Having trouble Configuring EFS / Domain Account for Recovery Agent
Posted on 2008-10-29
Ladies and Gents,
I've recently tried to set up and test EFS in a test environment. I've got a couple of questions that I've been unable to find answers to. I've seen a lot of links to articles that people have recommended reading, but I'm still missing the boat at this point. For my test environment I've got two PCs running XP SP3 and a server running 2003 R2 SP2. The server is a domain controller. It's got Certificate Services installed as an enterprise root CA (second question about the best way to set up a CA later). I've got a domain controller cert installed on the DC, and I've got computer certs installed on the PCs.
How do I create a recovery agent for the domain so that this one account, and only this one account, can recover data? (I don't want the domain admin to be able to recover data, just the one recovery agent account.) In Group Policy, when I try to Add a Recovery Agent I get an error to the tune of "The selected user has no certificates suitable for Encrypted File System recovery and cannot be added as a recovery agent. Select another user."
The end goal is to create file shares on the server that can be made available offline and that are also encrypted with EFS. Some shares will need to be accessed by all domain users, other shares will need to be accessed only by certain groups, and finally the profiles of users on their desktops should also be encrypted. I want the domain-wide recovery agent to be able to recover these files in the event that we need to do a forced password reset or we lose the user's password, etc.
My last question is concerning the best, more secure way to set up the CA structure. Should my DC be an enterprise root CA, or should I create a stand-alone workgroup server to act as a root CA that can be turned off and put into a closet, and use that root CA to issue a certificate to my DCs, which can then issue EFS, computer, user certificates and so forth?
Thanks for the tips and info, everyone.
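As an added note (not part of the original post), the "no certificates suitable for Encrypted File System recovery" error means the chosen account has no certificate whose Enhanced Key Usage includes File Recovery (OID 1.3.6.1.4.1.311.10.3.4.1). This PowerShell check, run as the intended recovery-agent account, lists any such certificate in that account's personal store; the store path and the output file name for `cipher /r:` are assumptions.

```powershell
# Added example, not from the original post: find certificates in a user's
# personal store that carry the "File Recovery" EKU. The Group Policy
# "Add Recovery Agent" wizard only accepts an account that has one, which is
# why an account that was never issued a recovery certificate is rejected.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryCertificate {
    # Store path is an assumption; the current user's personal store is the default.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # Keep the certificate only if its EKU list contains the File Recovery OID.
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
    }
}

$certs = Get-EfsRecoveryCertificate
if (-not $certs) {
    Write-Output 'No File Recovery certificate found in this store.'
    # cipher /r: generates a recovery certificate (.cer) plus its private key (.pfx);
    # the base file name here is an assumption.
    Write-Output 'Generate one with:  cipher /r:EfsRecoveryAgent'
    Write-Output 'Then import the .pfx for the recovery account and add the .cer as the recovery agent in Group Policy.'
} else {
    # Show what the wizard will see; HasPrivateKey must be True for actual recovery to work.
    $certs | Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey
}
```

Keep the .pfx off the domain controller and the file servers once it has been imported for the recovery account; only the .cer needs to be referenced by the policy.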