Change the EFS account in GPO "Public Key policy/Encrypting File system"

Chong 866 Reputation points
2023-05-02T04:55:15.8166667+00:00

Hi,

I am using EFS in my domain for user file encryption. The Default Domain Policy configures "Public Key policy/Encrypting File system" and uses the account "Administrator" for the recovery certificate, which is generated by the CA server.

Now I need to change EFS to use another account instead of "Administrator" in the GPO. What are the steps, and is there any impact from this?

Can the files still be decrypted after I change to another account?


Windows Server

1 answer

  1. Limitless Technology 44,496 Reputation points
    2023-05-02T14:19:18.8266667+00:00

    Hello,

    You can follow these steps:

    1. Start Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)

    2. Right-click the domain and select Properties

    3. Select the 'Group Policy' tab

    4. Select the 'Default Domain Policy' and click Edit

    5. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents

    6. Right-click 'Encrypted Data Recovery Agents' and select Add

    7. Click Next in the 'Add Recovery Agent Wizard'

    8. Click 'Browse Directory'. Locate the user and click OK

    9. Click Next in the agent selection dialog

    10. Click Finish on the confirmation

    11. Close the Group Policy Editor

    Then refresh the machine policy:

    C:\> secedit /refreshpolicy machine_policy

    The agent will only be able to recover files encrypted after the user was made an agent. If an encrypted file is decrypted and then encrypted again, or even just opened, the new agent WILL be able to recover it, as the file will "refresh" its recovery certificates (if the recovery policy has changed).

    The local admin on a standalone PC, or the first logon admin on a DC, is the recovery agent by default. However, this can be modified. You can remove the default recovery agent and assign anyone as the recovery agent. In other words, an admin cannot read another person's encrypted file unless he is the recovery agent. The purpose of assigning the first logon admin as the recovery agent is to make life easier for most of our customers. Corporate users are recommended to modify the recovery agent.

    --If the reply is helpful, please Upvote and Accept as answer--

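The practical follow-up to the procedure above, as an added example that is not part of the question or the answer: after the new Data Recovery Agent (DRA) certificate has been added to the GPO, pull the policy down and check which files still carry only the old agent. On supported Windows versions the GPMC node is Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System (right-click > Add Data Recovery Agent), and gpupdate replaced secedit /refreshpolicy after Windows 2000. The script assumes an elevated PowerShell session on a domain-joined machine, a folder $Path holding EFS-encrypted files, a hypothetical new DRA account name efsrecovery, and that the English cipher /c output is parsed by its "Recovery Certificates:" section header; localized builds may need a different pattern.

```powershell
# Added example, not from the original page. Assumptions: elevated session on a
# domain-joined client after the GPO change; $Path contains EFS-encrypted files;
# $NewAgent is the sAMAccountName of the account whose certificate was added
# as the new DRA (hypothetical name); cipher /c output is English and parsed
# heuristically by section header.
param(
    [string]$Path     = 'C:\Data',
    [string]$NewAgent = 'efsrecovery'
)

# 1. Refresh the computer's Public Key Policies from the domain.
gpupdate /target:computer /force | Out-Null

# 2. Read the recovery agents recorded in one file's EFS metadata.
#    cipher /c prints a "Recovery Certificates:" section listing each DRA
#    followed by a "Certificate thumbprint:" line; we keep the agent lines.
function Get-EfsRecoveryAgents {
    param([string]$File)
    $agents    = @()
    $inSection = $false
    foreach ($line in (cipher /c "$File" 2>&1)) {
        if ($line -match '^\s*Recovery Certificates:') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*$' -or $line -match '^\s*Key Information:') { break }
        if ($line -notmatch 'Certificate thumbprint') { $agents += $line.Trim() }
    }
    return $agents
}

# 3. Enumerate encrypted files under $Path and flag those whose recovery
#    field does not yet name the new agent. A file keeps whatever DRA it had
#    when it was last written, so a policy change alone does not update it.
$encrypted = Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

$stale = foreach ($f in $encrypted) {
    $agents = Get-EfsRecoveryAgents -File $f.FullName
    if (-not ($agents -match [regex]::Escape($NewAgent))) { $f.FullName }
}
Write-Host "Encrypted files under ${Path}: $($encrypted.Count)"
Write-Host "Still without '$NewAgent' as recovery agent: $(@($stale).Count)"
$stale | ForEach-Object { Write-Host "  $_" }

# 4. Rewrite the recovery field of encrypted files with the current policy's
#    agent. cipher /u walks all local drives (it is not scoped to $Path) and
#    only touches files the current user can decrypt, so run it in the context
#    of each file owner (for example from a logon script). /n is a dry run
#    that lists the files without changing them; remove it to apply.
cipher /u /n
# cipher /u

# 5. Spot-check the first file again after the update has been applied.
if ($encrypted.Count -gt 0) {
    Get-EfsRecoveryAgents -File $encrypted[0].FullName
}
```

Two caveats worth keeping in mind while rolling this out. First, the old Administrator DRA's private key must stay archived (exported to a PFX kept offline) until the stale list above is empty, because every file that has not been rewritten is still recoverable only with that key. Second, removing the old agent from the GPO before all files are updated does not make those files unrecoverable, but it does mean nothing will add the new agent to them until a user who can decrypt them writes to them or runs cipher /u.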
