Recovery Policy contains invalid recovery certificate

  • Recovery Policy contains invalid recovery certificate

    We've got a laptop with WinXP Pro. It was joined to the domain 3 years ago (2003 domain), and it hasn't been connected since. It apparently still had the cached credentials for the IT dept. login that was used to set it up, namely the old password.

    Odd thing # 1: the user can still log in! If I recall correctly, 50 logins off the domain is the max a user can login off the domain before the cached credentials expire (50 is the max set by Microsoft I believe). He didn't have the correct user permissions, so we had him bring in the laptop so we could correct this.

    Odd thing # 2: when we connected it to the domain, it wouldn't accept any domain logins except for his.

    Odd thing # 3: It would accept the IT dept. login w/ the old password.

    No biggie, removed it from the domain, rebooted, re-added it back to the domain. All is well, it's back to normal, any domain login works, and with current password.

    So, we did our thing, all is well.


    THE PROBLEM: We're attempting to encrypt a folder. We get the same error regardless of what logon we use (domain admin, local admin, power users)

    Here's the error we get:

    [Image: error.JPG]


    is our friend!

    http://www.microsoft.com/resources/d....mspx?mfr=true

    When encrypting a file, a message appears: "Recovery policy configured for this system contains invalid recovery certificate" or "ERROR_BAD_RECOVERY_POLICY."
    Cause: The Encrypting File System (EFS) recovery policy that is implemented on this computer contains one or more EFS recovery agent certificates that have expired. These certificates cannot be used.

    Solution: Either renew the existing certificates or generate new certificates for the EFS recovery agents and reapply the recovery agent policy with those certificates.

    See also: Requesting certificates or Renewing certificates
    ooooookkkkiieeee dokie!

    1. Open Certificates. (MMC add-in)

    2. In the console tree, under Personal, click Certificates.

    3. In the details pane, click the certificate you are renewing.

    4. On the Action menu, point to All Tasks, and then click Renew Certificate with Same Key to start the Certificate Renewal Wizard
    Error # 2:

    [Image: error2.JPG]

    Yep, again, we get the same error regardless of what logon we use (domain admin, local admin, power users).

    Any of the 4 options under All Tasks (as per the quoted instructions above) give that same error.

    As far as we can tell, we're FUBAR'd, and will have to wipe the laptop tomorrow morning.


    Has anyone seen this before, or have any advice I can try?
    ** Remember to give credit where credit is due and leave reputation points where appropriate **
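
Added example, not part of the original thread: a PowerShell check for the cause quoted above, reporting whether each EFS recovery agent certificate is expired, not yet valid, or missing the File Recovery EKU. The function name and the two sample certificates are constructed for illustration; it assumes PowerShell on .NET Framework 4.7.2 or later and that the real recovery agent certificates have been exported to .cer files.

```powershell
# File Recovery enhanced key usage carried by EFS recovery agent certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-RecoveryAgentCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate,
        [datetime]$At = (Get-Date)
    )
    foreach ($c in $Certificate) {
        # Collect the EKU OIDs, if the certificate has an EKU extension at all.
        $ekuOids = @($c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($At -gt $c.NotAfter) {
            $status = 'Expired'            # the condition behind ERROR_BAD_RECOVERY_POLICY
        } elseif ($At -lt $c.NotBefore) {
            $status = 'NotYetValid'        # also shows up when the machine clock is wrong
        } elseif ($ekuOids -notcontains $FileRecoveryOid) {
            $status = 'NoFileRecoveryEKU'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint
                           NotAfter = $c.NotAfter; Status = $status }
    }
}

# Constructed sample input: self-signed certificates built in memory.
function New-SampleAgentCert([string]$Name, [int]$FromYears, [int]$ToYears) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Name", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $oids = [System.Security.Cryptography.OidCollection]::new()
    [void]$oids.Add([System.Security.Cryptography.Oid]::new($FileRecoveryOid))
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddYears($FromYears), $now.AddYears($ToYears))
}

$expired = New-SampleAgentCert 'Constructed expired agent' -4 -1
$current = New-SampleAgentCert 'Constructed current agent' -1 2
Test-RecoveryAgentCertificate -Certificate $expired, $current | Format-Table -AutoSize
```

For an exported certificate, load it with `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path to exported .cer>')` and pass the object to the same function.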

  • #2
    Re: Recovery Policy contains invalid recovery certificate

    You do have a CA to request the cert from, right? There's got to be a permissions issue somewhere...
    Sorry, I guess that's not much help.

    BTW - Computer account passwords, by default, expire after 30 days. That's why you needed to rejoin the domain.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Recovery Policy contains invalid recovery certificate

      Originally posted by JeremyW:
      "You do have a CA to request the cert from, right? There's got to be a permissions issue somewhere..."

      Where's the CA in XP Pro though? I know you can use EFS when not on a domain.

      Originally posted by JeremyW:
      "BTW - Computer account passwords, by default, expire after 30 days. That's why you needed to rejoin the domain."

      That's not our default


      • #4
        Re: Recovery Policy contains invalid recovery certificate

        Originally posted by Wired:
        "I know you can use EFS when not on a domain."

        Right. I never heard of having to request certificate renewal for a stand alone. I thought everything was done automatically. (like automatically generating a certificate the first time you encrypt something)
        Regards,
        Jeremy



        • #5
          Re: Recovery Policy contains invalid recovery certificate

          Yeah, definitely odd. Making an image of it now, then wiping the sucka clean and re-doing it w/ a fresh image, importing docs, etc.