Thanks Baltboy - for the link and the heads-up that MS may be "losing" the well-known 500.
Hiding the 500 makes sense, but I've still got the 500 on the SP3 computer and am missing the 500 on the SP2 computer, which isn't as up to date w/ its security patches because I'm trying to get it backed up so I can reformat/reinstall, and I'm afraid to sneeze around it. The SP3 should be up to date w/ all its security patches. So should the Win2k SP4, which also has a 500 - actually, those that have 500s have some extra 500 accounts I'm trying to account for. [sorry] Recently, w/ Windows, I feel like I'm in the Twilight Zone a lot.
I thought whether it was The Administrator or another administrator account acting as a recovery agent, the steps were the same as far as generating a certificate and exporting the key. Can the key generated by the encrypting user be used by The Administrator in The Administrator's account, as opposed to another administrator having to generate a 2nd key to use in his/her account? Is that what I'm not getting?
So designating a recovery agent gives you 2 keys as well as two user pws to access the encrypted files? But if you are confident you won't lose the encrypting user's exported PEK, you can skip setting up a designated recovery agent and use The Administrator account if the encrypting user loses his/her pw or the SAM gets corrupted? What I read may have been in error, but according to that source the PEK was based on the user's pw - that is, the encrypting algorithm used the pw in its calculation. And the designated recovery agent uses a pw to generate the pcx file. So I thought the PEKs were somehow linked to the SIDs.
Encrypted folders can be shared - I can't remember where I have those notes. Maybe if I just add all my user accounts I won't have to worry about designated recovery agents. My intent is to enable me in any account to access any of my docs and keep everyone else out.
I also read that if you generate the 2nd key [or key set], anyone who gets their hands on that key can access the encrypted folders - so apparently the keys aren't linked to the pw. Also, the redundancy seems to add a big security risk.
I hoped doing the steps to back up the key, set up the recovery agent and back up that key would help me understand what I was reading, but I couldn't find the pcx file I generated when I went to import the "certificate". The instructions in the link you provided are different from the ones I had, so I was going to try again - but now I think I'll see if I can just add my other accounts to the folder(s).
The article from the above link says:
Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent.
That article links to another article, which says:
A default local recovery policy is automatically created when an administrator account logs on to the computer for the first time. When this process occurs, that administrator becomes the default recovery agent. In some situations, the first administrator to log on to Windows 2000 is not the local administrator account.
They seem to contradict each other. I thought maybe the 1st article meant a workgroup as compared to a domain, but domains aren't mentioned in that article. And the 2nd article seems to say that being in a domain w/out a set recovery agent policy can prevent The Administrator from being the default EFS recovery agent - not being in a workgroup. I'm not sure, but I think the scenario described in the 2nd article, where the local administrator doesn't become the "default encrypting file system recovery agent", is when the computer is running a server OS in a domain where recovery agent policy hasn't been set. So it doesn't seem to be about WinXP or a computer in a workgroup.
Maybe the 1st article meant designated rather than default.
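As an added example (not from the original post or the linked articles), here is the command-line form of the two key-backup steps the post is wrestling with, run in PowerShell on the machine that holds the encrypted files. It uses the stock cipher.exe; the assumptions are that cipher.exe is the XP SP2-or-later build (older builds lack the /x switch), that the backup folder C:\efsbackup and the file names are placeholders, and that the script is run in the session of the user who encrypted the files. Registering the recovery certificate in local policy is a secpol.msc step on XP, so it appears only as a comment between the functions.

```powershell
# Added example, not code from the original post. Assumes XP SP2+/2003+ cipher.exe
# (the /x switch is missing from older builds). C:\efsbackup and the file names
# are placeholder assumptions.
$Backup = 'C:\efsbackup'

# 1. Back up the encrypting user's own EFS certificate + private key to a PFX.
#    Run this as that user. cipher prompts for a password that protects only the
#    .pfx file; it is unrelated to the user's Windows logon password.
function Backup-UserEfsKey {
    param([string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    cipher.exe /x "$Dir\userefs"          # creates userefs.pfx
}

# 2. Generate a separate Data Recovery Agent key pair. This is a second
#    certificate, not derived from the user's key; whoever holds dra.pfx and its
#    password can decrypt any file that lists this DRA.
function New-EfsRecoveryAgentKey {
    param([string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    cipher.exe "/r:$Dir\dra"              # creates dra.cer (public) and dra.pfx (private)
}

# 3. GUI step on XP, no CLI equivalent I know of: secpol.msc -> Public Key Policies
#    -> Encrypting File System -> right-click -> Add Data Recovery Agent -> dra.cer.
#    Files encrypted before that step do not carry the new DRA until touched:
function Update-EfsFiles {
    cipher.exe /u                         # rewrites the recovery field on every encrypted file
}

# 4. Sanity check: all three backup artefacts exist, then list encrypted files.
function Test-EfsBackup {
    param([string]$Dir)
    $needed  = "$Dir\userefs.pfx", "$Dir\dra.pfx", "$Dir\dra.cer"
    $missing = $needed | Where-Object { -not (Test-Path $_) }
    if ($missing) { throw "Missing EFS backup file(s): $($missing -join ', ')" }
    return $true
}

# Order of operations (run the secpol.msc step by hand between 2 and 3):
Backup-UserEfsKey -Dir $Backup
New-EfsRecoveryAgentKey -Dir $Backup
# ... add dra.cer as Data Recovery Agent in secpol.msc ...
Update-EfsFiles
Test-EfsBackup -Dir $Backup
cipher.exe /u /n                          # /n: list encrypted files without modifying them
```

Importing userefs.pfx into any other account (certmgr.msc, or double-clicking the file and entering its password) lets that account read the files, so the .pfx files and their passwords need to be stored as carefully as the data itself, and kept off the machine you intend to reformat.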