Anyone out there actually using the DRA (Data Recovery Agent)


David Hopstadius
April 16th 03, 09:54 AM
Hi all

I have never even once been able to recover a file with
the DRA after taking ownership of the file. Isn't that
what it's all about?

It works fine if I import the certificate of the user
(.pfx file) to the administrator, but admin is not
supposed to have to have all the certificates of the user,
is he??

If anyone is successfully using the DRA, please let me
know. I'm thankful for any hint here.

David Hopstadius

Steven Liu [MSFT]
April 17th 03, 10:07 AM
Hi David,

To create the Data Recovery Agent:

1. From a command prompt type: CIPHER /R:filename
   /R generates a PFX and a CER file with a self-signed EFS recovery
   certificate in them.
   filename = a filename without extension.

This command will generate filename.PFX (for data recovery) and
filename.CER (for use in the policy). The certificate is generated in
memory and deleted when the files are generated. Once the keys have been
generated, the certificate should be imported into the local policy and
the private keys stored in a secure location.

2. Open the Local Policy Editor. Go to Public Key Policies\Encrypting File
System. Right-click and choose to add a data recovery agent. This starts
the Data Recovery Agent Wizard; choose to browse files to the filename.cer
that you created.

3. Now open up the MMC and add the Certificates snap-in. Choose the
logged-on user. Go to the personal store of that user, right-click, go to
All Tasks and choose to import a certificate. Browse to the filename.pfx
that you created. You will have to change the drop-down box to .pfx files;
it will default to .cer files. Enter the password that you specified when
you created the keys with cipher. Place it in the personal store.

4. It is always a good idea to export the DRA key and place it in a safe
location.


More information:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/support/dataprot.asp

Q308991 HOW TO: Share Access to an Encrypted File in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q308991


Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Online Support Professional



This posting is provided "AS IS" with no warranties, and confers no
rights.
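The steps above install the agent but give no way to tell whether a particular encrypted file actually carries a recovery field for it, which is what decides whether the agent can open the file. The following PowerShell check is an added example, not code from this thread or from Microsoft; it assumes a cipher.exe that supports the /C switch (Windows Vista and later, not the XP-era tool discussed here), the filename.cer produced by step 1, and placeholder file paths.

```powershell
# Added example: verify that an EFS-encrypted file has a Data Recovery Field
# (DRF) for the DRA certificate produced by "cipher /r:filename".
# Assumption: cipher.exe with /C (Windows Vista or later); paths are placeholders.

function Get-CertThumbprint {
    param([Parameter(Mandatory)][string]$CerPath)
    $full = (Resolve-Path $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    return $cert.Thumbprint.ToUpperInvariant()   # SHA-1 hex, no spaces
}

function Test-EfsRecoveryAgent {
    param(
        [Parameter(Mandatory)][string]$Path,    # encrypted file to inspect
        [Parameter(Mandatory)][string]$DraCer   # filename.cer from cipher /r
    )
    $want = Get-CertThumbprint $DraCer
    # "cipher /c" lists "Users who can decrypt" and "Recovery Certificates";
    # each entry is followed by a "Certificate thumbprint:" line.
    $lines = & cipher.exe /c $Path 2>&1
    $inRecovery = $false
    foreach ($line in $lines) {
        if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
        if ($line -match 'Users who can decrypt|Key Information') { $inRecovery = $false; continue }
        if ($inRecovery -and $line -match 'thumbprint') {
            # cipher prints the thumbprint in space-separated hex groups; normalise it
            $seen = (($line -split ':', 2)[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
            if ($seen -eq $want) { return $true }
        }
    }
    return $false
}

# A file encrypted before the DRA policy reached this machine has no DRF for
# the agent; "cipher /u" re-touches encrypted files so they pick up the
# current recovery key. Placeholder paths below.
if (-not (Test-EfsRecoveryAgent -Path 'C:\data\secret.txt' -DraCer 'C:\dra\filename.cer')) {
    Write-Warning 'No DRF for this agent: run "cipher /u" (or re-encrypt) before expecting recovery to work.'
}
```

Run this as the user who encrypted the file, since cipher /c can only read the metadata of files the caller can open.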

David Hopstadius
December 5th 03, 07:38 PM
Thanks!

Now it works fine in a workgroup, but I can't make it
work in the 2000 (AD) domain. When I read the MS doc on
the subject it seems that it should all work
automatically when you join the domain. Yes, the policy
is in place, admin becomes DRA for all files, but when he
tries he still can't recover them!!!

How are you supposed to do this??

Thankful for any hint
/David Hopstadius

Steven Liu [MSFT]
December 5th 03, 07:40 PM
Hi David,

We can refer to the following article:

241201 HOW TO: Back Up the Recovery Agent Encrypting File System Private
Key in
http://support.microsoft.com/?id=241201

255742 Methods for Recovering Encrypted Data Files
http://support.microsoft.com/?id=255742

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Online Support Professional


