Re: Encrypted Data Recovery Agents

Subject: Re: Encrypted Data Recovery Agents
Posted by: Steven L Umbach
Date: Fri, 25 Aug 2006

Do you have a Certificate Authority on your network?  If you do, you can
request a new one from it while logged on as a domain level administrator.
Otherwise you can use an XP Pro computer and use cipher to create an RA. Then
you can import the .cer file created into the Group Policy where you have
the EFS RA configured. The .cer file is not sensitive, but the .pfx file is,
as it contains the private key used for decryption, and you need to provide a
password for it. You want to keep the RA .pfx file on a secure computer or
copy it to external media and keep it in a couple of safe places. Even if you
leave it on a secure computer, keep a couple of copies in safe places and do
NOT forget the password. The article below explains what you need to know
for XP Pro, but in your case you want to import the RA certificate into the
domain level Group Policy that is configured to use it, which may be Domain
Security Policy.


"Bob A" <Bo…> wrote in message
> Good Day. I have a Win2K AD domain controller with an expired
> Administrator
> certificate under the Domain Security Policy Encrypted Data Recovery
> Agents.
> I want to encrypt some files, but can't with an expired recovery agent
> certificate. How do I renew this certificate? Is there a "How to:" article
> with the step-by-step procedures? Google search and technet search didn't
> yield much.
> Thanks in advance,
> - Bob
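A worked version of the cipher-based route Steven describes, added here as an example that is not part of either post: it generates the recovery agent key pair with cipher /r, checks the resulting .cer (no private key, File Recovery EKU, not expired) before it is imported into the domain Group Policy, and moves the password-protected .pfx to offline media. The file prefix EfsRA and the removable-media path E:\EFS-RA are assumptions, as is a PowerShell 4 or later session (for Get-FileHash) on a Windows box with cipher.exe on the path, run as the account that will act as the recovery agent.

```powershell
# Added example, not from the original thread. Assumed: PowerShell 4+, cipher.exe on the
# path, run as the intended recovery agent account. "EfsRA" and "E:\EFS-RA" are placeholders.
$Prefix     = 'EfsRA'
$OfflineDir = 'E:\EFS-RA'

# 1. Generate the recovery agent key pair. cipher prompts for the .pfx password and writes
#    EfsRA.cer (public certificate) and EfsRA.pfx (private key) in the current directory.
cipher "/r:$Prefix"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

$CerPath = (Get-Item "$Prefix.cer").FullName
$PfxPath = (Get-Item "$Prefix.pfx").FullName

# 2. Inspect the .cer before it goes into the EFS recovery policy in Group Policy.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# The .cer must carry no private key; only the .pfx does.
if ($cert.HasPrivateKey) { throw "$CerPath unexpectedly contains a private key" }

# EFS only accepts a recovery agent certificate marked for File Recovery
# (Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4.1).
$ekuExt  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
if ($ekuOids -notcontains '1.3.6.1.4.1.311.10.3.4.1') {
    throw "Not a File Recovery certificate (EKUs: $($ekuOids -join ', '))"
}

# Expiry is what broke the original poster's policy, so report it explicitly.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 0) { throw "Certificate already expired on $($cert.NotAfter)" }
Write-Host "RA certificate OK: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter) ($daysLeft days left)"

# 3. Copy the .pfx to removable media, verify the copy, then remove it from the local disk.
#    Only the .cer is imported into the domain Group Policy.
New-Item -ItemType Directory -Path $OfflineDir -Force | Out-Null
Copy-Item -Path $PfxPath -Destination $OfflineDir
$copied = Join-Path $OfflineDir "$Prefix.pfx"
if ((Get-FileHash $copied).Hash -eq (Get-FileHash $PfxPath).Hash) {
    Remove-Item $PfxPath
    Write-Host "Private key stored at $copied; local copy removed. Keep the password with the media."
} else {
    throw "Copy to $OfflineDir did not verify; local .pfx left in place"
}
```

Repeat step 3 for each additional copy you want to keep, and record where each copy and its password live; without the password the .pfx cannot decrypt anything.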
