| SpazM 2003-02-19, 11:16 pm |
| Having a problem here. I've gone to Microsoft's web site hoping that it will help me out, but it just got me more confused. Here's the problem.
I'm trying to decrypt (recover) a file on a Pro machine that is part of a domain. Microsoft states that when the first DC is set up, the domain admin is the specified recovery agent for the domain. But when I tried to decrypt the file, I got an error stating "access denied."
So my question is...
How do I decrypt the file? and
What is a domain EFS recovery policy used for?
Thanks! Spid, please answer this one for me... | |
| Slinky 2003-02-19, 11:49 pm |
| Did you try the "cipher" command in a DOS window? Do you have permissions to decrypt it? Just because you are a domain admin doesn't mean you have full control over every file. Check to see if a recovery certificate is available. Open up your group policy and go to Computer Configuration...Windows Settings...Security Settings...Public Key Policies...Encrypted Data Recovery Agents. Do you see a certificate issued to Administrator and issued by Administrator? Does it have "File Recovery" as its intended purpose? Are you logging into the domain controller where the recovery certificate is stored? These are just a few starting points to check.
There are hundreds of links out there that tell you how to recover files; just do a quick search. Here's a start.
http://support.microsoft.com/defaul...kb;EN-US;243026 | |
| I think I solved the problem... correct me if I'm wrong.
I logged on to the first DC and checked the public key policies in the group policy of the domain, and made sure that there was a certificate issued to the Administrator. I also made sure that the Intended Purpose was "File Recovery."
I then exported the certificate and imported it to the client machine.
Then I was able to open the encrypted file.
Is this the proper way to take care of this type of situation? If not, I'm open to any comments/suggestions.
Thanks!! | |
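Added example, not part of the thread: the check-export-import-decrypt procedure that Slinky's post and the reply above describe, written as a PowerShell script using the PKI cmdlets of current Windows rather than the Windows 2000 Certificates snap-in export wizard the posters would have clicked through. The PFX path on removable media, the password prompt, the encrypted file path and the decision to run step 1 under the first DC's Administrator account are assumptions for illustration; the File Recovery EKU OID (1.3.6.1.4.1.311.10.3.4.1) is the real one EFS looks for on a recovery agent certificate.

```powershell
# Added example (not from the thread). Assumed values: $pfxPath, $file and
# running step 1 in the domain Administrator's session on the first DC.
$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery"
$pfxPath = 'E:\recovery-agent.pfx'            # removable media, assumed
$pfxPassword = Read-Host -AsSecureString 'PFX password'

# --- Step 1, on the machine whose user store holds the recovery agent's
#     private key (the thread's first DC, logged on as Administrator):
#     find the recovery agent certificate and check the private key is there.
$ra = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $efsRecoveryOid)
} | Select-Object -First 1
if (-not $ra) {
    throw 'No "File Recovery" certificate with a private key in this user store.'
}
$ra | Format-List Subject, Issuer, Thumbprint, NotAfter   # should be Administrator / Administrator

# Export certificate AND private key as a password-protected PFX. A .cer
# export alone (public key only) cannot decrypt anything.
Export-PfxCertificate -Cert $ra -FilePath $pfxPath -Password $pfxPassword | Out-Null

# --- Step 2, on the client that holds the encrypted file, in the session of
#     whoever will run cipher: import the PFX into that user's personal store.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

$file = 'C:\Data\secret.doc'   # assumed path of the encrypted file
# cipher /c (Windows XP and later) lists the users and recovery agents who
# can decrypt the file; the recovery agent's cert should appear here.
cipher.exe /c $file
cipher.exe /d $file
$attrs = (Get-Item $file).Attributes
if ($attrs.HasFlag([IO.FileAttributes]::Encrypted)) {
    throw "Still encrypted: $file (imported key does not match a recovery agent on the file)"
}
Write-Host "Decrypted: $file"

# --- Step 3: do not leave the domain recovery key on a workstation. Remove
#     the imported certificate with its private key, and the PFX copy.
Remove-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)" -DeleteKey
Remove-Item -Path $pfxPath
```

Two points worth keeping in mind when running this. First, EFS decryption is purely local: once the PFX with the private key is in the logged-on user's store, cipher /d never talks to the domain controller, so the procedure works on a client whose DC is unreachable as long as someone can still log on to it. Second, the recovery agent's private key can open every EFS file in the domain, which is why the example deletes it from the client afterwards and why Slinky's advice to keep the exported PFX on removable media in a safe place matters.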
| Sounds fine!
But suppose we want to get to encrypted docs on a client while the DC is down. What would the procedure be then?
From KB 313277
"If you are a local administrator, a default recovery policy is created after you log on to a computer for the first time. You are automatically configured as a recovery agent for this computer. ***After you set up the first domain controller in a Windows 2000 domain, the domain administrator is the specified recovery agent for the domain***"
This is not a rhetorical Q! Anyone have any ideas? | |
| Slinky 2003-02-20, 8:21 am |
| I'm guessing that if you export the certificate and install it on the client computer, then you would have to login as the domain admin on the client computer. I've never tried it before so I don't know. I always just transfer it over to the recovery computer and decrypt it that way. Less administrative effort that way. | |
| Slinky 2003-02-20, 8:23 am |
| quote: Originally posted by tharg
Sounds fine!
But suppose we want to get to encrypted docs on a client while the DC is down. What would the procedure be then?
I'm guessing that's why it's so important you export the certificate to removable media and store it in a safe location after you establish your policy. | |
| OK, but how do you log in as the domain admin if the DC is down! | |