EFS Data Recovery Agent

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-06-21
I am trying to set up EFS.  I need to create a data recovery agent in group policy.  When I try to create a data recovery agent I receive the following error:

Windows cannot create a data recovery agent.  The requested property value is empty.
Question by:RSUMarisa
LVL 38

Expert Comment

by:Rich Rumble
ID: 35082395
Sounds like you don't have a Certificate Authority or are not part of the right group... As a consultant we try to get people to not use the EFS system, as it suffers from some security flaws (easy recovery in most cases) but requires a very large laundry list of best practices to secure properly. In addition to that it is not an easy system to use. We recommend TrueCrypt and/or password-protected archives like 7-Zip or WinZip.

Author Comment

ID: 35099963
Rich, thank you for your response.  

We do have a certificate authority and I am a member of the Domain Admins group so I should have the appropriate permissions.  

We did look into TrueCrypt and it seemed like a very user friendly product.  If we went with TrueCrypt how would we recover the files if the user was no longer employed here?  
LVL 38

Accepted Solution

Rich Rumble earned 1500 total points
ID: 35101735
The often cited drawback to TC is that once mounted, the password/keyfile/token can be changed by the person using it. Also, once mounted (password is given, keyfile is used or token is used) the volume is plain-text to anyone who is able to browse to that "drive". So if you don't set NTFS permissions on the containing folder or on the "drive's" NTFS permissions (make sure you format the container with NTFS), then any person who can access the C$ share will likely be able to access whatever drive letter you assign to the volume.

Under the correct circumstances, however, this is an asset. I as the admin can control when the drive is open, and using NTFS permissions I can control who has access to it. When a user needs access, I open it up; when they don't, I close it down. Documents can still be copied out, or the contents of the documents can be pasted into other documents, but this is true of EFS files that the user has access to. If your EFS files have to be portable, like on the user's laptop, then you would need to know the password, keyfiles or the tokens used to encrypt the volume as well as its location. Physical tokens are typically easy to recover from term'd employees, but there is no hope of recovery in TC if any of those are lost or not backed up in some way, which for us is what we want: we make sure data in the container is backed up regularly, so even if someone locked us out or stole the data, we have our backups. EFS can be recovered by you and/or bad guys depending on the circumstances. If a laptop is stolen the EFS data is theirs, plain and simple. If the HD is fully TC encrypted, or uses hardware encryption like the Seagate Momentus FDE drives.
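The two checks the accepted answer calls for (the container is formatted NTFS, and no broad principal can read the mounted drive letter) can be audited from PowerShell. This is an added example, not code from the thread; the drive letter `V` and the list of "broad" principals are assumptions for illustration.

```powershell
# Added example (not from the original thread): audit a mounted TrueCrypt volume
# for the two conditions the accepted answer names. The drive letter and the
# set of principals treated as "broad" are assumptions for illustration.
function Test-ContainerVolume {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,   # e.g. 'V' for the mounted container
        [string[]]$BroadPrincipals = @('Everyone',
                                       'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users')
    )
    $root  = "${DriveLetter}:\"
    $drive = New-Object System.IO.DriveInfo $root
    if (-not $drive.IsReady) { throw "Volume $root is not mounted." }

    $findings = @()

    # First point in the answer: a FAT-formatted container carries no ACLs at all,
    # so NTFS permissions cannot be applied inside it.
    if ($drive.DriveFormat -ne 'NTFS') {
        $findings += "Filesystem is $($drive.DriveFormat); format the container as NTFS."
    }

    # Second point: once mounted, the volume is plaintext to anyone who can reach
    # the drive letter, so an Allow ACE for a broad group at the root defeats it.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $root
    foreach ($ace in $acl.Access) {
        $isBroad    = $BroadPrincipals -contains $ace.IdentityReference.Value
        $grantsRead = ($ace.FileSystemRights -band $readData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsRead) {
            $findings += "Broad read grant for $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Volume   = $root
        Format   = $drive.DriveFormat
        Findings = $findings
        Passed   = ($findings.Count -eq 0)
    }
}

# Run against the assumed drive letter; Passed is $true only when both checks hold.
Test-ContainerVolume -DriveLetter 'V' | Format-List
```

Run it after mounting the container and before handing the drive letter to users; the `Findings` list names exactly which of the two conditions failed.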

LVL 64

Expert Comment

ID: 35114892
Agree with richrumble. EFS has one key limitation, which is that if there is a mapped network drive configured as EFS, it is actually in plain text. See this
@ http://answers.microsoft.com/en-us/windows/forum/windows_7-security/why-is-a-shared-efs-file-transmitted-in-plain-text/3ced92ff-d7e4-428c-811f-7032a9dcdd79

But pertaining to the EFS issue, I suspect that either the template is not available or the CA is not reachable (try browsing to your CA, e.g. http://issuingca/certsrv) @ http://www.teach-it.no/oppgaver/To%20create%20a%20recovery%20agent%20account.htm

LVL 38

Expert Comment

by:Rich Rumble
ID: 35121647
It was TrueCrypt I was referring to. EFS may transmit in the clear when copying, or it used to in XP and prior unless WebDAV is used; there are a few other caveats to EFS that make it a poor choice in most situations. If files need to be portable, for instance, EFS is not a good choice over Zip/7-Zip password-protected archives, or TrueCrypt-like programs. I'm off topic now, sorry... I'm not sure I've seen the error before, as I avoid EFS as much as possible and recommend others do the same.

Author Closing Comment

ID: 35351783
Thanks for the info richrumble.
