Giganews Newsgroups
Subject: EFS/DRA
Posted by:  Steve (Ste…@discussions.microsoft.com)
Date: Mon, 7 Jul 2008


I could really use some help with this EFS/DRA stuff. One thing at a time I

I have successfully published a DRA via Group Policy (Win2k3/AD). I created
an encrypted file on an XP2 machine. When I click details of the encrypted
file, I can see the DRA. Associated with the user is a Cert Thumbprint.

I am logged onto a DC with the DRA user and when I open the Certificates
snap-in for mmc, under Personal --> Certificates, the cert is there (with
the same Thumbprint). Likewise the same cert is listed under Active Directory
User Object --> Certificates. However when I try to access the files on the
XP machine from the DC (file share) it says access is denied. I am trying to
test the data recovery agent before implementing EFS on my network. Did I
miss a step?

Possibly related or unrelated, I am also having a problem with DC issued
certs vs. self-signed certs. I was testing with QA and found that I needed to
add his self-signed cert to the encrypted file so that he could view it. He
has been autoenrolled for an EFS cert (duplicate of Basic EFS) but it doesn't
appear to be working. What did I miss here? Also, I have noticed that many
users have been autoenrolled for the EFS cert multiple times (viewing the
Certification Authority --> Issued Certificates).

Any and all help would be greatly appreciated.
-- Steve