with EFS recovery agent settings is linked to the domain (let's
say company.com), and RSoP.msc shows that policy has been applied to
computer (at least to all that I have checked), with the valid recovery
agent certificate.
Maybe there is something else that I have not paid attention to?
All your ideas are appreciated.

Yuriy

Steven L Umbach wrote:
> Try running rsop.msc on one of the XP computers to see if it shows that
> setting has applied to the domain computer. Note that RA setting is computer
> configuration which means that the computer account must be within the scope
> of management for that GPO. In other words if you configured it in a GPO
> linked to an OU the computer account must exist in that OU or a child OU of
> that OU. If you believe it should apply to the computer then check the
> application log for errors/warnings for userenv and scecli that could
> indicate a problem with Group Policy application to the domain computer.
> Also keep in mind that it can take up to two hours for GP settings to
> propagate unless you reboot or run gpupdate on the domain computer.
>
> Steve
>
>
> > Hi,
> >
> > I'm experiencing a strange problem with EFS on my domain, and wonder if
> > anyone can help me understand what is happening.
> >
> > I have recently configured EFS group policy, created recovery agent,
> > and apply it on domain level.
> > Now users are able to encrypt files, but there is no Recovery agent in
> > the list when I open Encryption details window.
> >
> > All domain controllers are Win2003 (Win 2000 native function level) and
> > workstations are WinXP.
> >
> > Can anyone give me some ideas where it went wrong?
> >
> > Regards,
> > Yuriy.
> >


Posted by Steven L Umbach on September 13, 2006, 8:20 pm
I would double check any GPO that could apply to that computer as if I
remember correctly rsop.msc does not show which GPO is applying RA.

Steve


> Hi,
>
> First of all thank you for your response, but unfortunately that is not
> an issue.
> Group policy with EFS recovery agent settings is linked to the domain (let's
> say company.com), and RSoP.msc shows that policy has been applied to
> computer (at least to all that I have checked), with the valid recovery
> agent certificate.
> Maybe there is something else that I have not paid attention to?
> All your ideas are appreciated.
>
> Yuriy
>
> Steven L Umbach wrote:
>> Try running rsop.msc on one of the XP computers to see if it shows that
>> setting has applied to the domain computer. Note that RA setting is computer
>> configuration which means that the computer account must be within the scope
>> of management for that GPO. In other words if you configured it in a GPO
>> linked to an OU the computer account must exist in that OU or a child OU of
>> that OU. If you believe it should apply to the computer then check the
>> application log for errors/warnings for userenv and scecli that could
>> indicate a problem with Group Policy application to the domain computer.
>> Also keep in mind that it can take up to two hours for GP settings to
>> propagate unless you reboot or run gpupdate on the domain computer.
>>
>> Steve
>>
>>
>> > Hi,
>> >
>> > I'm experiencing a strange problem with EFS on my domain, and wonder if
>> > anyone can help me understand what is happening.
>> >
>> > I have recently configured EFS group policy, created recovery agent,
>> > and apply it on domain level.
>> > Now users are able to encrypt files, but there is no Recovery agent in
>> > the list when I open Encryption details window.
>> >
>> > All domain controllers are Win2003 (Win 2000 native function level) and
>> > workstations are WinXP.
>> >
>> > Can anyone give me some ideas where it went wrong?
>> >
>> > Regards,
>> > Yuriy.
>> >
>
>


