Hello everyone, I'm attempting to set up a means to encrypt data on machines within our domain; I've installed the Certificate Services on our DCs and have configured the first DC as the root certificate server and have the two other DCs set up to issue certificates to the client machines. I can see that the lower CAs have requested certificates from the root CA and as a client I can request a CA based on the default templates.
Originally I couldn't encrypt files on a client machine due to an expired Recovery Agent certificate, but I have sorted that out by creating two new recovery agents (two existing admin accounts) and imported those certificates into the Default Domain Policy GPOs for:
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificates
After that I am able to encrypt files on the client machines. Everything is great except when it comes time to decrypt files; I tried to take a file that was encrypted on a client machine, move it to another, and decrypt it as a recovery agent but no luck.
After a bunch of troubleshooting (see this open question: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26897211.html)
I believe I've traced the problem back to that GPO not applying on the client machines. There is no recovery agent defined in their computer policies when the files are encrypted so the files can only be decrypted with the user's original key (unique to that user account on that particular computer).
I'm trying to sort out why that group policy is not applying, but in the meantime I thought I'd ask if I'm missing something else or if I'm even going about this the right way. Everything else I do with group policy works fine except for this, so I'm beginning to wonder if I'm going about it wrong to begin with.
Thanks in advance!
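An added diagnostic for the situation above, not the poster's code or anything from the linked thread. It checks two things on a client: whether the EFS recovery-agent policy from the GPO actually reached the machine, and whether a given encrypted file carries a recovery certificate at all. Assumptions (not stated in the post): it runs in an elevated PowerShell on a domain-joined Windows Vista or later client after `gpupdate /force`; the EFS Public Key Policy is written under the registry key named in the script, one subkey per recovery-agent certificate keyed by thumbprint; the file path and the output layout of `cipher /c` are as shown in the comments.

```powershell
# Added example for the EFS recovery-agent problem above (not the poster's code).
# Assumption: Group Policy stores the Public Key Policies\Encrypting File System
# certificates under this key, one subkey per DRA certificate, named by its
# SHA-1 thumbprint. If the key is missing or empty on a client, the GPO did not
# apply there and files get encrypted with the user's key only.
$EfsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function Get-EfsRecoveryAgentThumbprint {
    # Thumbprints of the DRA certificates Group Policy delivered to this machine.
    if (-not (Test-Path -LiteralPath $EfsPolicyKey)) { return @() }
    @((Get-ChildItem -LiteralPath $EfsPolicyKey).PSChildName)
}

function Get-EfsFileAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Parses "cipher /c <file>", which prints the users and the recovery
    # certificates embedded in the file's encryption metadata, e.g.
    #   Users who can decrypt:
    #     DOMAIN\alice [alice(alice@DOMAIN)]
    #     Certificate thumbprint: 1234 ABCD ...
    #   Recovery Certificates:
    #     DOMAIN\admin1 [admin1(admin1@DOMAIN)]
    #     Certificate thumbprint: 5678 EF01 ...
    # A file encrypted before the policy applied keeps no recovery certificate
    # even after the GPO is fixed; only re-stamping it (see below) adds one.
    $users = @(); $agents = @(); $section = ''
    foreach ($line in (cipher.exe /c $Path)) {
        switch -Regex ($line.Trim()) {
            '^Users who can decrypt:'        { $section = 'user';  break }
            '^Recovery Certificates:'        { $section = 'agent'; break }
            '^No recovery certificate found' { $section = '';      break }
            '^Certificate thumbprint:\s*(.+)$' {
                $tp = ($Matches[1] -replace '\s', '').ToUpperInvariant()
                if ($section -eq 'user')  { $users  += $tp }
                if ($section -eq 'agent') { $agents += $tp }
                break
            }
        }
    }
    [pscustomobject]@{
        Path                = $Path
        UserThumbprints     = $users
        RecoveryThumbprints = $agents
    }
}

# 1. Is a recovery agent present in this computer's effective EFS policy?
$policyAgents = Get-EfsRecoveryAgentThumbprint
if ($policyAgents.Count -eq 0) {
    Write-Warning ("No EFS recovery agent in the effective computer policy. " +
        "Confirm the GPO is applied with: gpresult /scope computer /r")
} else {
    "Recovery agents delivered by policy: $($policyAgents -join ', ')"
}

# 2. Does a specific encrypted file carry one of those agents?
$Target = 'C:\Users\alice\Documents\secret.txt'   # hypothetical file to check
$info = Get-EfsFileAccess -Path $Target
$info | Format-List
$covered = $info.RecoveryThumbprints | Where-Object { $policyAgents -contains $_ }
if (-not $covered) {
    # Files encrypted while no DRA was in policy must be re-stamped by their
    # owner once the policy does apply; "cipher /u" updates the user's own
    # encrypted files with the current recovery-agent keys.
    Write-Warning ("$Target has no current recovery agent. After the policy " +
        "applies, have the file's owner run: cipher /u")
}
```

The second warning is the case that matters for the files already on the clients: fixing the GPO only affects files encrypted (or re-stamped with `cipher /u`) after the policy is in place, so a file encrypted earlier will still open only with the original user's key no matter which recovery agent tries it.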