Recovery Agent cannot decrypt a file?
Hi, we have installed a root certificate authority in our domain. A user is assigned the role of recovery agent who is a member of the Domain Admins group. I have created a domain user, logged on to the PC with that user account and encrypted a file. Then I logged on with the recovery agent account, opened the Certificates snap-in, exported the certificate on the same computer and installed it. Tried to decrypt the file with the RA account but got the message "Access is Denied". What steps should I take to be able to recover the encrypted file using the Recovery Agent account? Regards, Ali Khoshbin
July 2nd, 2011 10:10am

Hi Ali, thank you for your post. Based on your description, I assume that your server OS is Windows 2008 and the EFS file was encrypted on PC1. Please follow the steps below to troubleshoot:
1. Log on to the DC with user1, the account you want to assign the role of recovery agent. Enable EFS in the GPO: Computer Configuration--Windows Settings--Security Settings--Public Key Policies--Encrypting File System--right click Properties--select Allow EFS. Add the user1 Recovery Agent certificate in the same GPO: Computer Configuration-...--Encrypting File System--right click Create Data Recovery Agent.
2. After you deploy the EFS policy, your EFS file's Properties--General--Advanced--Details will display the user1 certificate in the recovery policy.
3. On the DC, export the user1 EFS certificate to an efs.pfx file with the private key; the EFS certificate thumbprint value is the same as in the EFS file properties.
4. On PC1, log on with the user1 account and import the user1 EFS certificate file; then you can open the EFS file.
Here is an EFS guide for Windows 2003; hope it will be useful to you. If there are more inquiries on this issue, please feel free to let us know. Regards, Rick Tan
July 5th, 2011 6:11am

Dear Rick, thanks for your reply. I forgot to tell you that our domain is Win2003. We have a certificate authority installed on a DC. The situation is as follows: a certificate is issued to a user with intended purpose "File Recovery" and certificate template "EFS Recovery". A test user has encrypted a single file. I have logged on to the PC where the file is located as the RA user and imported the certificate to the Personal folder of the Certificates snap-in. Checked the file attributes; they show the name of the RA with the correct certificate thumbprint and serial number. When I try to open the file as the RA, I get the "Access Denied" message. What step should I take to resolve this issue? Many thanks for your cooperation.
July 6th, 2011 8:59am

Hi Ali, I have tested on Windows 2003 Server; it's the same procedure as for Windows 2008 that I posted above. Based on your description, it's possible that you didn't export the EFS certificate with the private key, or did not import the certificate into the user's Personal certificate store. Please export the EFS certificate following the screenshot below. If there are more inquiries on this issue, please feel free to let us know. Regards, Rick Tan
July 7th, 2011 6:36am

Dear Rick, thanks for your reply. I did the above settings but still no success. Wanted to assign another user as RA and test the situation but ran into the problems below: I gave another user the RA role, my own user with Domain Admins rights. Requested an "EFS Recovery Agent" certificate for myself on my own machine using the certificate template with a new key. Then exported the certificate along with the private key on my own machine to a folder on the local disk. Then logged on as a user and encrypted a file. Then looked at the file's encryption details. The recovery agent who is listed is the previous user and not the newly added user. I checked the Certificate Authority snap-in: my domain admin user is listed as EFS Recovery Agent but, as mentioned earlier, does not appear as RA on the encrypted file. What should I do in this scenario? I revoked the certificate for the previous user in the Certificate Authority, listing the reason as "Change of Affiliation". Then tried to encrypt a file as an ordinary user but still saw the RA name as the one whose certificate has been revoked. Why does the revocation not apply? Thanks for your kind attention and help.
July 13th, 2011 9:09am

On Wed, 13 Jul 2011 06:09:04 +0000, Ali Khoshbin wrote: Thanks for your reply. I did the above settings but still no success. Wanted to assign another user as RA and test the situation but ran into the problems below: I gave another user the RA role, my own user with Domain Admins rights. Requested an "EFS Recovery Agent" certificate for myself on my own machine using the certificate template with a new key. Then exported the certificate along with the private key on my own machine to a folder on the local disk. Then logged on as a user and encrypted a file. Then looked at the file's encryption details. The recovery agent who is listed is the previous user and not the newly added user. I checked the Certificate Authority snap-in: my domain admin user is listed as EFS Recovery Agent but, as mentioned earlier, does not appear as RA on the encrypted file. What should I do in this scenario?
You aren't really clear on how a Recovery Agent gets assigned. Just because you've issued a new Recovery Agent certificate does not mean that certificate will then be used as an RA for newly encrypted files, and checking the Certificate Authority console will not show you which certificates are currently assigned as valid RAs; it will simply show you the Recovery Agent certificates that have been issued. Creating a new RA is a two-step process:
1. You need to issue a new RA certificate.
2. You need to use Group Policy to push the new RA to client computers.
You're missing step #2. You'll need to add the newly issued RA certificate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System. Once this Group Policy has been applied to the target computer you will then, and only then, be able to use the newly issued RA certificate to decrypt newly encrypted files. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca How was Thomas J. Watson buried? 9 edge down.
July 13th, 2011 12:16pm
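The replies from Rick and Paul above come down to three checks: which recovery agent certificate the encrypted file actually carries, whether the logged-on RA has a matching "File Recovery" certificate with its private key, and whether Group Policy has delivered that certificate to the computer. The script below is an added example for this thread, not code from any of the posters. It assumes the English output format of `cipher.exe /c` and that the applied EFS recovery policy is stored under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates` with one subkey per thumbprint; the sample `cipher` output and the CONTOSO names are constructed.

```powershell
# Added example (not from the thread): verify an EFS recovery agent end to end.
# Assumptions: English 'cipher.exe /c' output; applied EFS recovery policy lives under
# HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates (subkey = thumbprint).

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # EKU OID displayed as "File Recovery"
$EfsPolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function Get-EfsRecoveryThumbprint {
    # Parse 'cipher /c' text and return the thumbprints listed under "Recovery Certificates:".
    param([Parameter(Mandatory)][string[]]$CipherOutput)
    $inRecovery = $false
    foreach ($line in $CipherOutput) {
        if ($line -match '^\s*Recovery Certificates:')                  { $inRecovery = $true;  continue }
        if ($line -match '^\s*(Users who can decrypt|Key Information):') { $inRecovery = $false; continue }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*(.+)$') {
            # cipher prints the SHA-1 in spaced groups ("F6DA 2C1B ..."); normalise it
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Get-LocalRecoveryAgentCert {
    # "File Recovery" certificates in CurrentUser\My that can actually decrypt (private key present).
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if ($cert.HasPrivateKey -and ($ekus -contains $FileRecoveryEku)) { $cert }
    }
}

function Get-AppliedEfsPolicyThumbprint {
    # DRA thumbprints Group Policy has delivered to this machine (registry location is an assumption).
    if (Test-Path $EfsPolicyKey) {
        (Get-ChildItem $EfsPolicyKey).PSChildName | ForEach-Object { $_.ToUpperInvariant() }
    }
}

function Test-EfsRecoveryAgent {
    # One report per file: who can recover it now, and whether policy covers files encrypted from now on.
    param([Parameter(Mandatory)][string]$Path)
    $onFile = @(Get-EfsRecoveryThumbprint -CipherOutput (cipher.exe /c $Path))
    $local  = @(Get-LocalRecoveryAgentCert | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    $policy = @(Get-AppliedEfsPolicyThumbprint)

    [pscustomobject]@{
        File                 = $Path
        RecoveryAgentsOnFile = $onFile      # set when the file was encrypted (Paul's point)
        UsableLocalRaCerts   = $local       # cert + private key in this user's store (Rick's step 3/4)
        AppliedPolicyRaCerts = $policy      # what step 2 (Group Policy) actually pushed here
        CanRecoverNow        = [bool]($onFile | Where-Object { $local  -contains $_ })
        PolicyCoversNewFiles = [bool]($policy | Where-Object { $local  -contains $_ })
    }
}

# Constructed sample of 'cipher /c' output so the parser can be exercised offline.
$SampleCipherOutput = @(
    'E secret.txt',
    '  Users who can decrypt:',
    '    CONTOSO\testuser [testuser(testuser@contoso.local)]',
    '    Certificate thumbprint: 1111 2222 3333 4444 5555 6666 7777 8888 9999 0000',
    '  Recovery Certificates:',
    '    CONTOSO\ra [ra(ra@contoso.local)]',
    '    Certificate thumbprint: AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333',
    '  Key Information:',
    '    Algorithm: AES'
)
Get-EfsRecoveryThumbprint -CipherOutput $SampleCipherOutput

# Live use, logged on as the recovery agent on the PC holding the file:
# Test-EfsRecoveryAgent -Path 'C:\Users\testuser\Documents\secret.txt'
```

If `CanRecoverNow` is false but `PolicyCoversNewFiles` is true, the file was encrypted before the new policy reached the machine: the DRF on the file still names the old agent, which is why revoking the old certificate at the CA changes nothing for existing files. Run `gpupdate /force` on the client and re-encrypt (or have the owner open and save) the file so the current recovery policy is written into it.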

Hi, thanks for the answer . I will do this and go to test the rest. many thanks
July 18th, 2011 12:44pm

Hi, it worked. Thanks a lot for your cooperation.
July 23rd, 2011 10:54am

On Wed, 13 Jul 2011 06:09:04 +0000, Ali Khoshbin wrote: Thanks for your reply. I did the above settings but still no success. Wanted to assign another user as RA and test the situation but ran into the problems below: I gave another user the RA role, my own user with Domain Admins rights. Requested an "EFS Recovery Agent" certificate for myself on my own machine using the certificate template with a new key. Then exported the certificate along with the private key on my own machine to a folder on the local disk. Then logged on as a user and encrypted a file. Then looked at the file's encryption details. The recovery agent who is listed is the previous user and not the newly added user. I checked the Certificate Authority snap-in: my domain admin user is listed as EFS Recovery Agent but, as mentioned earlier, does not appear as RA on the encrypted file. What should I do in this scenario?
You aren't really clear on how a Recovery Agent gets assigned. Just because you've issued a new Recovery Agent certificate does not mean that certificate will then be used as an RA for newly encrypted files, and checking the Certificate Authority console will not show you which certificates are currently assigned as valid RAs; it will simply show you the Recovery Agent certificates that have been issued. Creating a new RA is a two-step process:
1. You need to issue a new RA certificate.
2. You need to use Group Policy to push the new RA to client computers.
You're missing step #2. You'll need to add the newly issued RA certificate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System. Once this Group Policy has been applied to the target computer you will then, and only then, be able to use the newly issued RA certificate to decrypt newly encrypted files. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca How was Thomas J. Watson buried? 9 edge down.
Paul, I am having what appears to be exactly the same issue on a Windows 2008 R2 DC... I believe I have issued an RA certificate for the user I am logged on as (by right-clicking on Create New Recovery Agent in the GPO for Encrypting File System), and it appears in Computer Configuration\Policies\Windows Settings\Security... Settings\Public Key Policies\Encrypting File System. But I still can't read encrypted files created by other users. Although, strangely, the Admin can, even though I cancelled the Admin's DRA certificate. What exactly do I need to do to "use Group Policy to push the new RA to client computers"? The 70-642 Training Kit makes no reference to this second step. Thanks, Rod
October 18th, 2011 10:45am


I'm bumping this up because I really need to solve this problem.
October 20th, 2011 3:00am

Same for me...
February 4th, 2012 7:33pm
