Recovery Agent configured in GPO, but cannot see it in Encryption


daniel_theracer
February 23rd 06, 04:11 PM
Hi MS folks!

I'm a bit stressed; my users work with their EFS certificates and do a lot of
encrypting.
I now discovered that if I look at the encryption details of a file, there is
no RA displayed.
But I configured two accounts as RAs.

What can I do?

Domain Policy is defined and configured.
When I look at the local security policy of a domain computer I cannot see
anything
= "no policy defined"

Pls. help!
Thank you very much,
Daniel

Steven L Umbach
February 24th 06, 03:02 AM
Just because you cannot see it in Local Security Policy does not mean that
it is not enabled; that just means there is nothing defined in Local
Security Policy. Run rsop.msc on a computer to see if it shows as configured
via your domain Group Policy, and you can also examine the properties of an
EFS file in Properties/Advanced - Details [or use efsinfo] to see if an RA is
associated with the EFS file. --- Steve
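
Steve's two checks above (what the file's Details dialog shows, and whether the EFS recovery policy actually landed on the machine) can be scripted for a whole directory tree. The following is an added example written for this page, not code from either poster. It assumes Windows Vista or later, where cipher.exe /c prints a "Recovery Certificates:" section per encrypted file (efsinfo, the XP Support Tools command Steve names, is the older equivalent), that cipher's output is in English, and that Group Policy writes the applied EFS recovery policy under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS (an assumption about the key name; rsop.msc stays the authoritative view).

```powershell
# Added example, not from the original thread.
# Lists the user and recovery certificates bound to each EFS-encrypted file
# under a path and flags files that carry no recovery agent at all.
# Assumptions: Windows Vista+ (cipher.exe /c), English cipher output; the
# section header strings below are copied from that output.
function Get-EfsRecoveryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    # Only files with the Encrypted attribute are worth asking cipher about.
    $files = Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

    foreach ($f in $files) {
        $out = & cipher.exe /c $f.FullName 2>&1 | Out-String

        # cipher prints one "Certificate thumbprint:" line per certificate,
        # grouped under "Users who can decrypt:" and "Recovery Certificates:".
        $section = ''
        $users  = New-Object System.Collections.Generic.List[string]
        $agents = New-Object System.Collections.Generic.List[string]
        foreach ($line in ($out -split "`r?`n")) {
            switch -Regex ($line) {
                '^\s*Users who can decrypt:' { $section = 'users';  continue }
                '^\s*Recovery Certificates:' { $section = 'agents'; continue }
                '^\s*Key Information:'       { $section = '';       continue }
                '^\s*Certificate thumbprint:\s*(.+)$' {
                    # Normalise "AB12 CD34 ..." to "AB12CD34..." for comparison.
                    $tp = ($Matches[1] -replace '\s', '').ToUpperInvariant()
                    if ($section -eq 'users')  { $users.Add($tp) }
                    if ($section -eq 'agents') { $agents.Add($tp) }
                }
            }
        }

        [pscustomobject]@{
            File                = $f.FullName
            UserThumbprints     = $users.ToArray()
            RecoveryThumbprints = $agents.ToArray()
            HasRecoveryAgent    = ($agents.Count -gt 0)
        }
    }
}

# Thumbprints of the RA certificates Group Policy has delivered to this machine.
# Assumption: the applied EFS policy lives under this key, with one subkey per
# certificate named by thumbprint; if the key is absent, no EFS policy applied.
function Get-EfsPolicyRecoveryThumbprints {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    (Get-ChildItem -LiteralPath $key).PSChildName |
        ForEach-Object { $_.ToUpperInvariant() }
}

# Cross-check: which encrypted files lack one or more of the policy's RAs?
function Find-EfsFilesMissingPolicyAgents {
    param([Parameter(Mandatory)] [string] $Path, [switch] $Recurse)
    $policyRAs = @(Get-EfsPolicyRecoveryThumbprints)
    Get-EfsRecoveryStatus -Path $Path -Recurse:$Recurse | Where-Object {
        $file = $_
        # No policy on the box is itself a finding, so report every file then.
        $policyRAs.Count -eq 0 -or
        ($policyRAs | Where-Object { $file.RecoveryThumbprints -notcontains $_ }).Count -gt 0
    }
}

# Usage: Find-EfsFilesMissingPolicyAgents -Path "$env:USERPROFILE\Documents" -Recurse |
#            Format-Table File, HasRecoveryAgent, RecoveryThumbprints -AutoSize
```

A file that reports HasRecoveryAgent = False after a fresh encryption, while Get-EfsPolicyRecoveryThumbprints returns the expected thumbprints, reproduces exactly the symptom in this thread: the policy is present on the client but EFS is not adding the RA to new files. A file encrypted before the RA policy existed keeps its old data-recovery field until it is next opened and rewritten, which is why Steve asks about files that have not been accessed since.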

daniel_theracer
February 24th 06, 08:28 AM
Hi Steve!

Sorry for the misunderstanding.

The domain group policy is defined, autoenrollment is enabled, and two accounts
are entered as recovery agents.

On the client all group policies are applied, but in the details of an
EFS-encrypted file I still cannot see any RA....
Regards,
Daniel

Steven L Umbach
February 24th 06, 07:29 PM
Did running rsop.msc on that computer show the RA was defined by the domain
GPO? Possibly the file was encrypted before an RA was configured and has not
been accessed since. Try opening the file to see if an RA shows after closing
it, or create a new EFS file to see what shows. If that all fails then
maybe there is a problem with GP applying to the computer. Usually that will
show as userenv errors/warnings in the application log. The support tool
gpresult can also show what Group Policies are being applied to the computer
and the last time they were applied. The certificates that you added to the
domain GP need to be RA certificates when you view them. --- Steve

daniel_theracer
February 27th 06, 11:37 AM
Hi Steven!

Thank you for your tips....

gpresult says all policies applied successfully,
especially the EFS Recovery Policy.
I checked the certificates twice; they are made from an EFS Recovery template.

I created a file and encrypted it 4 mins. ago; no RA is defined....

Is there a possibility to reset the EFS portion of Windows XP so that it
reloads the GPO settings?

We now have several users who need their files recovered.....
Bad situation.

Regards,
Daniel

Steven L Umbach
March 1st 06, 07:03 AM
On the computer where you created the EFS files that do not show an RA, try
running rsop.msc and then look at the results [if any] under Computer
Configuration/Windows Settings/Security Settings/Public Key
Policies/Encrypting File System. Does anything [such as RA certificates] show
there? It should if that computer is in the scope of management of the Group
Policy that has the RAs configured, which should be all computers if done at
the domain level and Authenticated Users have Read and Apply permissions to
the GPO, as shown in the Properties/Security of the GPO. If certificates show
there, are they valid, in that they have not expired as shown in the valid
from/to dates on the General page? Group Policy settings can be forced to refresh
with the command gpupdate /force when run on the domain workstation. If
rsop.msc does not show the certificates and you feel that they should show
because of the domain Group Policy configuration, you may have a problem with DNS
configuration in your domain; to start with I would review the ADS DNS
FAQ at the link below to make sure your DNS is correct. It would also be a
good idea to run the support tool netdiag on the domain controllers and
domain workstation to see if any problems are found, such as with DNS, DC
discovery, domain membership, Kerberos, and trust/secure channel. I would
also run gpotool on at least one domain controller [such as the PDC FSMO] to see
if there is a problem with Group Policy replication or version numbers. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

daniel_theracer
March 1st 06, 10:50 AM
Hi Steven!

Thank you again for your help.

rsop.msc reports both certificates as RA = File Recovery Agents.
We have a single domain with 11 DCs around the world and about 900 users, with
a lot of group policies; they are all working fine.
All policies are successfully replicated all over the domain.
Random RSOP queries for sample users and machines all tell the same:
EFS enabled, both certificates defined as RAs.

dcdiag and netdiag on the relevant domain controllers passed completely.
Also, our DNS is well configured.

The one and only point I remember is that this cert. auth. is our 3rd one.
We uninstalled the other ones in the past and installed this cert. auth.
around 6 months ago.

All DCs have valid certificates from the current CA; also the RAs are
created from this CA and are valid.

The root certificate is valid for clients through group policy (domain root
cert. auth.).

What else can we do?

Thank you for your help.
Regards,
Daniel

Steven Umbach
March 1st 06, 03:40 PM
Hi Daniel.

That is very curious, that the computer acknowledges the RAs by what you see in
rsop.msc but does not use them when EFS files are created. Offhand I cannot
think of a reason why and have never seen that. I suggest that you also post in
microsoft.public.security.crypto [it is available on the news server
news.microsoft.com if your news server does not have it] and give the same
details: that rsop.msc shows the computer displays the RAs, the certificates
appear valid, and a newly encrypted file does not use them. If your
Certificate Authority is installed on Windows 2003 Enterprise Server you may
also want to look at using key archival for EFS certificates/private keys. ---
Steve

http://technet2.microsoft.com/WindowsServer/en/Library/296f87df-06c3-4e27-89ff-5283cb76fb811033.mspx
--- Key archival

Steven Umbach
March 1st 06, 04:08 PM
The other thing I would look at is to make sure your RA certificates are not
revoked for some reason, using the MMC Certificate Authority management console
to review revoked certificates. -- Steve
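
Steve's certificate checks in the thread, that the GPO certificates "need to be RA certificates when you view them", that they have not expired, and (in the post above) that the CA has not revoked them, can be done against the .cer files exported from the EFS policy node. The following is an added example for this page, not code from either poster. It assumes the File Recovery EKU OID 1.3.6.1.4.1.311.10.3.4.1 (the purpose the EFS Recovery Agent template issues), that certutil.exe is available (it ships with Windows), and that the .cer files were exported from the GPO editor; the CA-side query in the usage note assumes Disposition 21 means "revoked" in the CA database.

```powershell
# Added example, not from the original thread.
# Verifies that a recovery-agent certificate exported from the GPO is really
# an RA certificate, is inside its validity period, and still chains and is
# not revoked according to the CA's CRL/OCSP endpoints.
# Assumption: OID 1.3.6.1.4.1.311.10.3.4.1 is the File Recovery EKU.
function Test-EfsRecoveryAgentCert {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $CerPath)

    $FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
    $fullPath = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath

    # 1. Purpose: EFS only treats a certificate as a recovery agent when its
    #    Enhanced Key Usage contains File Recovery. A plain "EFS" user cert
    #    (1.3.6.1.4.1.311.10.3.4) will sit in the policy but never be used.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $isRa = $ekus -contains $FileRecoveryOid

    # 2. Validity period against the local clock (the "valid from/to" dates on
    #    the General tab Steve refers to).
    $now = Get-Date
    $inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # 3. Chain and revocation. -urlfetch makes certutil download the CRL/OCSP
    #    responses named in the certificate, so a stale local CRL cache does
    #    not mask a revocation. Non-zero exit code = chain did not verify;
    #    CRYPT_E_REVOKED in the output pins the failure to revocation.
    $verify   = & certutil.exe -verify -urlfetch $fullPath 2>&1 | Out-String
    $chainOk  = ($LASTEXITCODE -eq 0)
    $revoked  = [bool]($verify -match 'CRYPT_E_REVOKED')

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        EnhancedKeyUsages  = $ekus
        HasFileRecoveryEku = $isRa
        InValidityPeriod   = $inValidity
        ChainVerifies      = $chainOk
        Revoked            = $revoked
        # Keep the raw certutil text for the exact failure reason.
        CertutilOutput     = $verify
    }
}

# Usage: check every RA certificate exported from the GPO's EFS node.
#   Get-ChildItem .\ra-certs\*.cer |
#       ForEach-Object { Test-EfsRecoveryAgentCert -CerPath $_.FullName } |
#       Format-List Subject, Thumbprint, NotAfter, HasFileRecoveryEku,
#                   InValidityPeriod, ChainVerifies, Revoked
```

A certificate that passes all four properties but still does not appear on newly encrypted files points away from the certificate itself and back at policy application on the client, which is where gpupdate /force followed by gpresult /scope computer /v (look for the EFS recovery policy under Public Key Policies) comes in. To see Steve's revoked-certificate list without the MMC, run on the CA: certutil -view -restrict "Disposition=21" -out "RequestID,CommonName,SerialNumber,NotAfter" csv, and compare the serial numbers with the RA certificates' serials.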