Can't seem to be able to create a working EFS Recovery agent
Hello, I'm trying to test EFS and can't seem to get it right. Here are the steps I have tried.

1. Create a user EFSRecovery in AD and give him the right to enroll the EFS Recovery Certificate (I had installed a CA earlier).
2. Logged on as user EFSRecovery and requested an EFS Recovery Certificate.
3. Created a Group Policy and tried to add the EFSRecovery user to Public Key Policy / Encrypted File System. This failed with the message that the user does not have the correct certificate. Looked it up on the internet and found that almost everyone was having this problem, so I tried another take.
4. Logged on as user EFSRecovery and exported its EFS Recovery Certificate to a file.
5. In the Group Policy I created in 3, added the *.cer file to the Public Key Policy / Encrypted File System. This was successful.
6. Linked the Group Policy with an OU that contains the test computer on which I want to try EFS recovery (tried it also with a link to the domain).
7. Logged on to the test computer as admin and ran GPUPDATE /force to ensure the policy is applied. Used Group Policy Results in the Group Policy Management console to ensure that the policy was applied and the certificate was mentioned in Public Key Policies\Encrypted File System. This was indeed the case.
8. Created a user TestEfs, logged on to the test computer, created a directory containing a test file and encrypted the directory and test file.
9. Logged on to the test computer as EfsRecovery and tried to access the test file. This failed. Tried to change the encryption bit; this failed. However, when I looked at the advanced encryption property screen I saw that the certificate of the EfsRecovery agent is listed as a Recovery Certificate.

Does anyone know how you must create an EFS Recovery agent that works? I looked up different procedures on the internet but none seems to work at all.

PS. My DC is a Win2008R2 and the test computer is a WIN2008.

Thanks a lot in advance,
Marc Mertens
June 8th, 2010 11:49am

On Tue, 8 Jun 2010 08:49:22 +0000, HappyLisper wrote:

> 9. Logged on to the test computer as EfsRecovery and tried to access the test file. This failed. Tried to change the encryption bit; this failed. However, when I looked at the advanced encryption property screen I saw that the certificate of the EfsRecovery agent is listed as a Recovery Certificate.
> Does anyone know how you must create an EFS Recovery agent that works? I looked up different procedures on the internet but none seems to work at all.

In step 9, did you have the EFS Recovery Agent certificate and private key in the local store of the EfsRecovery user? If not, that's your problem.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Paul Adare, CTO, IdentIT Inc., ILM MVP
June 8th, 2010 11:53am

Hello Paul, that was indeed not the case. So I exported the certificate (including the private key) to a file, logged on as EFSRecovery on the test computer, imported the file into the personal store of EFSRecovery, and everything worked. I was kind of hoping that if the certificate was stored with the AD user object, I could use the recovery agent directly on every computer in the domain to do the recovery. Seems a lot of work to me, but at least I'm convinced that recovery is possible.

Thanks for your help,
Marc
June 9th, 2010 12:04pm
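The fix in the thread comes down to one check: the recovery agent's certificate must be present, with its private key, in the personal store of the user doing the recovery on that particular machine, and it must be the same certificate that the file's EFS metadata lists as a recovery certificate. The PowerShell script below is an added example (not code from the thread or from Microsoft) that automates that check. It enumerates `Cert:\CurrentUser\My` for certificates carrying the "File Recovery" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1), reports whether a private key is attached, and then runs `cipher.exe /c` on an encrypted file and compares the thumbprints it prints against the store. The path `C:\EfsTest\secret.txt` and the function names are assumptions; the parsing of `cipher /c` output assumes the thumbprint lines contain a 40-hex-digit value, which is how Windows Vista and later print them.

```powershell
# Added example: verify that an EFS Data Recovery Agent (DRA) certificate and
# private key are usable by the currently logged-on user on this machine.
# Assumptions: Windows Vista / Server 2008 or later (cipher.exe /c exists),
# the script runs as the recovery user (e.g. EfsRecovery), and the encrypted
# test file path is supplied by the caller.

# OID for the "File Recovery" enhanced key usage that DRA certificates carry.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-DraCertificates {
    # Return every certificate in the user's personal store that has the
    # File Recovery EKU, annotated with whether a private key is present.
    Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryEku } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint.ToUpperInvariant()
                HasPrivateKey = $_.HasPrivateKey   # $false means recovery will fail
                NotAfter      = $_.NotAfter
            }
        }
}

function Get-FileRecoveryThumbprints {
    # Parse the "Recovery Certificates" thumbprints that cipher.exe /c prints
    # for an encrypted file. cipher prints them as spaced groups of hex digits,
    # so whitespace is stripped before matching 40 hex characters.
    param([Parameter(Mandatory)][string]$Path)

    $output = & cipher.exe /c $Path 2>&1
    $output |
        Where-Object { $_ -match 'thumbprint' } |
        ForEach-Object {
            $compact = ($_ -replace '\s', '')
            if ($compact -match '([0-9A-Fa-f]{40})') { $Matches[1].ToUpperInvariant() }
        } | Select-Object -Unique
}

function Test-EfsRecoveryReady {
    # Cross-check: is at least one DRA cert listed on the file also present in
    # this user's store WITH its private key? That is exactly the condition
    # the thread identified as missing in step 9.
    param([Parameter(Mandatory)][string]$Path)

    $store = @(Get-DraCertificates)
    $onFile = @(Get-FileRecoveryThumbprints -Path $Path)

    if ($store.Count -eq 0) {
        Write-Warning 'No certificate with the File Recovery EKU in Cert:\CurrentUser\My.'
    }
    foreach ($c in $store) {
        $state = if ($c.HasPrivateKey) { 'private key present' } else { 'PUBLIC KEY ONLY' }
        Write-Host ("Store: {0}  {1}  ({2}, expires {3:d})" -f $c.Thumbprint, $c.Subject, $state, $c.NotAfter)
    }
    foreach ($t in $onFile) { Write-Host "File lists recovery certificate: $t" }

    $usable = $store | Where-Object { $_.HasPrivateKey -and ($onFile -contains $_.Thumbprint) }
    if ($usable) {
        Write-Host 'OK: a recovery certificate on the file has its private key in this user''s store.'
        return $true
    }
    Write-Warning 'Recovery will fail: import the DRA .pfx (with private key) into Cert:\CurrentUser\My for this user.'
    return $false
}

# Example usage (assumed path; run as the recovery user on the test computer):
Test-EfsRecoveryReady -Path 'C:\EfsTest\secret.txt'
```

Run it as the recovery user before attempting to clear the encryption attribute: a "PUBLIC KEY ONLY" line reproduces the thread's failing state (the .cer was published through Group Policy but the .pfx was never imported for that user on that machine), and the cross-check against `cipher /c` catches the other common mistake, a file encrypted before the new DRA policy applied, so that its metadata still lists an older or no recovery certificate. In that second case, the file owner needs to run `cipher /u` on the file so its EFS metadata is rewritten with the current recovery agent.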

On Wed, 9 Jun 2010 09:04:09 +0000, HappyLisper wrote:

> That was indeed not the case. So I exported the certificate (including the private key) to a file, logged on as EFSRecovery on the test computer, imported the file into the personal store of EFSRecovery, and everything worked. I was kind of hoping that if the certificate was stored with the AD user object, I could use the recovery agent directly on every computer in the domain to do the recovery. Seems a lot of work to me, but at least I'm convinced that recovery is possible.

EFS recovery should not necessarily be an easy operation given the level of access it involves. One way to make it easier and even more secure is to store the recovery agent on a smart card. In addition, you may want to consider using EFS recovery as an operation of last resort. By and large, you should be able to use key archival and recovery to recover users' private keys if necessary.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Paul Adare, CTO, IdentIT Inc., ILM MVP
June 9th, 2010 12:13pm
