
EFS - Recovery agent

Anonymous
March 27, 2005 7:14:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello all,

Microsoft says, in its Windows 2000 Resource Kit, what follows:

QUOTE
=====
By default, the recovery agent account is the highest-level
Administrator account. On a stand-alone computer, this is the local
Administrator.
END QUOTE
=========

I encrypted a file in a Windows Pro standalone using a regular user.
Then I logged on as local administrator but was denied access to the file.
So why can't the local admin decrypt the file? Shouldn't it be
granted such a right by default?

Thank you for your time. I'm a bit confused about this.

Bar


Anonymous
March 27, 2005 9:49:37 PM

That info you quote is so for Windows 2000.
In Windows XP there is no default recovery agent for
a stand alone system.
You have not mentioned your version of Windows Pro.

Also, the account must have NTFS permissions on the
file to be able to decrypt it.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"barabba" <barabba72@hotmail.com> wrote in message
news:8ec33ba5.0503271514.1fa0dd3a@posting.google.com...
> Hello all,
>
> Microsoft says, in its Windows 2000 Resource Kit, what follows:
>
> QUOTE
> =====
> By default, the recovery agent account is the highest-level
> Administrator account. On a stand-alone computer, this is the local
> Administrator.
> END QUOTE
> =========
>
> I encrypted a file in a Windows Pro standalone using a regular user.
> Then I logged on as local administrator but was denied access to the file.
> So why can't the local admin decrypt the file? Shouldn't it be
> granted such a right by default?
>
> Thank you for your time. I'm a bit confused about this.
>
> Bar
Anonymous
March 28, 2005 12:01:17 PM

Thank you very much for your answer. I should have read better along the lines ;-)

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:<e0RxE#yMFHA.2580@TK2MSFTNGP09.phx.gbl>...
> That info you quote is so for Windows 2000.
> In Windows XP there is no default recovery agent for
> a stand alone system.
> You have not mentioned your version of Windows Pro.
>
> Also, the account must have NTFS permissions on the
> file to be able to decrypt it.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "barabba" <barabba72@hotmail.com> wrote in message
> news:8ec33ba5.0503271514.1fa0dd3a@posting.google.com...
> > Hello all,
> >
> > Microsoft says, in its Windows 2000 Resource Kit, what follows:
> >
> > QUOTE
> > =====
> > By default, the recovery agent account is the highest-level
> > Administrator account. On a stand-alone computer, this is the local
> > Administrator.
> > END QUOTE
> > =========
> >
> > I encrypted a file in a Windows Pro standalone using a regular user.
> > Then I logged on as local administrator but was denied access to the file.
> > So why can't the local admin decrypt the file? Shouldn't it be
> > granted such a right by default?
> >
> > Thank you for your time. I'm a bit confused about this.
> >
> > Bar
Anonymous
March 29, 2005 4:39:56 AM

If you do have XP Pro, then defining a DRA is advised, as are
other loss preventatives such as making a password reset disk
and exporting and preserving the EFS cert/key (both actions for
any account that uses EFS). See
http://www.microsoft.com/technet/prodtechnol/winxppro/d...


--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"barabba" <barabba72@hotmail.com> wrote in message
news:8ec33ba5.0503280801.4f9254d8@posting.google.com...
> Thank you very much for your answer. I should have read better along the lines ;-)
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:<e0RxE#yMFHA.2580@TK2MSFTNGP09.phx.gbl>...
> > That info you quote is so for Windows 2000.
> > In Windows XP there is no default recovery agent for
> > a stand alone system.
> > You have not mentioned your version of Windows Pro.
> >
> > Also, the account must have NTFS permissions on the
> > file to be able to decrypt it.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "barabba" <barabba72@hotmail.com> wrote in message
> > news:8ec33ba5.0503271514.1fa0dd3a@posting.google.com...
> > > Hello all,
> > >
> > > Microsoft says, in its Windows 2000 Resource Kit, what follows:
> > >
> > > QUOTE
> > > =====
> > > By default, the recovery agent account is the highest-level
> > > Administrator account. On a stand-alone computer, this is the local
> > > Administrator.
> > > END QUOTE
> > > =========
> > >
> > > I encrypted a file in a Windows Pro standalone using a regular user.
> > > Then I logged on as local administrator but was denied access to the file.
> > > So why can't the local admin decrypt the file? Shouldn't it be
> > > granted such a right by default?
> > >
> > > Thank you for your time. I'm a bit confused about this.
> > >
> > > Bar
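
The loss-prevention steps recommended in the last reply (define a DRA, export each user's EFS cert/key), sketched with the built-in `cipher` tool as an added example that is not part of the original posts. The folder `C:\EFS-Recovery`, the file base names and the function names are assumptions chosen for illustration; `cipher /r` and `cipher /x` prompt interactively for a password to protect the exported .PFX.

```powershell
# Added example; paths, file names and function names are assumptions.
$RecoveryDir = 'C:\EFS-Recovery'                 # assumed working folder
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null

# Run as the administrator who will act as data recovery agent (DRA).
function New-DraKeyPair {
    $base = Join-Path $RecoveryDir 'dra'         # cipher appends .CER and .PFX
    cipher "/r:$base"                            # prompts for a PFX password
    foreach ($ext in '.CER', '.PFX') {
        if (-not (Test-Path "$base$ext")) {
            throw "cipher /r did not produce $base$ext"
        }
    }
    # Next step is manual: add dra.CER as a Data Recovery Agent under
    #   secpol.msc > Public Key Policies > Encrypting File System.
    # Keep dra.PFX offline; import it only when a recovery is needed.
    return "$base.CER"
}

# Run as each account that uses EFS: back up its EFS certificate and key.
function Backup-UserEfsKey {
    $base = Join-Path $RecoveryDir "efs-$env:USERNAME"   # cipher appends .PFX
    cipher /x $base                              # prompts for a PFX password
    if (-not (Test-Path "$base.PFX")) {
        throw "cipher /x did not produce $base.PFX (no EFS certificate yet?)"
    }
    return "$base.PFX"
}

# Run as each EFS user AFTER the DRA is in policy: files encrypted earlier
# carry no recovery field for the new agent until they are updated.
function Update-EncryptedFiles {
    cipher /u /n      # list the encrypted files on local drives, change nothing
    cipher /u         # update them to the current user key and recovery agent
}
```

Files encrypted before the DRA existed stay unrecoverable by the agent until `Update-EncryptedFiles` has been run by a user who can open them, and, as noted in the thread, the recovering account still needs NTFS permissions on the file.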