Recovery policy contains invalid recovery cert

Discussion in 'Security Software' started by Wayne, Jul 28, 2006.

  1. Wayne

    Wayne Guest

    I am trying to encrypt files on a Windows XP desktop in my Windows 2003
    domain. I get an error "Recovery policy configured for this system contains
    invalid recovery certificate."

    I have checked the domain policy and the Administrator's certificate has
    expired. In addition, the original (first) domain controller was decommissioned
    a while ago. As such, the certificate cannot be renewed. The new (and only)
    enterprise CA is on the DC that replaced the original one.

    I have gone into the default domain policy and created a new recovery agent.
    I have also configured it to automatically renew the certificates. However
    I still get this error. I have run gpupdate /force on both the DC and the
    workstation. I have also rebooted the workstation and got a new EFS cert for
    the user from the CA.

    I still get that error message. How do I fix this?
     
    Wayne, Jul 28, 2006
    #1

  2. Did you import the new valid certificate into the Group Policy and remove
    the old one from Group Policy? Check the valid dates on the one that is
    currently shown in your GP. Also check your other Group Policies to see if you
    have more than one configured to use the old certificate. I don't believe
    RSOP will show the applying GPO for that particular setting.

    Steve
     
    Steven L Umbach, Jul 28, 2006
    #2

  3. Wayne

    Wayne Guest

    Removing the old one and creating a new recovery agent in policy worked. For
    a day or two. Now I can't encrypt (on a different machine in the domain)
    with the original user or a different one.

    I get the same error message.
     
    Wayne, Aug 3, 2006
    #3