RE: Recovery agent for EFS, how can i get it done PLEASE HELP




Savy95, you helped me a lot, man. Now I fixed the problem and there is just a
little problem; I'm asking about it just to know whether it is a bug or not.
Admin can request a cert normally now, but my account, which is a member of both
local and enterprise admins, still can't request a cert. Every time I request
one I get this:
"---------------------------
Certificate Request Wizard
---------------------------
The certificate cannot be installed because of one or more of the following
conditions:
- There is a problem with your cryptographic hardware.
- The cryptographic service provider (CSP) that created the request is
malfunctioning.
The error was: Keyset does not exist
---------------------------
OK
---------------------------" The other accounts can request certs normally.
Any ideas? Thanks again, man, for the help.
"savvy95" wrote:

> On 2000, this can be accomplished:
> A. Login as Local Administrator (not Domain)
> B. Run mmc
> C. Add the snap-in certificates
> D. Go to personal; find cert for EFS
> (if not there, then close mmc, encrypt a file then decrypt
> file, then repeat steps A-D)
> E. Right click cert and export to floppy. DON'T Export key
> F. Login with user credentials; run mmc; add snap-in certificates; go
> to Personal
> G. Right click right pane(in the white area or go to actions) and
> choose import certificate
>
> On 2003
> A. Administrators automatically have decryption rights or follow above
> steps
>
> You can also check out:
> http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp
>
> "XP_2600" wrote:
>
> > Guys, I need your help. I have a Windows 2003 Server Enterprise (upgraded
> > from Windows 2000 Advanced Server some time ago). I noticed that an employee
> > encrypted some files and that wasn't allowed (I didn't move the allow
> > encrypting files from the GP :( ). Anyway, I logged in with the administrator,
> > which is supposed to be able to recover the encrypted files, but it didn't do
> > it. Anyway, I decrypted the files using the user account, but now I want to
> > add a reliable recovery agent. Every time I choose an account to be a recovery
> > agent (an account from domain administrators) I get this error "Add Recovery Agent
> > ---------------------------
> > The selected user has no certificates suitable for Encrypted File System
> > Recovery and cannot be added as a recovery agent.
> > Select another user.
> > ---------------------------
> > OK
> > ---------------------------"
> > I tried to install a CA and then I tried to request a certificate, but I get
> > this error "---------------------------
> > Certificate Request Wizard
> > ---------------------------
> > The certificate cannot be installed because of one or more of the following
> > conditions:
> > - There is a problem with your cryptographic hardware.
> > - The cryptographic service provider (CSP) that created the request is
> > malfunctioning.
> > The error was: Keyset does not exist
> > ---------------------------
> > OK
> > ---------------------------"
> >
> > even if I see in the CA that the certificate has been issued and there are no
> > failed certificates. I tried to skip this thing too and export the user
> > certificate and then use it as the recovery agent instead of choosing a user
> > name. It succeeded, but the user who is supposed to be the recovery agent
> > couldn't recover files either; I think he could recover folders only, or at
> > least that's what happened with me.
> >
> > When I tried to choose Create Recovery Agent I got this error:
> > "---------------------------
> > Public Key Policies
> > ---------------------------
> > Windows cannot create a data recovery agent. Keyset does not exist
> > ---------------------------
> > OK
> > ---------------------------"
> > I know it's a complex and long post, but please try to help me. Thanks so much.
> >
> >
> >
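
A read-only check related to the two errors quoted in this thread, added here as an example and not part of any poster's message: it lists the certificates in the current user's Personal store that carry the Encrypting File System or File Recovery enhanced key usage and reports whether the linked private key can actually be opened. It assumes PowerShell 2.0 or later is installed; the function name `Get-EfsCertStatus` and the output field names are illustrative.

```powershell
# Added example: audit the Personal store for EFS-related certificates.
# The two OIDs are the standard Microsoft EKUs; function and field names are illustrative.
$efsOids = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

function Get-EfsCertStatus {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EFS-related purposes from the Enhanced Key Usage extension.
        $purposes = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($efsOids.ContainsKey($oid.Value)) { $purposes += $efsOids[$oid.Value] }
                }
            }
        }
        if ($purposes.Count -eq 0) { continue }   # not an EFS or recovery certificate

        # HasPrivateKey only says the certificate points at a key container;
        # opening the key shows whether that container is really reachable.
        # Note: keys held by a CNG provider can report a provider error through
        # this legacy property on Windows PowerShell even when the key exists.
        $keyState = 'no private key linked'
        if ($cert.HasPrivateKey) {
            try {
                $null = $cert.PrivateKey
                $keyState = 'private key accessible'
            } catch {
                $keyState = "private key not usable: $($_.Exception.Message)"
            }
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Purposes   = ($purposes -join ', ')
            NotAfter   = $cert.NotAfter
            KeyState   = $keyState
        }
    }
}

Get-EfsCertStatus | Format-List Subject, Thumbprint, Purposes, NotAfter, KeyState
```

Run it while logged on as the account in question; an empty result means that account's store holds no certificate with either purpose.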