Configuring Encryption on Windows XP in a Windows 2000 Domain Environment
Posted on 2006-07-21
There is a problem one of our clients is experiencing and I want to see if I can help them out. To achieve this, I need to set up file encryption on one of our computers in the domain. I don't have any experience in this area for our local network.
We are running a Windows 2000 domain with Windows XP clients. I first tried right-clicking the file >> properties >> Encrypt contents to secure data. This gives me the following error:
"Recovery policy configured for this system contains invalid recovery certificate".
After doing some research, I found that I need to have a recovery agent configured. In the local policies there is one certificate under "Public Key Policies/Encrypting File System", which is Administrator, and in the "Intended Purposes" field it says "File Recovery". I assume this is a local file recovery certificate and since I am in a domain, I must import a Domain level certificate. I hope I am on the right track to this point.
Here is where I am stuck in the fact that I want to be very cautious about what I do. Obviously, I do not want to do anything to harm anything on our network. What do I need to do from here? Do I export a domain certificate and import it locally? I also tried "Browse Directory", selected Enterprise Admin, Domain Admin and my user object (with god privileges) and received this error message - "The selected user has no certificates suitable for Encryption File System Recovery and cannot be added as a recovery agent."
In doing some testing in various areas such as trying to create a certificate, I received errors such as "...there is no certificate authority...". I bypassed those and went on to other testing but thought that may be useful to note that.
My overall goal is simply to set up 1 domain client system with encryption.
Thanks in advance for the help!!!!