[gptalk] data recovery agent in group policy

  • From: "Matt Diglio" <matt.diglio@xxxxxxxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 14 Mar 2007 06:34:22 -0700

Hello,
I am having some problems verifying whether we have a recovery agent for our domain.
Users can encrypt, but if I log in as Administrator I cannot read these files; I get an
"access denied" error.
I have a Windows 2003 domain, and the CA is on the Domain Controller.

I do not see the Encrypted Data Recovery Agents section here:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies

In that same section, under the 'Encrypting File System' key, it shows a file
recovery certificate issued to Administrator.
When I right-click > Add Data Recovery Agent > and select the administrator, I
receive this error:
"The selected user has no certificates suitable for Encrypted File System
recovery and cannot be added as a recovery agent."

Here is the output of efsinfo for a file named a.txt:
a.txt: Encrypted
Users who can decrypt:
domain\matttest (matttest(matttest@xxxxxxxxxx))
Certificate thumbprint: 51A1 C123 E475 197F 62D1 1D93 C207 5F54 7179 611A
Recovery Agents:
Unknown (Administrator(Administrator@xxxxxxxxxx))
Certificate thumbprint: 11C6 F26A 1234 4321 024A 9176 19D1 DA1B 7A1A D4D2

I can find the administrator (Recovery Agent) thumbprint in my Enterprise CA
snap-in, and it says "Cert OK".

Thanks for any help you can give me.
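The efsinfo output quoted above carries the two facts that decide whether recovery can work at all: which certificate thumbprint is recorded in the file's recovery field, and whether efsinfo could map that certificate to an account (it prints "Unknown" when it cannot). The following parser and check are an added example for this thread, not code from the original post or from any Microsoft tool; the sample text is a constructed copy of the quoted efsinfo output with placeholder mail domains, and the policy thumbprint set is a constructed stand-in for what an administrator would read out of the GPO's Encrypting File System node.

```python
"""Parse efsinfo's text output and sanity-check the recovery agents it lists.

Added example, not part of the original mailing-list post. efsinfo is a
Windows Resource Kit tool; this script only consumes its printed output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the efsinfo output quoted in the post.
SAMPLE_EFSINFO = """\
a.txt: Encrypted
Users who can decrypt:
domain\\matttest (matttest(matttest@example.invalid))
Certificate thumbprint: 51A1 C123 E475 197F 62D1 1D93 C207 5F54 7179 611A
Recovery Agents:
Unknown (Administrator(Administrator@example.invalid))
Certificate thumbprint: 11C6 F26A 1234 4321 024A 9176 19D1 DA1B 7A1A D4D2
"""

# Thumbprints of the DRA certificates published in the domain's EFS policy.
# Constructed placeholder: in practice, read these from the GPO node
# Public Key Policies > Encrypting File System.
POLICY_DRA_THUMBPRINTS = {
    "11C6F26A12344321024A917619D1DA1B7A1AD4D2",
}


@dataclass
class Principal:
    display: str      # the name efsinfo printed, e.g. "domain\\user (...)"
    thumbprint: str   # normalised: 40 uppercase hex characters, no spaces


@dataclass
class EfsFileInfo:
    path: str
    encrypted: bool
    users: list = field(default_factory=list)
    recovery_agents: list = field(default_factory=list)


def normalise_thumbprint(text):
    """Collapse 'AAAA BBBB ...' into a 40-character uppercase SHA-1 hex string."""
    hexs = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(hexs) != 40:
        raise ValueError(f"bad thumbprint: {text!r}")
    return hexs


def parse_efsinfo(output):
    """Turn one file's efsinfo /u /r output into an EfsFileInfo."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    path, _, status = lines[0].rpartition(": ")
    info = EfsFileInfo(path=path, encrypted=(status == "Encrypted"))
    section = None   # list currently being filled (users or recovery agents)
    pending = None   # principal line waiting for its thumbprint line
    for ln in lines[1:]:
        if ln == "Users who can decrypt:":
            section = info.users
        elif ln == "Recovery Agents:":
            section = info.recovery_agents
        elif ln.startswith("Certificate thumbprint:"):
            if section is None or pending is None:
                raise ValueError("thumbprint line without a preceding principal")
            section.append(Principal(pending, normalise_thumbprint(ln.split(":", 1)[1])))
            pending = None
        else:
            pending = ln
    return info


def check_recovery_agents(info, policy_thumbprints):
    """Return a list of findings; an empty list means the DRA data looks consistent."""
    findings = []
    if info.encrypted and not info.recovery_agents:
        findings.append("no recovery agent recorded: no EFS DRA policy applied when the file was encrypted")
    for ra in info.recovery_agents:
        if ra.display.startswith("Unknown"):
            findings.append(f"recovery agent {ra.thumbprint}: account shown as Unknown, "
                            "certificate could not be matched to a user")
        if ra.thumbprint not in policy_thumbprints:
            findings.append(f"recovery agent {ra.thumbprint}: not among the DRA certificates published in policy")
    return findings


if __name__ == "__main__":
    parsed = parse_efsinfo(SAMPLE_EFSINFO)
    for finding in check_recovery_agents(parsed, POLICY_DRA_THUMBPRINTS) or ["no findings"]:
        print(finding)
```

Run against the quoted output, the check reports one finding: the recorded DRA thumbprint does match the policy certificate, but efsinfo could not resolve that certificate to an account. A matching thumbprint in the file only proves the policy was in effect when the file was encrypted; decrypting still requires the private key belonging to that certificate to be present in the profile performing the recovery, which is the next thing worth confirming in the Administrator's personal certificate store.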
