Adding a Data Recovery Agent to Group Policy in Windows

Barry (aka Fishbreakfast) came to me with an issue last week when I exclaimed:

I’m bored!

First off, don’t say you’re bored in the vicinity of the people who either a) are your boss or b) have more stuff to do than you do because you invariably come away with more stuff on your plate.

Anyway, the issue he had was that he had used Windows’ built-in Encrypting File System (EFS) to encrypt a few sensitive files. He got a new laptop, but didn’t decrypt the files before transferring them to the new laptop.

I can’t really blame him for that, though. Our assumption was that a Data Recovery Agent (RA) was enabled on our domain. Upon further investigation, we discovered that an RA, in fact, was *not* set up on the domain.

So, because I was bored, and because it is an interesting issue to look up, I hacked away at the problem until I could say definitively that Barry’s files could be decrypted. Or that the files were toast.

We have an Enterprise Certificate Authority installed into our Domain, so EFS/Recovery certificates are very easy to come by. What isn’t quite so obvious is how to include the RA certificate into the Group Policy that applies to particular domain computers. (You can read more about the whole process here.)

Okay, so the Group Policy setting that affects EFS data recovery can be found here: Computer Configuration -> Windows Settings -> Public Key Policies -> Encrypting File System. Right-click on that “folder” and choose Create Data Recovery Agent. This uses the automatic enrollment methods to request an EFS Recovery certificate from the CA, places it in the Personal certificate store on the local computer, and uploads it into the definition of the Group Policy Object.

Easy peasy, eh? A couple of caveats.

The only place the private key is stored (the private key being the part of the PKI cert that is required to actually recover any data) is on the computer where you requested the certificate. So be sure to export the newly created EFS Recovery certificate (including the private key) to a safe and secure backup location so that you can perform data recovery from somewhere else.

Also, the RA certificate is useful only for files encrypted *after* the group policy has been applied to the computer. It’s worth noting, too, that this only applies to Active Directory member computers. The process for setting up an RA is quite different for standalone machines.
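Here is an added PowerShell example (not part of the original post) covering the two caveats above: exporting the newly enrolled RA certificate together with its private key, and auditing which encrypted files actually carry a recovery certificate. It assumes Windows PowerShell 3.0 or later with the PKI module (Export-PfxCertificate), and that cipher.exe /c labels agents with the text “Recovery Certificate thumbprint”, which may vary by Windows version; the output path and password prompt are constructed values.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 3.0+
# with the PKI module on a domain-joined machine, and that "cipher.exe /c" prints the
# label "Recovery Certificate thumbprint" for each agent that can decrypt a file.

# Caveat 1: the RA private key lives only on the machine where "Create Data Recovery
# Agent" was run, so export the certificate WITH its private key to a safe location.
function Export-EfsRecoveryAgent {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # The File Recovery EKU (OID 1.3.6.1.4.1.311.10.3.4.1) identifies an RA certificate.
    $ra = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4.1') } |
        Select-Object -First 1
    if (-not $ra) { throw 'No File Recovery certificate with a private key in CurrentUser\My.' }
    Export-PfxCertificate -Cert $ra -FilePath $PfxPath -Password $PfxPassword | Out-Null
    return $ra.Thumbprint
}

# Caveat 2: the agent only covers files encrypted after the policy applied, so list
# encrypted files under a path and flag those that carry no recovery certificate.
function Test-EfsRecoveryCoverage {
    param([string]$Root = "$env:USERPROFILE\Documents")
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            # cipher /c shows the user and recovery certificates able to decrypt the file.
            $info = & cipher.exe /c $_.FullName 2>&1 | Out-String
            [pscustomobject]@{
                File            = $_.FullName
                HasRecoveryCert = [bool]($info -match 'Recovery Certificate thumbprint')
            }
        }
}

# Usage (constructed values): back up the RA key to removable media, then audit.
$pfxPw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-EfsRecoveryAgent -PfxPath 'E:\efs-ra-backup.pfx' -PfxPassword $pfxPw
$gaps = Test-EfsRecoveryCoverage | Where-Object { -not $_.HasRecoveryCert }
if ($gaps) { $gaps | Format-Table -AutoSize }
```

Files reported without a recovery certificate were encrypted before the policy reached the machine; running `cipher /u` as a user who can still decrypt them re-keys existing encrypted files with the current recovery agent.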

So, back to Barry’s files? Given the above, they are definitely toast. Unless he’s got an army of PlayStation 3 consoles he could use to brute-force decrypt the files.

We now return you to your regularly-scheduled, non-geeky programming.


22 Responses to “Adding a Data Recovery Agent to Group Policy in Windows”

  1. Daan Massa October 22, 2012 at 6:17 am

    Nicely written : clear, to the point and funny! Thx:)

