DRA cannot open EFS files

Archived from groups: microsoft.public.windowsxp.security_admin

I have an EFS problem with XP / XP SP1 & XP SP2. I don't have Active Directory
set up in the office and all XP machines are standalone workstations. I would like to
enable EFS on laptops. I understand XP does not have a DRA set up by default, so
I log in as admin, create the .CER file and use MMC to set the admin as the
DRA. The user can encrypt a file and open the file even after a password change.
However, when I log in as admin and try to open the EFS file of another
user, I get an "access denied" error. When I use Windows Explorer to view the
properties of the file, it says admin is the recovery agent name. The thumbprint
is the same as the admin certificate under MMC > Certificate > Personal >
admin.cer file.

On a Windows 2000 workstation, I used to be able to log in as admin and open the
EFS files encrypted by all users on the machine.

Am I missing other steps?

Thanks
Che
 

It sounds like you have the certificate, but not the private key, installed
in your Personal certificates store. The .CER file is just the certificate.
You need the .PFX file which is the certificate and the private key. (The
private key is used to open/decrypt files.)

If you used "cipher /r" to create the recovery certificate, it created a
.CER and a .PFX file. Locate the .PFX file, run it (or double-click on it),
and it will launch the Certificate Import Wizard. The wizard will
automatically install the certificate with key into your Personal
certificates store. (Select the option in the wizard to make the key
exportable.) Afterwards, it's a good idea to copy your .PFX file to a floppy
for safe-keeping.

Thanks.
Pat

"Che" wrote:

> I have an EFS problem with XP / XP SP1 & XP SP2. I don't have Active Directory
> set up in the office and all XP machines are standalone workstations. I would like to
> enable EFS on laptops. I understand XP does not have a DRA set up by default, so
> I log in as admin, create the .CER file and use MMC to set the admin as the
> DRA. The user can encrypt a file and open the file even after a password change.
> However, when I log in as admin and try to open the EFS file of another
> user, I get an "access denied" error. When I use Windows Explorer to view the
> properties of the file, it says admin is the recovery agent name. The thumbprint
> is the same as the admin certificate under MMC > Certificate > Personal >
> admin.cer file.
>
> On a Windows 2000 workstation, I used to be able to log in as admin and open the
> EFS files encrypted by all users on the machine.
>
> Am I missing other steps?
>
> Thanks
> Che
 

Actually, I have the admin .PFX file imported in the Personal Certificates store.
I rebooted the machine before encrypting the file and I still cannot open the EFS
file for which admin is said to be the DRA.

So if a user leaves or forgets the password, how could IT open the EFS files?

Let me know if you need more information.

Thanks
Che

"Pat Hoffer [MSFT]" wrote:

> It sounds like you have the certificate, but not the private key, installed
> in your Personal certificates store. The .CER file is just the certificate.
> You need the .PFX file which is the certificate and the private key. (The
> private key is used to open/decrypt files.)
>
> If you used "cipher /r" to create the recovery certificate, it created a
> .CER and a .PFX file. Locate the .PFX file, run it (or double-click on it),
> and it will launch the Certificate Import Wizard. The wizard will
> automatically install the certificate with key into your Personal
> certificates store. (Select the option in the wizard to make the key
> exportable.) Afterwards, it's a good idea to copy your .PFX file to a floppy
> for safe-keeping.
>
> Thanks.
> Pat
 

Check the following:
1. Confirm the DRA certificate applied to the file. (I'm assuming you've
added this certificate to group policy on the machine.) Log onto the machine
as the Admin who is the DRA. Open the encrypted file's properties, click
Advanced > Details, and note the certificate thumbprint of the data recovery
agent that applied to the file. Then run certmgr.msc to open your Personal
Certificates store, open your DRA certificate to the Details page, and scroll
down to see the thumbprint. This should match the DRA thumbprint on the file.
2. Confirm the admin who is DRA has NTFS permissions on the file. To open
the file, you must have at least READ permission; to decrypt the file, you
must have at least WRITE permission.

Thanks.
Pat

"Che" wrote:

> Actually, I have the admin .PFX file imported in the Personal Certificates store.
> I rebooted the machine before encrypting the file and I still cannot open the EFS
> file for which admin is said to be the DRA.
>
> So if a user leaves or forgets the password, how could IT open the EFS files?
>
> Let me know if you need more information.
>
> Thanks
> Che
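As an added example (not code from the thread or from Microsoft), here is a PowerShell script that automates the two checks Pat lists in this post, together with his earlier point that a .CER import alone leaves you without the private key. The file path is a hypothetical placeholder, and the parsing of `cipher /c` output is an assumption based on its usual layout, which may differ between Windows builds.

```powershell
# Added example: automates the DRA checks discussed above. Not code from the thread.
# Assumptions (constructed for this example): the file path is hypothetical, and the
# "cipher /c" output layout parsed below may differ between Windows builds.
param([string]$Path = "C:\Data\report.doc")   # hypothetical encrypted file

$EfsOid = "1.3.6.1.4.1.311.10.3.4"     # Enhanced Key Usage: Encrypting File System
$DraOid = "1.3.6.1.4.1.311.10.3.4.1"   # Enhanced Key Usage: File Recovery

# Check 1 (and the .CER vs .PFX point): list EFS and File Recovery certificates in
# the Personal store and whether each one has its private key available.
function Get-EfsCertificate {
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { continue }
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $role = $null
        if ($oids -contains $DraOid) { $role = "File Recovery" } elseif ($oids -contains $EfsOid) { $role = "EFS" }
        if (-not $role) { continue }
        [pscustomobject]@{
            Role          = $role
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint.ToUpperInvariant()
            HasPrivateKey = $cert.HasPrivateKey   # False means only the .CER was imported
        }
    }
}

# Check 1, file side: read the recovery-agent thumbprints stamped on the file.
# Assumes "cipher /c" prints a "Recovery Certificates:" section followed by
# "Certificate thumbprint: XXXX XXXX ..." lines for each agent.
function Get-RecoveryAgentThumbprint([string]$File) {
    $inRecovery = $false
    foreach ($line in (& cipher.exe /c $File)) {
        if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match 'thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

$mine = @(Get-EfsCertificate)
$mine | Format-Table -AutoSize
foreach ($t in @(Get-RecoveryAgentThumbprint $Path)) {
    $hit = $mine | Where-Object { $_.Role -eq 'File Recovery' -and $_.Thumbprint -eq $t }
    if (-not $hit)                   { "DRA $t on the file is not in your Personal store" }
    elseif (-not $hit.HasPrivateKey) { "DRA $t is present but has no private key: import the .PFX" }
    else {
        # Check 2: the cert and key are fine, so the remaining suspect is the NTFS ACL.
        "DRA $t matches and has a private key; review the NTFS permissions:"
        (Get-Acl $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    }
}
```

Run it in the session of the account that is supposed to be the DRA, since the Cert:\CurrentUser\My store and EFS key access are both per-user.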
 

Pat:

I logged in as admin and ran certmgr.msc. In the Personal > Certificates folder, I
have 2 certificates for admin. One with intended purpose "Encrypting File
System" and the other "File Recovery". I looked at the admin File Recovery
certificate and the thumbprint matched the one from the properties of the EFS
file.

Am I running into this because I don't have Active Directory set up?

Thanks again.

Che

"Pat Hoffer [MSFT]" wrote:

> Check the following:
> 1. Confirm the DRA certificate applied to the file. (I'm assuming you've
> added this certificate to group policy on the machine.) Log onto the machine
> as the Admin who is the DRA. Open the encrypted file's properties, click
> Advanced > Details, and note the certificate thumbprint of the data recovery
> agent that applied to the file. Then run certmgr.msc to open your Personal
> Certificates store, open your DRA certificate to the Details page, and scroll
> down to see the thumbprint. This should match the DRA thumbprint on the file.
> 2. Confirm the admin who is DRA has NTFS permissions on the file. To open
> the file, you must have at least READ permission; to decrypt the file, you
> must have at least WRITE permission.
>
> Thanks.
> Pat
 

Forgot to add the NTFS rights: admin has Full Control access to the folder.
I tried on a different drive & folder and got the same error.

Thanks
Che

"Pat Hoffer [MSFT]" wrote:

> Check the following:
> 1. Confirm the DRA certificate applied to the file. (I'm assuming you've
> added this certificate to group policy on the machine.) Log onto the machine
> as the Admin who is the DRA. Open the encrypted file's properties, click
> Advanced > Details, and note the certificate thumbprint of the data recovery
> agent that applied to the file. Then run certmgr.msc to open your Personal
> Certificates store, open your DRA certificate to the Details page, and scroll
> down to see the thumbprint. This should match the DRA thumbprint on the file.
> 2. Confirm the admin who is DRA has NTFS permissions on the file. To open
> the file, you must have at least READ permission; to decrypt the file, you
> must have at least WRITE permission.
>
> Thanks.
> Pat
 

Well, you've stumped me. Everything seems to be in order:
1. Your File Recovery cert applied to the file.
2. You have Full Control to the file.
3. You are logged onto the machine where the file lives and have the File
Recovery cert/key in your Personal certificates store.
There's something missing. Sorry I can't figure it out. Please let me know
if you do. Maybe you can find the answer in one of these:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_phvy.asp (Scroll down to "Taking Recovery Precautions.")

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Thanks.
Pat

"Che" wrote:

> Forgot to add the NTFS rights: admin has Full Control access to the folder.
> I tried on a different drive & folder and got the same error.
>
> Thanks
> Che