EFS and the Data Recovery Agent

crypticgeek Member Posts: 66
I'm following the lab at the end of Chapter 9 in the Administering Windows Server 2012 Exam Ref from Microsoft. Basically the lab has you set up AD Certificate Services and a CA, create an account and an associated EFS Recovery Agent certificate, and set up a GPO that specifies for users to auto-enroll with the CA for an EFS certificate and use the DRA certificate created earlier. This all went fine. However, I'm having trouble actually using the DRA to open an EFS encrypted file; I just get the same access denied that anyone else would. As the user with the DRA cert, I can open the user's certificate store and see the DRA cert there and it says that I have the private key for the cert. As the user who encrypted the file I can open the properties and see the DRA thumbprint listed correctly. I'm missing something here but I can't figure out what...

Comments

  • 210mike Member Posts: 55
    I dug around online as I was intrigued by this question

    Is the recovery cert installed on the private store of the machine hosting the EFS file?

    Recover EFS Encrypted File in Windows Domain Environment « Technology « Risolv IT Solutions
    WGU BS: IT Network and Design Management (Completed Oct 2014)
  • crypticgeek Member Posts: 66
    Thought I had a subscription for replies to this thread...oh well.

    Anyway I came back to looking at this today. I reverted my test machine where I encrypted the file back to a fresh install snapshot, logged in as a user, checked they got a self-enrolled cert from the CA, encrypted a file, checked the relevant info with the cipher program (thanks for the link), logged out, logged in as the DRA user, and lo and behold it worked fine. I remember earlier I was trying across the network (which the article you linked specified would not work) but I could have sworn up and down I also logged in locally and it still wouldn't work. Well for whatever reason it works fine now.
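    The check described in the reply above (confirm with cipher what the file records, then confirm the DRA user actually holds the matching private key, locally), as an added PowerShell example that is not from this thread or from the Microsoft lab. It assumes cipher.exe's /c output carries the "Recovery Certificates:" and "Certificate thumbprint:" labels and that the file path is local to the machine it is run on.

```powershell
# Added example (not from this thread). Run as the DRA user on the machine that hosts the file.
# Assumption: cipher.exe /c output uses the "Recovery Certificates:" and "Certificate thumbprint:" labels.
param([Parameter(Mandatory = $true)][string]$Path)

$full = (Resolve-Path -LiteralPath $Path).ProviderPath
if (([uri]$full).IsUnc) {
    # DRA recovery has to be done locally on the host; over a UNC path it just yields Access Denied.
    Write-Warning "$full is a network path; log on to the machine that hosts the file and run this there."
}

# cipher /c lists who can decrypt the file, then the recovery certificates, then key information.
$out = (& cipher.exe /c $full 2>&1) -join "`n"
$recoverySection = ($out -split 'Recovery Certificates:')[1]
if (-not $recoverySection) {
    throw "No recovery certificates recorded on $full (is the file encrypted, and was the DRA policy applied before encryption?)"
}
$recoverySection = ($recoverySection -split 'Key Information:')[0]

# Thumbprints are printed as space-separated hex groups; normalise to the form the cert store uses.
$fileThumbs = [regex]::Matches($recoverySection, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
    ForEach-Object { ($_.Groups[1].Value -replace ' ', '').ToUpperInvariant() }

# The DRA must be in the *current user's* personal store with its private key, not just visible as a .cer.
$store = Get-ChildItem -Path Cert:\CurrentUser\My
foreach ($t in $fileThumbs) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $t }
    if (-not $cert) {
        "DRA thumbprint $t is on the file but not in this user's personal store; import the DRA .pfx here."
    } elseif (-not $cert.HasPrivateKey) {
        "DRA certificate $t is present but has no private key; the public certificate alone cannot decrypt."
    } else {
        "DRA certificate $t is present with its private key; decryption should work from this logon."
    }
}
```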