
adding EFS recovery agents


Andrew

May 31, 2002, 11:42:16 AM
Has anyone had any luck or know how to add an EFS recovery agent on a
stand-alone machine? MS makes it sound easy, but doesn't go into detail
except for a domain model. If I try to add a recovery agent the wizard
prompts for an AD user or a cer file, but other users on the box don't have
this capacity in their certs.

Enterprise CAs can issue this type of cert, but I think only to domain
accounts. I would like to add accounts other than the built in admin as a
recovery agent but I am beginning to think it is not possible on a
stand-alone machine.

Thanks for any help,

Andrew


Eduard Koller

May 31, 2002, 2:04:36 PM
Is your machine Win2k, or is it XP?

- On Win2k, you already have an EFS recovery certificate for the
Administrator. You can export that certificate to a .PFX (including the
key), then to a .CER (with no key). Give the .PFX file to any user, and
after they install it, they will be able to decrypt the files.
- On XP, you can use the command line tool cipher (with /R) to generate an
EFS recovery agent key and certificate. Then, you hand the PFX to the user
to install it, and add the contents of the .CER to the EFS recovery policy.

Please let me know if this helps.

Thanks,

Eddy Koller
Public Key Security QA Team
Microsoft Corporation

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples, if any, are subject to the terms specified
at http://www.microsoft.com/info/cpyright.htm


"Andrew" <f...@bar.com> wrote in message news:uX52NnLCCHA.1880@tkmsftngp04...
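
Added example, not part of either post: the wizard in the question turns down other users' certificates because they lack the File Recovery usage, so before adding a .CER to the EFS recovery policy it is worth confirming that the certificate lists it. The sketch below assumes the third-party Python `cryptography` package and a DER-encoded .CER; the function names are hypothetical and the sample certificates are constructed in memory rather than produced by `cipher /R`.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Microsoft enhanced-key-usage OIDs relevant to EFS.
EFS_USER = x509.ObjectIdentifier("1.3.6.1.4.1.311.10.3.4")        # Encrypting File System
EFS_RECOVERY = x509.ObjectIdentifier("1.3.6.1.4.1.311.10.3.4.1")  # File Recovery


def is_recovery_agent_cert(der: bytes) -> bool:
    """Return True if the DER-encoded certificate lists the File Recovery usage."""
    cert = x509.load_der_x509_certificate(der)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False  # no enhanced key usage at all
    return EFS_RECOVERY in eku


def make_sample_cert(common_name: str, usages) -> bytes:
    """Build a constructed self-signed certificate that stands in for a .CER file."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2002, 5, 31)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
    )
    if usages:
        builder = builder.add_extension(x509.ExtendedKeyUsage(usages), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


if __name__ == "__main__":
    samples = {
        "constructed recovery agent": [EFS_RECOVERY],
        "constructed ordinary EFS user": [EFS_USER],
        "constructed cert without EKU": [],
    }
    for label, usages in samples.items():
        print(label, "->", is_recovery_agent_cert(make_sample_cert(label, usages)))
```

To check a real file, pass the bytes of the exported .CER to `is_recovery_agent_cert`; a PEM (Base-64) export would need `x509.load_pem_x509_certificate` instead.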
