#1
First, I apologize; this question is rather simple, and has already been
addressed. But I still can't get it to work.

I encrypt files with EFS on a user account on my standalone XP Pro
workstation. I wish to be able to access them from the admin account. I
therefore wish to enable the admin account as a data recovery agent. I have
done the following, while logged on to the admin account:
used cipher /R:filename
to generate a certificate (and private key)
used gpedit to add this certificate to the encryption policy.

However, I still cannot decrypt newly created files from the admin account;
there seems to be another step I need to complete. Perhaps I need to import
the private key I created into the admin account.

Can anyone tell me what I need to do, and tell me or point me to how?

Thanks!
#2
alexm wrote:
> First, I apologize; this question is rather simple, and has already been
> addressed. But I still can't get it to work.
>
> I encrypt files with EFS on a user account on my standalone XP Pro
> workstation. I wish to be able to access them from the admin account. I
> therefore wish to enable the admin account as a data recovery agent. I have
> done the following, while logged on to the admin account:
> used cipher /R:filename
> to generate a certificate (and private key)
> used gpedit to add this certificate to the encryption policy.
>
> However, I still cannot decrypt newly created files from the admin account;
> there seems to be another step I need to complete. Perhaps I need to import
> the private key I created into the admin account.
>
> Can anyone tell me what I need to do, and tell me or point me to how?

In order to designate the Administrator as a DRA, the computer must be part
of a Domain; and even then, it is the Domain Administrator who can be the
DRA, not the local Administrator. This alternate access method is
unavailable on stand-alone PCs.

--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
#3
"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message news:O9R%23Yv6DGHA.2292@tk2msftngp13.phx.gbl... > alexm wrote: > > First, I apologize; this question is rather simple, and has already been > > addressed. But I still can't get it to work. > > > > I encyrpt files with EFS on a user account on my standalone XP Pro > > workstation. I wish to be able to access to them from the admin account. I > > therefore wish to enable the admin account as a data recovery agent. I have > > done the following, while logged on to the admin account: > > used cipher /R:filename > > to generate a certificate (and private key) > > used gpedit to add this certificate to the encryption policy. > > > > However, I still cannot decrypt newly created files from the admin account; > > there seems to be another step I need to complete. Perhaps, I need to import > > the private key I created into the admin account. > > > > Can anyone tell me what I need to do, and tell me or point me to how? > > > > In order to designate the Administrator as a DRA, the computer must be > part of a Domain; and even then, it is the Domain Administrator who can > be the DRA, not the local Administrator. This alternate access method > is unavailable on stand-alone PCs. > > > Bruce Chambers > From what I read, you can set the administrator (at least that was what it looked like) as the DRA without being part of a domain. I tried that on mine (xp pro) and when I view the file properties - advanced - details, it shows both me as the key holder and the administrator as the DRA. 
http://support.microsoft.com/default...241201&sd=tech http://support.microsoft.com/default...b;en-us;223316 about 1/2 way down this one is some more info: http://www.techzonez.com/forums/arch...p/t-13009.html a multi-part article on encryption and recovery agents http://www.practicalpc.co.uk/computi...xpencrypt1.htm Here is some info from MS on "adding a recovery agent to a local computer" (watch the link wrap) http://www.microsoft.com/resources/d...t.mspx?pf=true also look at http://www.microsoft.com/resources/d..._overview.mspx There is also a bunch of info in the XP Resource Kit. mikey |
#4
Mike Fields wrote:
> "Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
> news:O9R%23Yv6DGHA.2292@tk2msftngp13.phx.gbl...
> > alexm wrote:
> > > First, I apologize; this question is rather simple, and has already been
> > > addressed. But I still can't get it to work.
> > >
> > > I encrypt files with EFS on a user account on my standalone XP Pro
> > > workstation. I wish to be able to access them from the admin account. I
> > > therefore wish to enable the admin account as a data recovery agent. I have
> > > done the following, while logged on to the admin account:
> > > used cipher /R:filename
> > > to generate a certificate (and private key)
> > > used gpedit to add this certificate to the encryption policy.
> > >
> > > However, I still cannot decrypt newly created files from the admin account;
> > > there seems to be another step I need to complete. Perhaps I need to import
> > > the private key I created into the admin account.
> > >
> > > Can anyone tell me what I need to do, and tell me or point me to how?
> >
> > In order to designate the Administrator as a DRA, the computer must be
> > part of a Domain; and even then, it is the Domain Administrator who can
> > be the DRA, not the local Administrator. This alternate access method
> > is unavailable on stand-alone PCs.
> >
> > Bruce Chambers
>
> From what I read, you can set the administrator (at least that was what it
> looked like) as the DRA without being part of a domain. I tried that on mine
> (xp pro) and when I view the file properties - advanced - details, it shows
> both me as the key holder and the administrator as the DRA.
>
> http://support.microsoft.com/default...241201&sd=tech
> http://support.microsoft.com/default...b;en-us;223316
> about 1/2 way down this one is some more info:
> http://www.techzonez.com/forums/arch...p/t-13009.html
> a multi-part article on encryption and recovery agents
> http://www.practicalpc.co.uk/computi...xpencrypt1.htm
> Here is some info from MS on "adding a recovery agent to a local
> computer" (watch the link wrap)
> http://www.microsoft.com/resources/d...t.mspx?pf=true
> also look at
> http://www.microsoft.com/resources/d..._overview.mspx
> There is also a bunch of info in the XP Resource Kit.
>
> mikey

My mistake, then. Thanks for the correction. It would also appear that this
KB Article may be pertinent:

The Local Administrator Is Not Always the Default Encrypting File System
Recovery Agent
http://support.microsoft.com/kb/255026/

--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
#5
"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message news:uo500F8DGHA.1120@TK2MSFTNGP11.phx.gbl... > Mike Fields wrote: > > "Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message > > news:O9R%23Yv6DGHA.2292@tk2msftngp13.phx.gbl... > > > >>alexm wrote: > >> > >>>First, I apologize; this question is rather simple, and has already > > > > been > > > >>>addressed. But I still can't get it to work. > >>> > >>>I encyrpt files with EFS on a user account on my standalone XP Pro > >>>workstation. I wish to be able to access to them from the admin > > > > account. I > > > >>>therefore wish to enable the admin account as a data recovery agent. > > > > I have > > > >>>done the following, while logged on to the admin account: > >>>used cipher /R:filename > >>>to generate a certificate (and private key) > >>>used gpedit to add this certificate to the encryption policy. > >>> > >>>However, I still cannot decrypt newly created files from the admin > > > > account; > > > >>>there seems to be another step I need to complete. Perhaps, I need > > > > to import > > > >>>the private key I created into the admin account. > >>> > >>>Can anyone tell me what I need to do, and tell me or point me to > > > > how? > > > >>In order to designate the Administrator as a DRA, the computer must be > >>part of a Domain; and even then, it is the Domain Administrator who > > > > can > > > >>be the DRA, not the local Administrator. This alternate access method > >>is unavailable on stand-alone PCs. > >> > >> > >>Bruce Chambers > >> > > > > > > From what I read, you can set the administrator (at least > > that was what it looked like) as the DRA without being > > part of a domain. I tried that on mine (xp pro) and when > > I view the file properties - advanced - details, it shows > > both me as the key holder and the administrator as the > > DRA. 
> > http://support.microsoft.com/default...241201&sd=tech > > http://support.microsoft.com/default...b;en-us;223316 > > about 1/2 way down this one is some more info: > > http://www.techzonez.com/forums/arch...p/t-13009.html > > a multi-part article on encryption and recovery agents > > http://www.practicalpc.co.uk/computi...xpencrypt1.htm > > Here is some info from MS on "adding a recovery agent to a local > > computer" (watch the link wrap) > > http://www.microsoft.com/resources/d...t.mspx?pf=true > > also look at > > http://www.microsoft.com/resources/d..._overview.mspx > > There is also a bunch of info in the XP Resource Kit. > > > > mikey > > My mistake, then. Thanks for the correction. It would also appear > that this KB Article may be pertinent: > > The Local Administrator Is Not Always the Default Encrypting File System > Recovery Agent > http://support.microsoft.com/kb/255026/ > > Bruce Chambers > Note that that only applies to Windows 2000 -- XP Pro does NOT require you to have a DRA (in 2k, that is one way to turn off EFS is to simply not have a DRA). XP allows you to only have yourself as the encryptor with no DRA required (and yet another trap door to drop through). Note also that in XP they have plugged a security hole that was in 2000 - in 2k, you (as an admin) could reset the users password to whatever you wanted then decrypt their files with their key (since you could now log in as them). In XP, if someone other than the user changes their password, it breaks the decryption (so be careful resetting a user password for them in a workstation environment). mikey |
#6
FYI a domain administrator can reset a domain user's password to gain access
to EFS files that the domain user encrypted as the user. However, what you
describe is true for non-domain user accounts, in that resetting the user
password will not allow access to the EFS files.

--- Steve

"Mike Fields" <spam_me_not_mr.gadget2@comcast.net> wrote in message
news:O3sOkg8DGHA.3868@TK2MSFTNGP09.phx.gbl...
> "Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
> news:uo500F8DGHA.1120@TK2MSFTNGP11.phx.gbl...
> > Mike Fields wrote:
> > > "Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
> > > news:O9R%23Yv6DGHA.2292@tk2msftngp13.phx.gbl...
> > > > alexm wrote:
> > > > > First, I apologize; this question is rather simple, and has already been
> > > > > addressed. But I still can't get it to work.
> > > > >
> > > > > I encrypt files with EFS on a user account on my standalone XP Pro
> > > > > workstation. I wish to be able to access them from the admin account. I
> > > > > therefore wish to enable the admin account as a data recovery agent. I have
> > > > > done the following, while logged on to the admin account:
> > > > > used cipher /R:filename
> > > > > to generate a certificate (and private key)
> > > > > used gpedit to add this certificate to the encryption policy.
> > > > >
> > > > > However, I still cannot decrypt newly created files from the admin account;
> > > > > there seems to be another step I need to complete. Perhaps I need to import
> > > > > the private key I created into the admin account.
> > > > >
> > > > > Can anyone tell me what I need to do, and tell me or point me to how?
> > > >
> > > > In order to designate the Administrator as a DRA, the computer must be
> > > > part of a Domain; and even then, it is the Domain Administrator who can
> > > > be the DRA, not the local Administrator. This alternate access method
> > > > is unavailable on stand-alone PCs.
> > > >
> > > > Bruce Chambers
> > >
> > > From what I read, you can set the administrator (at least that was what it
> > > looked like) as the DRA without being part of a domain. I tried that on mine
> > > (xp pro) and when I view the file properties - advanced - details, it shows
> > > both me as the key holder and the administrator as the DRA.
> > >
> > > http://support.microsoft.com/default...241201&sd=tech
> > > http://support.microsoft.com/default...b;en-us;223316
> > > about 1/2 way down this one is some more info:
> > > http://www.techzonez.com/forums/arch...p/t-13009.html
> > > a multi-part article on encryption and recovery agents
> > > http://www.practicalpc.co.uk/computi...xpencrypt1.htm
> > > Here is some info from MS on "adding a recovery agent to a local
> > > computer" (watch the link wrap)
> > > http://www.microsoft.com/resources/d...t.mspx?pf=true
> > > also look at
> > > http://www.microsoft.com/resources/d..._overview.mspx
> > > There is also a bunch of info in the XP Resource Kit.
> > >
> > > mikey
> >
> > My mistake, then. Thanks for the correction. It would also appear
> > that this KB Article may be pertinent:
> >
> > The Local Administrator Is Not Always the Default Encrypting File System
> > Recovery Agent
> > http://support.microsoft.com/kb/255026/
> >
> > Bruce Chambers
>
> Note that that only applies to Windows 2000 -- XP Pro does NOT require you
> to have a DRA (in 2k, one way to turn off EFS is to simply not have a DRA).
> XP allows you to have only yourself as the encryptor with no DRA required
> (and yet another trap door to drop through). Note also that in XP they have
> plugged a security hole that was in 2000 - in 2k, you (as an admin) could
> reset the user's password to whatever you wanted, then decrypt their files
> with their key (since you could now log in as them). In XP, if someone other
> than the user changes their password, it breaks the decryption (so be careful
> resetting a user's password for them in a workstation environment).
>
> mikey
#7
Yes, the RA must be logged onto a computer where the RA private key exists to
decrypt files as the RA. The .cer file contains the certificate and only the
public key. The .pfx file would contain the private key.

--- Steve

http://support.microsoft.com/default...b;EN-US;223316 --- EFS best practices
http://www.microsoft.com/technet/pro.../dataprot.mspx --- detailed info on EFS recovery

"alexm" <alexm@discussions.microsoft.com> wrote in message
news:CED09171-F5B5-4E90-8BE8-AEF3365A9B00@microsoft.com...
> First, I apologize; this question is rather simple, and has already been
> addressed. But I still can't get it to work.
>
> I encrypt files with EFS on a user account on my standalone XP Pro
> workstation. I wish to be able to access them from the admin account. I
> therefore wish to enable the admin account as a data recovery agent. I have
> done the following, while logged on to the admin account:
> used cipher /R:filename
> to generate a certificate (and private key)
> used gpedit to add this certificate to the encryption policy.
>
> However, I still cannot decrypt newly created files from the admin account;
> there seems to be another step I need to complete. Perhaps I need to import
> the private key I created into the admin account.
>
> Can anyone tell me what I need to do, and tell me or point me to how?
>
> Thanks!
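Steve's answer above names the step the original poster was missing: cipher /R writes two files, and only the .pfx carries the private key that the recovery agent's own account must hold. The PowerShell script below is an added example, written for this thread rather than taken from it or from Microsoft, that carries the stand-alone workstation procedure through to a verifiable result. It assumes you are logged on as the admin account that is to act as DRA, that cipher /R:dra has already produced dra.cer and dra.pfx, and that dra.cer has already been added to the EFS policy in gpedit, exactly as the poster described; the path C:\Recovery\dra.pfx and the function name Test-DraCertificate are assumptions. It uses the .NET X509 classes directly so it does not depend on cmdlets that older PowerShell lacks.

```powershell
# Added example (not from the thread): give the admin account a working EFS
# data recovery agent (DRA) key on a stand-alone XP Pro workstation.
# Assumes: logged on as the admin account; 'cipher /R:dra' already wrote
# dra.cer and dra.pfx; dra.cer is already in the EFS policy (gpedit.msc,
# Public Key Policies > Encrypting File System). Paths below are placeholders.

$pfxPath        = 'C:\Recovery\dra.pfx'        # assumed location of the cipher /R output
$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Enhanced Key Usage "File Recovery" (marks a DRA cert)

# 1. Import the .pfx into the admin's own Personal (CurrentUser\My) store.
#    The .cer holds only the public key; EFS can decrypt as DRA only when the
#    matching private key sits in the logged-on account's store. PersistKeySet
#    makes the private key stay in the store after the import.
$password = Read-Host -AsSecureString 'Password you chose when running cipher /R'
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $pfxPath, $password, $flags
$store    = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 2. Verify what actually landed in the store. Both conditions are needed for
#    recovery to work: a private key (the .pfx, not the .cer, was imported) and
#    the File Recovery EKU (the cert was made with cipher /R, not some other tool).
function Test-DraCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$c)
    if ($c -eq $null) { return $false }
    $recoveryEku = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $efsRecoveryOid }
    return [bool]($c.HasPrivateKey -and $recoveryEku)
}

$installed = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not (Test-DraCertificate $installed)) {
    throw 'Imported certificate lacks a private key or the File Recovery EKU; the admin cannot act as DRA'
}
Write-Host "DRA key installed for $($installed.Subject) (thumbprint $($installed.Thumbprint))"

# 3. Only files encrypted AFTER dra.cer entered the policy carry the DRA's
#    recovery field; files encrypted before that still have no entry for the
#    admin and will refuse to open. The user who owns those files (not the
#    admin) refreshes them once with cipher:
#      cipher /U /N   lists the encrypted files that would be touched
#      cipher /U      rewrites them with the current DRA from policy
Write-Host 'Existing files: have each encrypting user run "cipher /U" (preview with "cipher /U /N").'

# 4. Do not leave the recovery key next to the data it can recover: once the
#    import is verified, move dra.pfx to removable media kept elsewhere and
#    delete the local copy (the -Confirm prompt is a last check before deletion).
Remove-Item -Path $pfxPath -Confirm
```

Test-DraCertificate returns $true only when both the private key and the File Recovery EKU are present, which is the check to run whenever "the admin is listed as DRA in the file's details but still cannot open it". One caveat follows from Mike's remark about password resets: the imported private key is protected by the admin account's own logon secret, so on XP a reset of the admin password by another account loses access to that key as well; keep the exported .pfx (and its password) as the durable copy.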