EFS recovery agent

Hello Geeks,
In a Windows 2012 R2 CA, I duplicated the EFS Recovery Agent template, then in the Security tab added my agent and granted Enroll and Autoenroll.
In the properties of the CA server, I added the recovery agent,
but in GPMC, when I want to add my agent as a recovery agent, it shows me that no certificate is available!
Please, can someone help me?
thanks in advance

I think you are confusing Key Recovery and Data Recovery agents:
In the properties of the CA in certsrv.msc you add a KRA (you change a registry key at the CA after you read the KRA's certificates from an object in the config. container). This will allow storing users' private keys in the CA DB - it can be used as an alternative to DRAs but it is unrelated to the DRAs in the GPO.
In order to add the DRAs to a GPO, their certificates need to be published to the agent users' objects in AD (the option Publish certificate to AD needs to be selected in the template) or you need to have the certificates as files. I would prefer the latter, so as not to complicate things now. So if you have issued proper EFS Recovery certificates, export their certificates from the CA DB (Issued Certificates) or from those agents' personal stores as CRT files and import them to the GPO.
But make sure that these are really EFS Data Recovery certificates and not Key Recovery certificates, otherwise data recovery will not work. The extended key usage should include File Recovery.
Elke
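
One way to run the check described in the answer above before importing exported certificate files into the GPO (an added example, not part of the original thread; the function name Test-EfsDraCertificate and the folder C:\Export are hypothetical). It reads each file and reports whether the extended key usage contains File Recovery (OID 1.3.6.1.4.1.311.10.3.4.1) or only Key Recovery Agent (OID 1.3.6.1.4.1.311.21.6), and whether the certificate is inside its validity period.

```powershell
# Added example: classify exported certificate files before adding them as DRAs in a GPO.
# Test-EfsDraCertificate is a hypothetical helper name, not a built-in cmdlet.
function Test-EfsDraCertificate {
    [CmdletBinding()]
    param(
        # Path to a .cer/.crt file; also binds to FullName from Get-ChildItem
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        # Microsoft extended key usage OIDs
        $oidFileRecovery     = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (EFS data recovery)
        $oidKeyRecoveryAgent = '1.3.6.1.4.1.311.21.6'      # Key Recovery Agent (CA key archival)
    }
    process {
        $file = (Resolve-Path -LiteralPath $Path).ProviderPath
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

        # Collect EKU OIDs; a certificate without an EKU extension yields an empty list
        $ekus = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        $now            = Get-Date
        $isFileRecovery = $ekus -contains $oidFileRecovery
        $isKra          = $ekus -contains $oidKeyRecoveryAgent
        $inValidity     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        # Decide what to tell the administrator about this file
        if ($isFileRecovery -and $inValidity) {
            $verdict = 'OK: File Recovery certificate, usable as DRA'
        }
        elseif ($isFileRecovery) {
            $verdict = 'File Recovery certificate, but outside its validity period'
        }
        elseif ($isKra) {
            $verdict = 'Key Recovery Agent certificate, not a data recovery certificate'
        }
        else {
            $verdict = 'No File Recovery EKU present'
        }

        [pscustomobject]@{
            File       = Split-Path -Leaf $file
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            EKUs       = ($ekus -join ', ')
            Verdict    = $verdict
        }
    }
}

# Usage (C:\Export is a hypothetical folder holding the exported files):
# Get-ChildItem C:\Export\* -Include *.cer, *.crt | Test-EfsDraCertificate | Format-List
```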

Similar Messages

  • EFS Recovery Agent not working on Windows 8.1

    I know EFS data recovery has been discussed so many times in the forums but I could not find anything useful in the other threads as I believe I have followed all the required steps but still cannot get EFS recovery agent to work.
    I have a Client1 (Win 8.1) and a DC1 (Windows Server 2012 R2) under beta.com domain. DC1 is a CA server as well as a domain controller.
    I logged into DC1 as beta.com\Administrator, which is the Domain Administrator account.
    I duplicated the EFS Recovery Agent template on the DC1 and published it into Active Directory.
    Then I edited the Default Domain Policy GPO and under Computer Settings\Policies\Windows Settings\Security Settings\Public Key Policies I right clicked Encrypting File System and selected Create a Data Recovery Agent and a new file recovery certificate was generated for the Administrator account.
    I exported the newly-created Recovery Agent certificate and then logged into Client1 as beta.com\Administrator and imported it.
    I then logged off from Client1 and logged back in using a different account beta.com\johns and encrypted a folder (with a text file inside) using EFS. (The folder address on local disk is C:\Reports)
    Then I logged back into Client1 again using beta.com\Administrator but I am unable to open the file inside the folder and I get an Access is denied message.
    It is very strange to get an "Access is denied" message because on the text file when I right click and click Properties -> Advanced -> Details, under the Recovery Certificates, the Administrator account's certificate is listed
    and its thumbprint corresponds to the same recovery certificate which I created in step 3. But I am still unable to access the file.
    Do you have any idea why? Am I missing something?
    Thanks in advance.
    MCT, MCSA/MCSE Security
    http://esitech.spaces.live.com/

    Hi
    The Client1 user needs to enrol via GPO to get the recovery certificate normally via automatic enrolment
    Check the Personal Certificate store for Client1
    I think the policy needs to be applied before you encrypt any data
    To manually recover
    Did you export the private key when you did the export?
    Did you export to a .cer file?

  • Using Bitlocker Data Recovery Agent (DRA) on Surface Pro 3

    We currently have the Data Recovery Agent (DRA) configured in our BitLocker Policy for our Windows 7 systems, and it works fine. In situations where the Recovery Key for the computer object was not backed up to AD correctly for whatever reason or the computer object was deleted, our HelpDesk can connect the encrypted drive to another system, and then use the certificate for the DRA to unlock the drive.
    I'm wondering if the BitLocker DRA Certificate unlock method will work for Surface Pro 3 devices, in the case that their computer object and normal BitLocker recovery key is deleted or missing in AD for whatever reason. Seeing as how our helpdesk can't easily remove the internal HD from a Surface Pro 3 (I think only MS can do this?), I'm wondering if this BitLocker recovery option is still an option for Surface Pro 3's and, if it is not, whether there is another recommended option for Surface Pro 3's and/or other Windows 8.1 tablets used in an enterprise environment.

    noctlos wrote:
    Using linux-3.18 and -3.19 kernels, with wayland/weston v. 1.7. In its own tty, i try to run weston, and I get the following stderr:
    Could anyone help me to figure this out? Thanks.
    Seems that the problem lies in libinput. Maybe you can report that upstream. I suggest you recompile libinput with debug info and do not strip the binaries to obtain better backtraces.
    Edit:
    I have also tried running `swc-launch -- velox`, and get the following error:
    Running on /dev/tty2
    velox: error while loading shared libraries: libinput.so.5: cannot open shared object file: No such file or directory
    Server exited with status 127
    Restoring VT to original state
    So, perhaps I am having some libinput trouble. Does this seem correct?
    Well, that's a different problem. libinput has several soname bumps because of API and ABI incompatibility. You have to rebuild swc against the newest libinput. (Although I'm not sure if swc developer updated the code to new API)
    Edit 2:
    Just to tack this on here for `gnome-session --session=gnome-wayland --debug`
    I'm not expert on this, it may be related to libinput problem. If you don't include GDK_BACKEND=wayland environment variable when launching gnome-wayland.
    Last edited by jdbrown (2015-03-01 08:04:39)

  • How can I add a bitlocker data recovery agent?

    Hi,
    I'm using an SCCM 2012 task sequence to encrypt laptop disks using bitlocker.
    If I want to add a data recovery agent, can I just configure a GPO with the specific DRA settings as shown here:
    http://sourcedaddy.com/windows-7/how-to-configure-data-recovery-agent.html ?           
    Or is there another method I should be using for SCCM 2012?
    Thanks     

    Yes, I know this is an old post, but I’m trying to clean them up.
    Did you solve this problem, if so what was the solution?
    Have you looked at MBAM?
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • IFolder 3.8.4 AutoAccount.xml setting for recovery agent

    hi,
    Does the AutoAccount.xml response file have a setting for the recovery agent on the client?
    I would like to deploy the iFolder client so that it must use the server default for passphrase recovery rather than sscert; sscert is much more complex.
    Many thanks

    lywwing,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Urgent! Can't open encrypted file under the same user.

    My system is X61s, Windows XP pro sp3.
    There is no change of user account, no reinstallation or recovery of system.
    I used EFS to encrypt some of my important files last month. Without any user account changes and system reinstallation I suddenly cannot open the encrypted files anymore. I am aware that the change of user account or reinstalling the system will change the encrypted ID, then the encrypted file will not be opened unless there is a digital certificate of the user that encrypted the file. However I have been using the same user account since I bought the laptop and I have never reinstalled or recovered the system.
    I have tried to encrypt some other files and these files can be opened without any problem. But only the file that I encrypted about a month ago cannot be opened. Those are very important files for me. Can anyone help me to get my files back please!!!
    mod edit: moved to windows forum for better exposure.
    Message Edited by erik on 10-01-2008 11:51 PM

    Hello, you did not mention any error messages you were facing.
    I can only assume you are getting the following messages if you try to open an encrypted file...
    Cause: Encrypting File System (EFS) only works on files and folders on NTFS file system volumes. If the folder or file you are trying to encrypt is on a FAT or FAT32 volume, the Advanced button does not appear in the properties of that folder or file.
    Solution:
    Convert the volume to NTFS with the convert utility.
    Open command prompt
    Type:
    convert drive /fs:ntfs
    where drive is the drive letter of the intended drive.
    "the recovery policy configured for this system contains an invalid security certificate" or "BAD_RECOVERY_POLICY" OCCURS
    Cause: The Encrypting File System (EFS) recovery policy implemented on this computer contains one or more EFS recovery agent certificates that have expired. These certificates cannot be used.
    Solution:
    Either renew the existing certificates or generate new certificates for the EFS recovery agents and reapply the recovery agent policy with those certificates.
    The access denied message occurs when trying to open an encrypted file
    Cause: The file was encrypted by Encrypting File System (EFS) using a public key certificate and the associated private key for this certificate is not available on this computer.
    Solution:
    Locate the private key for the appropriate certificate and import it onto this computer using the Certificates snap-in.
    Cheers and regards,
    • » νιנαソѕαяα∂нι ѕαмανє∂αм ™ « •
    ●๋•کáŕádhí'ک díáŕý ツ
    I am a volunteer here. I don't work for Lenovo

  • AD MIg question

    Hello All,
    We are in the process of upgrading our AD from 2008 R2 to 2012 R2 and would like to get the experts' opinion in this forum about the approach.
    We have multiple sites and two child domains under the parent domain (e.g. bixel.com (root), physics.bixel.com, chemist.bixel.com), which is spanned across 15 sites.
    Question:
    How do we generally plan the upgrade? Do we upgrade FSMO first and then GCs or DCs? Or do we upgrade GCs and DCs in all other sites and at the end upgrade the FSMO role holders?
    Also, are there any horror stories during the upgrade process which I can take into consideration?
    Any replication issues / trust issues?

    Your plan sounds fine, and I assume that by saying upgrading the FSMO role holders first, that you are specifically going to run adprep on the Schema Master first, then upgrade that DC first, which I will assume that it's also the Domain Naming Master and a GC. Of course, you should upgrade the PDC immediately if you plan on cloning your virtualized DCs using the VM-GenID.
    Keep in mind, there are some things that have changed on 2012 R2, so you must keep them in mind.
    The info above, and much more, are all in the matrix in the following link that I think you should take a close look before you start:
    Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012
    http://technet.microsoft.com/en-us/library/hh994618.aspx
    Another thing to consider is DNS design to support the forest. How is DNS designed to support your child domains? Are the parent and child zones set to domain wide replication and each is delegated from the parent to the child and the child has a forwarder back to the parent, or are all zones set to forest wide replication? Here's what I mean:
    DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
    http://blogs.msmvps.com/acefekay/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation/
    Make sure all AV are disabled or better, uninstalled first.
    If using EFS...
    Back Up the Private Key of the Domain's EFS Recovery Agent
    http://technet.microsoft.com/en-us/library/cc755157(WS.10).aspx
    How to back up the recovery agent Encrypting File System (EFS) private key in Windows
    http://support.microsoft.com/kb/241201
    Are there any third party apps or services installed that need to be addressed for compatibility? Contact the vendor.
    Are all DCs in your forest a GC? IF not, did you move the IM role off a GC in each domain?
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Access Denied when trying to open a file that is encrypted on network share with EFS

    I just recently enabled EFS on the default domain policy and created a new network share, encrypted a file and added myself to that file and tried to open the file from my workstation. I then receive an error "Access denied". I also tried to create a file and encrypt it on that same share and get an error "The requested operation cannot be completed.  The computer must be trusted for delegation and the current user account must be configured to allow delegation."
    My steps.
    1. Enable group policy for EFS, removed the expired certificate that was already there and Created a new Data recovery agent.
    2. Created a network share, created a test file, enabled encryption on the file 
    3. certmgr.msc, personal and requested a new certificate, Basic EFS
    4. On the network share and properties of file, advanced, details and added the user
    5. From the workstation tried to access the file, Access Denied. I can create any file I want, I just can't add attributes to encrypt the file or open an encrypted file.
    Now if I go to the server where the CA is located, which is also the AD server, and create a share and run the same process, it works as expected. I'm guessing I have to export the cert from the CA server as a pfx and import that to both the server that has the network share and the workstation, but that still doesn't seem to work. Maybe I don't understand how EFS works and this is not possible? Any suggestions would be appreciated.

    You are correct in not understanding how EFS works.
    When you connect to an encrypted file via a network share, the encryption/decryption takes place *on* the server. To enable over the network access, the server's computer account must be trusted for delegation.
    The server actually impersonates the user and creates a user profile on the server (containing the defined EFS certificate and private key). The important thing to remember is that the file is transmitted in clear text from the server to the client.
    See http://blogs.technet.com/b/instan/archive/2010/08/11/remote-efs-decryption-and-trusted-for-delegation-requirements.aspx
    Brian

  • Backup and Restore and Recovery

    I just recently ran the Backup for my NB255-N245 Notebook with Windows 7 Starter. I did not use the Online Backup but used a USB drive with 128GB of capacity. After doing this I was looking to see what was on the drive because it seemed only 2GB of space was used. I only see 2 items: one named Notebook and another file, MediaID.bin. I am curious what is on this drive and what can be restored or recovered with it. I was originally trying to make a copy of the C drive so I could restore it from the original files, if I am explaining that correctly. This is because I think there may be a corrupted file somewhere. I did find out that recovery disks apparently seem to be needed to do what I was going to do, but I am not sure if that is correct.

    There is a lot of information around, but I will try to explain it in simple terms from my head (sorry, I won't provide links).
    Anyway, here is how it is supposed to work.
    You must create a user who will be designated as a Data Recovery Agent (DRA).
    Do the following on a domain joined workstation - could be a VM.
    Encrypt a file using this account so that EFS certificate is created for the DRA.
    Export the certificate and export private key. Delete private key during the export. 
    Save the exported certificate into the safe. Delete exported certificate from the workstation. Optionally, if it was a VM, delete a VM too.
    This leaves you with account for DRA that only has the public key, but not the private key. This user can encrypt EFS files, but cannot read them. This is your DRA account. You don't use it for anything else but as a DRA.
    So, configure Data recovery policy, using your prepared account as DRA.
    That's all.
    When you need to recover files, get a new (clean) domain joined workstation - could be a VM.
    Get certificate from the safe.
    Create a new user JohnDoe.
    Import a certificate from the safe to JohnDoe.
    Now JohnDoe has both private and public key and can read EFS encrypted data.
    Decrypt the data as you like.
    When you are finished, destroy JohnDoe and workstation (VM).
    HTH

  • Escrow the recovery key in DB server and not in AD when removable drive is encrypted.

    Is there any way to escrow the recovery key in the database server and not in AD when removable drive (USB drive) is encrypted via manage-bde command line? The data recovery agent is not enabled in our organization. 
    "Choose how bitlocker protected removable Drives can be recovered" for removable drives is disabled in our Group policy also.
    Please advise. Thank you.

    As far as I am concerned, you cannot do that when you are using the command line "Manage-bde".
    The reason is that the manage-bde command line parameters don't support saving recovery keys to databases. Also, there is not any group policy defined for it.
    If you want an option to save recovery keys in a database rather than the AD, I would recommend using MBAM (Microsoft BitLocker Administration and Monitoring).
    Gaurav Ranjan

  • Drive Recovery Using DRA on another Computer Shows No Protectors

    We are rolling out a new series of laptop using MBAM 2.5 next week. We are encrypting the OS drive with 256bit encryption using MBAM GPOs and use TPM+PIN. We have also setup DRAs via GPO, which was done on our previous generation of laptops, but without MBAM. We are able to recover a drive using the recovery password. Manage-bde -protectors -get c: on the laptop shows all the correct protectors. When I remove the disk drive and put it in a USB carrier and plug it into a similarly configured laptop to decrypt the drive via DRA, the drive shows as unformatted and a showing of protectors for the drive lists no protectors. I don't understand. We have done this same process for several years with our previous generation of laptops. I am stumped.

    You may want to check the settings configured for the policy “Choose how BitLocker-protected operating system drives can be recovered”
    From Planning for MBAM 2.5 Group Policy Requirements
    Suggested configuration: Not Configured
    Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).
    When this policy is not configured, the data recovery agent is allowed, and recovery information is not backed up to AD DS.
    MBAM operation does not require recovery information to be backed up to AD DS.
    Brandon
    MDOP on the Springboard Series on TechNet

  • MBAM bitlocker-protected removable drives recovery keys saved on sql database not active directory

    Hi Guys
    I need help in saving BitLocker-protected removable drives on the SQL database instead of Active Directory.
    I have tried to play around with the policy and I am not winning. Currently my GPO "Choose how BitLocker-protected removable drives can be recovered" has only the "Allow data recovery agent" option chosen, and I have left all the AD DS options unticked.
    Please point me in the right direction on how to achieve this. I want all my keys in a SQL database so the users can recover the keys themselves using the MBAM helpdesk website.

    Under client management, define your endpoint URLs. You can see the help and the description section for that particular policy. Copy and paste the URL removing the port number and replace the name of the Server with that of your MBAM Web server.
    Also, disable or don't configure the policy "Choose how bitlocker protected removable Drives can be recovered".
    This will save your recovery keys to the MBAM DBs.
    Gaurav Ranjan

  • Windows Recovery Boot Key(configured using ReAgentc.exe) is not activate before passing OOBE setup after using windows Recovery.

    I have deployed a Windows 7 image with factory reset on a separate partition. I am able to recover the solution to a factory fresh install, but the problem I see here is after recovering to full reset. After booting, when OOBE is starting, in case this OOBE is disturbed, like a power down or any manual interruption, on the next boot a Windows installation error pops up, and the function boot key which I set using ReAgentc.exe is also not working. I get a Windows Error Recovery, followed by the below error.
    During this time the Fn key (F11, set using ReAgentc.exe) that I have configured for Windows Recovery is not working.
    Implementation Detail:
    Installing OS:
    1. create partition
    1. par 1 = Recovery partition = Label(R),set iD=27
    2. System Boot partition = Label(S)
    3. Window partition = label(W)
    2. Copy Image to Recovery partition == R:\Recovery\WindowsRE\Install.wim,WinRe.Wim and Boot.sdi
    3. Apply Image to W:\ using Image X tool
    4. setting boot path W:\windows
    5. Setting Recovery option to Fn11 key
    W:\Windows\System32\ReAgentc.exe /SetReImage /Target W:\Windows /Path R:\Recovery\WindowsRE /BootKey 0x8500
    W:\Windows\System32\ReAgentc.exe /SetOsImage /Target W:\Windows /Path R:\Recovery\WindowsRE
    Factory Resetting Implementation:
    1. Assign back all label to respective partition
    2. format Drive W:\ and apply Install.wim from R:\Recovery\WindowsRE using Imagex tool
    3. Deleting Boot Environment W:\Windows\System32\Bcdboot.exe W:\windows /l EN-US /s S:
    4. Setting Recovery
    W:\Windows\System32\ReAgentc.exe /SetReImage /Target W:\Windows /Path R:\Recovery\WindowsRE /BootKey 0x8500
    W:\Windows\System32\ReAgentc.exe /SetOsImage /Target W:\Windows /Path R:\Recovery\WindowsRE
    5.Shutdown
    Steps to repro:
    1. Install Factory Setting by pressing F11
    2. During OOBE , Plug out the power.
    Issue: Recovery partition is not accessible using the registered function key F11.
    Any help will be great help

    Modified instructions from this tutorial.
    I have replaced the Setting Recovery Agent code with the lines below. It is working as expected. I still haven't tested all corner cases, but it resolved my problem in my code.
    R is the partition where my Recovery Option resides.
    bcdedit.exe /CREATE {ramdiskoptions} /d "Ramdisk Options"
    bcdedit.exe /SET {ramdiskoptions} ramdisksdidevice partition=R:
    bcdedit.exe /SET {ramdiskoptions} ramdisksdipath \Recovery\WindowsRE\boot.sdi
    for /f "tokens=2 delims={}" %%g in ('bcdedit.exe /create /d "W7 Recovery" /application osloader') do (set guid={%%g})
    echo %guid%
    bcdedit.exe /SET %guid% device ramdisk=[R:]\Recovery\windowsRE\Winre.wim,{ramdiskoptions}
    bcdedit.exe /SET %guid% path \Windows\system32\winload.exe
    bcdedit.exe /SET %guid% osdevice ramdisk=[R:]\Recovery\windowsRE\Winre.wim,{ramdiskoptions}
    bcdedit.exe /SET %guid% systemroot \windows
    bcdedit.exe /SET %guid% winpe yes
    bcdedit.exe /SET %guid% detecthal yes
    bcdedit.exe /SET %guid% nx OptIn
    bcdedit.exe /SET {globalsettings} extendedinput 1
    bcdedit.exe /SET {BOOTMGR} custom:0x54000001 %guid%
    bcdedit.exe /SET {BOOTMGR} customactions 0x1000085000001 0x54000001

  • Manual Recovery Queue

    When messages end up on the manual recovery queue the operator needs to intervene.
    I thought I read somewhere there was a recovery agent that can be configured to automatically recover the messages.
    Does anyone know if this is true?
    Pete

    For invocation msgs. Similar for other cases. Just an example.
    import com.oracle.bpel.client.IBPELDomainHandle;
    import com.oracle.bpel.client.IBPELProcessHandle;
    import com.oracle.bpel.client.IDeliveryConstants;
    import com.oracle.bpel.client.IInvokeMetaData;
    import com.oracle.bpel.client.Locator;
    import com.oracle.bpel.client.NormalizedMessage;
    import com.oracle.bpel.client.ServerException;
    import com.oracle.bpel.client.delivery.IDeliveryService;
    import com.oracle.bpel.client.util.SQLDefs;
    import com.oracle.bpel.client.util.WhereCondition;
    import java.util.Hashtable;
    import com.evermind.server.rmi.RMIInitialContextFactory;

    public class BpelRecovery
    {
        private Locator locator = null;

        public BpelRecovery() throws Exception
        {
            // Connection settings for the BPEL domain; replace the URL and credentials with your own
            Hashtable ctx = new Hashtable();
            ctx.put("orabpel.platform", "oc4j_10g");
            ctx.put("java.naming.factory.initial", "com.evermind.server.rmi.RMIInitialContextFactory");
            ctx.put("java.naming.provider.url", "ormi://localhost/orabpel");
            ctx.put("java.naming.security.principal", "admin");
            ctx.put("java.naming.security.credentials", "welcome");
            try
            {
                System.out.println("Connecting to BPEL...");
                locator = new Locator("default", "bpel", ctx);
                IDeliveryService deliveryService = (IDeliveryService) locator.lookupService(IDeliveryService.SERVICE_NAME);
            }
            catch (Exception e)
            {
                e.printStackTrace();
                throw new Exception("Failed to connect to BPEL, caused by " + e.getMessage());
            }
        }

        public void recovery() throws Exception
        {
            IBPELProcessHandle[] pcs = locator.listProcesses();
            // Select the invoke messages whose state is still unresolved
            StringBuffer buf = new StringBuffer();
            WhereCondition where = new WhereCondition(buf.append(SQLDefs.IM_state)
                    .append(" = ")
                    .append(IDeliveryConstants.STATE_UNRESOLVED)
                    .toString());
            IInvokeMetaData[] imd = locator.listInvokeMessages(where);
            String[] ids = new String[imd.length];
            for (int i = 0; i < imd.length; i++)
            {
                System.out.println("ConversationId=" + imd[i].getConversationId());
                System.out.println("ProcessId=" + imd[i].getProcessId());
                System.out.println("State=" + imd[i].getState());
                // Collect every conversation id (index i, not a fixed slot)
                ids[i] = imd[i].getConversationId();
            }
            // Hand the collected messages to the domain for recovery
            locator.lookupDomain().recoverInvokeMessages(ids);
        }

        public static void main(String[] args) throws Exception
        {
            BpelRecovery recovery = new BpelRecovery();
            recovery.recovery();
            System.out.println("done");
        }
    }

  • Slow log on with Windows XP / Active directory

    Hi
    I have been trying to work out what is causing my computers to take a long time to log on. The computers are Windows XP and take roughly 1 minute to log on (at worst).
    I have turned on  userenv debugging and reviewed the files. I think the problem may be related to DNS but not 100% sure.
    Please could someone review the log below and see if I am looking in the right direction. Thanks (I've cut the log down slightly)
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CheckGPOs: No GPO changes but couldn't read extension EFS recovery's status or policy time.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Extension EFS recovery skipped with flags 0x6.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Processing extension 802.3 Group Policy
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CheckGPOs: No GPO changes but couldn't read extension 802.3 Group Policy's status or policy time.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Extension 802.3 Group Policy skipped with flags 0x6.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Processing extension Group Policy Printers
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CheckGPOs: No GPO changes but couldn't read extension Group Policy Printers's status or policy time.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Extension Group Policy Printers skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Processing extension Group Policy Shortcuts
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CheckGPOs: No GPO changes but couldn't read extension Group Policy Shortcuts's status or policy time.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Extension Group Policy Shortcuts skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Processing extension Microsoft Offline Files
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CheckGPOs: No GPO changes but couldn't read extension Microsoft Offline Files's status or policy time.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Extension Microsoft Offline Files skipped with flags 0x6.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Processing extension Software Installation
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:000 CheckGPOs: No GPO changes but couldn't read extension Software Installation's status or policy time.
    USERENV(36c.a98) 15:23:07:000 ProcessGPOs: Extension Software Installation skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension Internet Explorer Machine Accelerators
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension Internet Explorer Machine Accelerators's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension Internet Explorer Machine Accelerators skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension IP Security
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension IP Security's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension IP Security skipped with flags 0x6.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension Group Policy Internet Settings
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension Group Policy Internet Settings's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension Group Policy Internet Settings skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension Group Policy Start Menu Settings
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension Group Policy Start Menu Settings's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension Group Policy Start Menu Settings skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension Group Policy Regional Options
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension Group Policy Regional Options's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension Group Policy Regional Options skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension Group Policy Power Options
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension Group Policy Power Options's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension Group Policy Power Options skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: -----------------------
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Processing extension Group Policy Applications
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CompareGPOLists:  The lists are the same.
    USERENV(36c.a98) 15:23:07:015 CheckGPOs: No GPO changes but couldn't read extension Group Policy Applications's status or policy time.
    USERENV(36c.a98) 15:23:07:015 ProcessGPOs: Extension Group Policy Applications skipped because both deleted and changed GPO lists are empty.
    USERENV(36c.a98) 15:23:07:015 SetFgRefreshInfo: Previous User Fg policy Synchronous, Reason: NonCachedCredentials.
    USERENV(36c.a98) 15:23:07:015 SetFgRefreshInfo: Next User Fg policy Asynchronous, Reason: NoNeedForSync.
    USERENV(36c.a98) 15:23:07:031 ProcessGPOs: No WMI logging done in this policy cycle.
    USERENV(36c.a98) 15:23:07:031 LeaveCriticalPolicySection: Critical section 0x80c has been released.
    USERENV(36c.a98) 15:23:07:031 ProcessGPOs: User Group Policy has been applied.
    USERENV(36c.a98) 15:23:07:031 ProcessGPOs: Leaving with 1.
    USERENV(36c.a98) 15:23:07:031 ApplyGroupPolicy: Leaving successfully.
    USERENV(36c.ed8) 15:23:07:031 GPOThread:  Next refresh will happen in 103 minutes
    USERENV(36c.ee4) 15:23:07:031 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(36c.650) 15:23:07:031 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(36c.370) 15:23:07:187 IsSyncForegroundPolicyRefresh: Asynchronous, Reason: NoNeedForSync
    USERENV(36c.f40) 15:23:07:187 IsSyncForegroundPolicyRefresh: Asynchronous, Reason: NoNeedForSync
    USERENV(36c.f40) 15:23:07:187 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(f00.f04) 15:23:07:265 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
    USERENV(c4.c0) 15:23:07:500 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
    USERENV(118.7c) 15:23:07:671 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
    USERENV(3a8.3cc) 15:23:07:765 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(3a8.3cc) 15:23:07:765 GetUserNameAndDomain Failed to impersonate user
    USERENV(3a8.3cc) 15:23:07:781 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(3a8.3cc) 15:23:07:781 GetUserDNSDomainName: Failed to impersonate user
    USERENV(3a8.3cc) 15:23:07:781 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(c4.c0) 15:23:07:796 GetProfileType:  Profile already loaded.
    USERENV(c4.c0) 15:23:07:812 GetProfileType: ProfileFlags is 0
    USERENV(888.890) 15:23:07:843 LibMain: Process Name:  C:\WINDOWS\Explorer.EXE
    USERENV(434.9c) 15:23:07:921 LibMain: Process Name:  C:\WINDOWS\system32\WgaTray.exe
    USERENV(434.9c) 15:23:07:921 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(434.9c) 15:23:07:968 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(888.978) 15:23:08:046 GetProfileType:  Profile already loaded.
    USERENV(888.978) 15:23:08:046 GetProfileType: ProfileFlags is 0
    USERENV(888.978) 15:23:08:046 GetProfileType:  Profile already loaded.
    USERENV(888.978) 15:23:08:046 GetProfileType: ProfileFlags is 0
    USERENV(888.9d4) 15:23:08:078 GetProfileType:  Profile already loaded.
    USERENV(888.9d4) 15:23:08:078 GetProfileType: ProfileFlags is 0
    USERENV(710.3a0) 15:23:08:156 LibMain: Process Name:  C:\WINDOWS\system32\wbem\wmiprvse.exe
    USERENV(51c.67c) 15:23:09:640 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(51c.67c) 15:23:09:671 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(e78.b00) 15:23:10:750 LibMain: Process Name:  C:\WINDOWS\system32\RUNDLL32.EXE
    USERENV(e14.e20) 15:23:11:125 LibMain: Process Name:  C:\WINDOWS\Creator\Remind_XP.exe
    USERENV(43c.b5c) 15:23:11:125 LibMain: Process Name:  C:\WINDOWS\system32\RUNDLL32.EXE
    USERENV(e14.e20) 15:23:11:250 GetProfileType:  Profile already loaded.
    USERENV(e14.e20) 15:23:11:250 GetProfileType: ProfileFlags is 0
    USERENV(a64.b50) 15:23:11:437 LibMain: Process Name:  C:\WINDOWS\system32\mobsync.exe
    USERENV(fc8.ac) 15:23:12:015 LibMain: Process Name:  C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    USERENV(54c.550) 15:23:13:515 LibMain: Process Name:  C:\WINDOWS\system32\ctfmon.exe
    USERENV(54c.550) 15:23:13:968 GetProfileType:  Profile already loaded.
    USERENV(54c.550) 15:23:14:093 GetProfileType: ProfileFlags is 0
    USERENV(9e0.9dc) 15:23:15:109 LibMain: Process Name:  C:\WINDOWS\system32\imapi.exe
    USERENV(888.978) 15:23:17:421 GetProfileType:  Profile already loaded.
    USERENV(888.978) 15:23:17:421 GetProfileType: ProfileFlags is 0
    USERENV(51c.67c) 15:23:17:656 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(36c.efc) 15:23:22:031 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(f68.970) 15:23:22:250 LibMain: Process Name:  C:\WINDOWS\system32\NOTEPAD.EXE
    USERENV(d0.f28) 15:23:22:312 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
    USERENV(eec.f18) 15:28:16:531 LibMain: Process Name:  C:\Program Files\AVG\AVG10\avgdiagex.exe
    USERENV(71c.f5c) 15:32:30:703 LibMain: Process Name:  C:\Program Files\OCS Inventory Agent\ocsinventory.exe
    USERENV(71c.f5c) 15:32:30:703 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(71c.f5c) 15:32:30:703 GetUserNameAndDomain Failed to impersonate user
    USERENV(71c.f5c) 15:32:30:718 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(71c.f5c) 15:32:30:718 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(71c.f5c) 15:32:30:750 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(71c.f5c) 15:32:30:750 GetUserNameAndDomain Failed to impersonate user
    USERENV(71c.f5c) 15:32:30:750 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(71c.f5c) 15:32:30:750 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(71c.f5c) 15:32:30:796 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(71c.f5c) 15:32:30:968 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(71c.f5c) 15:32:31:000 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(71c.f5c) 15:32:31:000 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(93c.97c) 15:32:55:609 LibMain: Process Name:  C:\Program Files\AVG\AVG10\avgcmgr.exe
    USERENV(534.4b8) 15:34:01:421 LibMain: Process Name:  C:\Program Files\OCS Inventory Agent\ocsinventory.exe
    USERENV(534.4b8) 15:34:01:421 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(534.4b8) 15:34:01:421 GetUserNameAndDomain Failed to impersonate user
    USERENV(534.4b8) 15:34:01:421 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(534.4b8) 15:34:01:421 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(534.4b8) 15:34:01:437 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(534.4b8) 15:34:01:437 GetUserNameAndDomain Failed to impersonate user
    USERENV(534.4b8) 15:34:01:437 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(534.4b8) 15:34:01:437 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(534.4b8) 15:34:01:484 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(534.4b8) 15:34:01:640 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(534.4b8) 15:34:01:671 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(534.4b8) 15:34:01:687 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(224.7c8) 15:34:20:968 GetUserDNSDomainName:  MyGetUserNameEx failed for NameDnsDomain style name with 5
    USERENV(224.7c8) 15:34:20:968 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(224.7c8) 15:34:22:562 GetUserDNSDomainName:  MyGetUserNameEx failed for NameDnsDomain style name with 5
    USERENV(224.7c8) 15:34:22:562 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(224.7c8) 15:34:22:562 GetUserDNSDomainName:  MyGetUserNameEx failed for NameDnsDomain style name with 5
    USERENV(224.7c8) 15:34:22:562 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(fb4.dc4) 15:35:54:140 LibMain: Process Name:  C:\Program Files\OCS Inventory Agent\ocsinventory.exe
    USERENV(fb4.dc4) 15:35:54:140 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(fb4.dc4) 15:35:54:140 GetUserNameAndDomain Failed to impersonate user
    USERENV(fb4.dc4) 15:35:54:140 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(fb4.dc4) 15:35:54:140 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(fb4.dc4) 15:35:54:140 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(fb4.dc4) 15:35:54:140 GetUserNameAndDomain Failed to impersonate user
    USERENV(fb4.dc4) 15:35:54:156 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(fb4.dc4) 15:35:54:156 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(fb4.dc4) 15:35:54:187 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(fb4.dc4) 15:35:54:343 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(fb4.dc4) 15:35:54:375 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(fb4.dc4) 15:35:54:390 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(94c.e78) 15:37:21:812 LibMain: Process Name:  C:\Program Files\OCS Inventory Agent\ocsinventory.exe
    USERENV(94c.e78) 15:37:21:812 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(94c.e78) 15:37:21:812 GetUserNameAndDomain Failed to impersonate user
    USERENV(94c.e78) 15:37:21:812 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(94c.e78) 15:37:21:828 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(94c.e78) 15:37:21:828 ImpersonateUser: Failed to impersonate user with 5.
    USERENV(94c.e78) 15:37:21:828 GetUserNameAndDomain Failed to impersonate user
    USERENV(94c.e78) 15:37:21:828 GetUserDNSDomainName:  Domain name is NT Authority.  No DNS domain name available.
    USERENV(94c.e78) 15:37:21:828 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(94c.e78) 15:37:21:890 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(94c.e78) 15:37:22:031 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(94c.e78) 15:37:22:078 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(94c.e78) 15:37:22:078 ProcessAutoexec: Cannot process autoexec.bat.
    USERENV(ad4.764) 15:39:07:424 LibMain: Process Name:  C:\WINDOWS\system32\verclsid.exe

    Hi
    It is taking 5 mins after the Userinit process. There might be an issue with that also.
    Userinit is responsible for reconnecting network drives, running logon scripts, etc. I would guess that something of that nature is actually causing the delay. Isolate the user/computer account in an OU with block inheritance set and see if the issue continues.
    Also, do you have any logon scripts or mapped drives set on the user account? If so, you may want to remove those and see if that helps the issue. If so you may have a problem with slow network connectivity.
    You can also try
    How to perform advanced clean-boot troubleshooting in Windows XP 
    http://support.microsoft.com/kb/316434
    In addition to above suggestion, the following two links might be helpful for you to resolve the issue.
    http://blogs.technet.com/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-1.aspx
    http://blogs.technet.com/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-2.aspx
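
The reading of the log given in the reply above (a pause of several minutes after userinit.exe) can be checked mechanically by measuring the time between consecutive userenv.log entries and naming the process that wrote last before each silence. This is an added example, not part of the original thread: the sample log is constructed in the same format, and the function names and the 30-second threshold are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample in the userenv.log debug format (not lines from the thread).
SAMPLE_LOG = r"""USERENV(36c.a98) 10:00:01:000 ProcessGPOs: User Group Policy has been applied.
USERENV(36c.a98) 10:00:01:015 CheckGPOs: No GPO changes but couldn't read extension Example's status or policy
time.
USERENV(d0.f28) 10:00:02:312 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
USERENV(d0.f28) 10:00:02:400 GetProfileType: ProfileFlags is 0
USERENV(888.890) 10:05:02:400 LibMain: Process Name:  C:\WINDOWS\Explorer.EXE
USERENV(888.890) 10:05:03:000 GetProfileType:  Profile already loaded.
"""

# USERENV(<pid hex>.<tid hex>) HH:MM:SS:mmm <function and message>
LINE_RE = re.compile(
    r"^\s*USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$",
    re.IGNORECASE,
)
PROC_RE = re.compile(r"LibMain: Process Name:\s+(?P<path>.+)$")


def parse(text):
    """Return entries in file order; wrapped lines are joined to their entry."""
    entries, names = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip() and entries:  # continuation of a wrapped line
                entries[-1]["msg"] += " " + raw.strip()
            continue
        pid, msg = m["pid"].lower(), m["msg"].strip()
        proc = PROC_RE.search(msg)
        if proc:  # PIDs get reused, so the latest LibMain line wins
            names[pid] = proc["path"].strip().rsplit("\\", 1)[-1]
        when = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                         seconds=int(m["s"]), milliseconds=int(m["ms"]))
        entries.append({"proc": names.get(pid, "pid " + pid), "time": when, "msg": msg})
    return entries


def largest_gaps(entries, threshold=timedelta(seconds=30)):
    """Silences of at least `threshold`, longest first, with the last writer."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = cur["time"] - prev["time"]
        # Timestamps carry no date; a negative delta (midnight) is skipped.
        if delta >= threshold:
            gaps.append((delta, prev["proc"], prev["msg"]))
    return sorted(gaps, key=lambda g: g[0], reverse=True)


if __name__ == "__main__":
    for delta, proc, msg in largest_gaps(parse(SAMPLE_LOG)):
        print(f"{delta} of silence after {proc}: {msg}")
```

A gap only shows that nothing was logged for that long; the process named is the last one that wrote before the silence, which is where to start looking, not proof of the cause.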
