EFS Recovery Agent not working

I know EFS data recovery has been discussed so many times in the forums but I could not find anything useful in the other threads as I believe I have followed all the required steps but still cannot get EFS recovery agent to work.

I have a Client1 (Win 8.1) and a DC1 (Windows Server 2012 R2) under beta.com domain.

DC1 is a CA server as well as a domain controller.
1. I logged into DC1 as beta.com\Administrator which is the Domain Administrator account.

2. I duplicated the EFS Recovery Agent template on the DC1 and published it into Active Directory.

3. Then I edited the Default Domain Policy GPO and under Computer Settings\Policies\Windows Settings\Security Settings\Public Key Policies I right clicked Encrypting File System and selected Create a Data Recovery Agent and a new file recovery certificate was generated for the Administrator account.

4. I exported the newly-created Recovery Agent certificate and then logged into Client1 as beta.com\Administrator and imported it.

5. I then logged off from Client1 and logged back in using a different account beta.com\johns and encrypted a folder (with a text file inside) using EFS. (The folder address on local disk is C:\Reports)

6. Then I logged back into Client1 again using beta.com\Administrator but I am unable to open the file inside the folder and I get an Access is denied message.

It is very strange to get an “Access is denied” message because on the text file when I right click and click Properties -> Advanced -> Details, under the Recovery Certificates, the Administrator account’s certificate is listed and its thumbprint corresponds to the same recovery certificate which I created in step 3. But I am still unable to access the file.

Do you have any idea why? Am I missing something?

Thanks in advance.
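The check a recovery agent would run on Client1 before going any further, as an added example that is not part of the question above: for a given EFS-encrypted file, ask cipher.exe which user and recovery certificates are on the file, then confirm that the current user's personal store holds each of those certificates together with its private key, since a recovery certificate without the private key cannot decrypt anything. The file path is a placeholder; everything else uses only the built-in cipher.exe and the Cert: drive.

```powershell
# Added diagnostic, not from the original post. Given an EFS-encrypted file, it
# asks cipher.exe which certificates can decrypt it and then checks whether the
# current user's personal store holds each certificate WITH its private key,
# which is what a recovery agent needs to open the file. Path is a placeholder.
param(
    [string]$Path = 'C:\Reports\report.txt'   # placeholder; pass the real file
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# 1. Confirm the file actually carries the Encrypted attribute.
$attrs = [System.IO.File]::GetAttributes($Path)
if (($attrs -band [System.IO.FileAttributes]::Encrypted) -eq 0) {
    Write-Warning "$Path is not EFS-encrypted; nothing to check."
    return
}

# 2. cipher /c lists the user and recovery certificates on the file, each with a
#    "Certificate thumbprint:" line (SHA-1, printed as spaced hex groups).
$output = & cipher.exe /c $Path 2>&1 | Out-String
$listed = @(
    [regex]::Matches($output, 'thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() } |
        Sort-Object -Unique
)

if ($listed.Count -eq 0) {
    Write-Warning 'cipher /c returned no certificate thumbprints; raw output follows.'
    Write-Output $output
    return
}

# 3. For every listed thumbprint, look in the current user's personal store.
#    A certificate that is present but has no private key cannot decrypt; that is
#    what you get when only the .cer (public half) was imported instead of a .pfx.
$mine = Get-ChildItem -Path Cert:\CurrentUser\My
foreach ($tp in $listed) {
    $cert = $mine | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) {
        $status = 'not in CurrentUser\My'
    }
    elseif (-not $cert.HasPrivateKey) {
        $status = 'present but NO private key'
    }
    else {
        $status = 'present with private key (can decrypt)'
    }
    [pscustomobject]@{
        Thumbprint = $tp
        Subject    = if ($cert) { $cert.Subject } else { '-' }
        Status     = $status
    }
}
```

Run it as the recovery agent account on the client (for example .\Check-EfsRecovery.ps1 -Path 'C:\Reports\report.txt'). A recovery thumbprint that shows as listed on the file but "not in CurrentUser\My" or "present but NO private key" is exactly the situation in which Windows returns Access is denied even though the Details dialog shows the right certificate.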

We have had issues with encrypting files on a fileshare where we would lose access to the files after a reboot. Rebooting clears the local certificate cache on the server.

Apparently we solved this by trusting the server computer for delegation. This is done in Active Directory, under the server computer’s object – there is a pane called “Delegation”. By default all computers are not trusted for delegation, but by setting “Trust this computer for delegation to any service (Kerberos only)” we were able to access encrypted files across our fileshare even after a reboot.
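The setting named in the answer above is unconstrained Kerberos delegation, stored as the TRUSTED_FOR_DELEGATION bit (0x80000) of the computer object's userAccountControl attribute, so an administrator who enables it for a file server will want a way to see every computer in the domain that carries it. The following is an added example, not code from the answer; it assumes the ActiveDirectory RSAT module is installed and uses the thread's beta.com domain as a placeholder default.

```powershell
# Added audit, not from the original answer. Lists every computer account that has
# "Trust this computer for delegation to any service (Kerberos only)" set, i.e. the
# TRUSTED_FOR_DELEGATION bit (0x80000 = 524288) in userAccountControl. Domain
# controllers (primaryGroupID 516) carry that bit by design and are excluded.
param(
    [string]$Server = 'beta.com'   # placeholder; the domain from the thread
)

Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single UAC bit.
$ldapFilter = '(&(objectCategory=computer)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(!(primaryGroupID=516)))'

Get-ADComputer -Server $Server -LDAPFilter $ldapFilter `
    -Properties TrustedForDelegation, OperatingSystem, whenChanged |
    Select-Object Name, DNSHostName, OperatingSystem, TrustedForDelegation, whenChanged |
    Sort-Object whenChanged -Descending |
    Format-Table -AutoSize
```

The whenChanged column lets you tie a newly listed server back to the change that introduced it; the file server from the answer should be the only non-DC entry if it is the only machine where this was enabled.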
