
How to add a domain user as a Data Recovery Agent

Posted by dln on June 30, 2006, 1:48 pm
Hello All,

I just want to start by stating that I know very little about how to
properly implement a PKI - I've been trying to pick things up as I go, but I
know that I have a lot more to learn on the topic. Please excuse any
questions or statements that appear naive, or unknowledgeable.

I'm trying to figure out how to add a non-privileged domain user account as
a Data Recovery Agent. I've got a Windows 2003 native mode domain and a
W2K3 based Root CA installed and the CA's root certificate has been added to
the domain's "Trusted Root Certification Authorities". For the two user
accounts that I want to act as data recovery agents, I've granted them read
and enroll permissions on the EFSRecovery template and then made sure that
the EFS Recovery Agent certificate template is published by my Root CA. I
can enroll both users for an EFS Recovery Agent certificate. I don't know
if everything I've done up to this point is correct, but since I got the
certificate, I've proceeded under the assumption that it is.

I then go to the Default Domain Policy for my domain, and under Computer
Configuration->Windows Settings->Public Key Policies->Encrypting File
System, I add the users as data recovery agents. I can "Create a data
recovery agent" for the Domain Administrator account and I've tested the
domain admin in regards to recovering encrypted files - this much works.
However, I can't seem to get my non-admin users to act as recovery agents.
This is what I've tried so far:

1. Exported the users' enrolled certificates to a file and then used the
GPMC to import them into the Default Domain Policy
2. Used the certificate manager MMC snap-in to copy the certificate from the
user's local store to the user's AD account and then used the GPMC to browse
the directory for the user.
3. Copied the EFSRecovery template to a new template, granted the same users
the read, enroll, and autoenroll permissions; issued the template on the CA;
ensured the users received their certificate; and then enrolled them as in
step 2.
4. Delegated authority to the GPO to the recovery agent users and then used
GPMC to enroll the users as I did the Domain Admin.

In all cases, I was able to add the appropriate users as recovery agents.
However, newly encrypted files never have the non-admin users listed as
Data Recovery Agents; only the Domain Administrator account is ever listed.
I can even create another account that is a domain admin and add them to the
GPO and that admin account will also show up as a Data Recovery Agent for
newly encrypted files. This problem seems to be limited to non-admin
accounts.

What am I doing wrong? Do I have the root CA configured improperly or is
there some trick about adding data recovery agents that I've missed? If
anybody could shed some light on the problem, I would greatly appreciate it.

Thanks,

DLN



Posted by ac on June 30, 2006, 3:29 pm
I face an almost similar problem. I managed to add both a domain admin and a
non-admin user (both have a valid file recovery certificate) as recovery agents
in the GPO. However, neither of them is listed as a data recovery agent in the
advanced properties of an encrypted file on a workstation where the GPO is applied.

Hope there are some experts out there who can help advise what the causes
and the solution could be. Thanks in advance.

--
ac



Posted by Steven L Umbach on June 30, 2006, 11:28 pm
Did you run rsop.msc on the domain computer to see what is shown for RA
certificates? If certificates are shown, are the dates valid, does File
Recovery show in the Enhanced Key Usage field on the Details page, and
does the Certification Path page show that the certificate is OK? --- Steve


> I face an almost similar problem. I managed to add both a domain admin and a
> non-admin user (both have a valid file recovery certificate) as recovery agents
> in the GPO. However, neither of them is listed as a data recovery agent in the
> advanced properties of an encrypted file on a workstation where the GPO is
> applied.
>
> Hope there are some experts out there who can help advise what the causes
> and the solution could be. Thanks in advance.
>
> --
> ac
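The checks Steve lists (validity dates, the File Recovery enhanced key usage, and a certification path that resolves to a trusted root) can be scripted on a workstation that has received the policy, which is quicker than clicking through rsop.msc on several machines. The script below is an added example for this thread, not code from any poster or from Microsoft. It assumes that Group Policy delivers the data recovery agent certificates to the registry under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates, one subkey per thumbprint with a serialized "Blob" value; the function names are mine.

```powershell
# Added example: enumerate the EFS data recovery agent certificates delivered by
# Group Policy and apply the rsop.msc checklist (dates, File Recovery EKU, chain).
# Assumption: policy stores DRA certificates as serialized CERT_STORE elements under
# the registry key below. Function names are hypothetical, not a Microsoft API.

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # szOID_EFS_RECOVERY ("File Recovery")
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function ConvertFrom-SerializedCertBlob {
    param([byte[]]$Blob)
    # A serialized store element is a sequence of records:
    #   DWORD PropId, DWORD Reserved (1), DWORD Length, BYTE[Length] Data
    # The record with PropId 32 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        $pos   += 12
        if ($pos + $len -gt $Blob.Length) { return $null }   # truncated record
        if ($propId -eq 32) {
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $pos, $der, 0, $len)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
        }
        $pos += $len
    }
    return $null
}

function Test-EfsRecoveryAgentCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    $datesValid = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -ge $now)

    # The DRA certificate must carry the File Recovery EKU; any other EKU is not enough.
    $ekuOk = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $FileRecoveryEku) { $ekuOk = $true }
            }
        }
    }

    # Build the chain the same way the Certification Path tab does. Revocation is
    # skipped here so the check works offline; run it again with revocation if needed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        DatesValid      = $datesValid
        FileRecoveryEku = $ekuOk
        ChainBuilds     = $chainOk
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "No EFS recovery policy certificates under $PolicyKey; run gpupdate /force and re-check rsop.msc."
    return
}

Get-ChildItem $PolicyKey | ForEach-Object {
    $blob = (Get-ItemProperty $_.PSPath).Blob
    $cert = ConvertFrom-SerializedCertBlob -Blob $blob
    if ($cert) { Test-EfsRecoveryAgentCert -Cert $cert }
    else { Write-Warning "Could not parse certificate blob under $($_.PSChildName)" }
} | Format-Table -AutoSize
```

A row with DatesValid, FileRecoveryEku and ChainBuilds all true means the certificate itself passes the checks in Steve's list; if a certificate you added to the GPO does not appear at all, the problem is policy delivery or scope rather than the certificate, which is where the questions about GPO placement and OU structure in the rest of the thread come in.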



Posted by ac on July 1, 2006, 8:39 am
Yes, I did run rsop.msc on the computer. The certificate's date is valid, the
usage is shown as File Recovery and the certificate path shows it's OK.
--
ac


"Steven L Umbach" wrote:

> Did you run rsop.msc on the domain computer to see what is shown for RA
> certificates? If certificates are shown, are the dates valid, does File
> Recovery show in the Enhanced Key Usage field on the Details page, and
> does the Certification Path page show that the certificate is OK? --- Steve
>
>
> > I face an almost similar problem. I managed to add both a domain admin and a
> > non-admin user (both have a valid file recovery certificate) as recovery agents
> > in the GPO. However, neither of them is listed as a data recovery agent in the
> > advanced properties of an encrypted file on a workstation where the GPO is
> > applied.
> >
> > Hope there are some experts out there who can help advise what the causes
> > and the solution could be. Thanks in advance.
> >
> > --
> > ac
> >
> >
>
>
>

Posted by Steven L Umbach on July 1, 2006, 12:51 pm
Is this happening to a particular domain computer or to numerous ones? Where
are the computer accounts located: in the default Computers container or in
an Organizational Unit you created? And where are you configuring the Group
Policy settings for RA: at the domain level or in a GPO linked to the
container holding the computer accounts? Is the RA setting configured in more
than one Group Policy, or do the other ones show "no encrypting file system
policies defined"? What might be worth trying as a test is to create a new
OU that is a child OU of the domain, create a new Group Policy and link
it to that OU, configure the RA policy to your liking, and then configure
one or a couple of other computer configuration settings. Then move a couple
of domain computers into that OU and reboot them. Check to see whether the
computer configuration settings and RA for that Group Policy are applying or
not. --- Steve



> Yes, I did run rsop.msc on the computer. The certificate's date is valid, the
> usage is shown as File Recovery and the certificate path shows it's OK.
> --
> ac
>
>
> "Steven L Umbach" wrote:
>
>> Did you run rsop.msc on the domain computer to see what is shown for RA
>> certificates? If certificates are shown, are the dates valid, does File
>> Recovery show in the Enhanced Key Usage field on the Details page, and
>> does the Certification Path page show that the certificate is OK? --- Steve
>>
>>
>> > I face an almost similar problem. I managed to add both a domain admin and a
>> > non-admin user (both have a valid file recovery certificate) as recovery agents
>> > in the GPO. However, neither of them is listed as a data recovery agent in
>> > the advanced properties of an encrypted file on a workstation where the GPO
>> > is applied.
>> >
>> > Hope there are some experts out there who can help advise what the causes
>> > and the solution could be. Thanks in advance.
>> >
>> > --
>> > ac
>> >
>> >
>>
>>
>>


