Re: Recover EFS Files

From: "Steven L Umbach" <n9rou@attbi.com>
Date: Wed, 19 Feb 2003 01:47:41 GMT


Jason. I did think of one more thing. If you did not do this
already you might try unjoining from domain one more time. Then reboot
computer and check local security policy on that workstation to see if the
local administrator (not domain administrator) recovery certificate is
defined as the recovery agent under public key policies/encrypted file
system for the computer. If there is an administrator certificate there
examine it to make sure it is the correct one. If it is not there then you
will have to export from the certificate store as a .cer file and add it to
the policy. Possibly joining/unjoining the domain may have changed the
recovery agent policy on the local machine from what it originally was. ---
Steve

"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:cRA4a.153830$2H6.3082@sccrnsc04...
> I can't think of anything else right now. I think private keys are
> stored somewhere in user profile (not in a form recoverable AFAIK) and as
> long as the profiles were not overwritten then access should still be
> allowed. I also read that if a user's password is reset that they will lose
> access to EFS. I know XP warns about this when attempting to reset a
> password. If you figure it out please let us know. Good luck. --- Steve
>
> "Jason Olson" <jason@tj-myers.com> wrote in message
> news:i1l55vcdpt960vdfhl4vktjl5a32u4v2v2@4ax.com...
> > Thanks Steve, I forgot to mention that I've tried to log on as the
> > user and administrator (in BOTH local and domain accounts).
> >
> > You're correct about the local admin 'should' be able to decrypt the
> > information, but I think something must have gotten mucked up in the
> > change from workgroup -> domain. I also tried reversing back from
> > domain -> workgroup --- no effect.
> >
> > Any other ideas.
> >
> > On Wed, 19 Feb 2003 00:45:03 GMT, "Steven L Umbach" <n9rou@attbi.com>
> > wrote:
> >
> > > Is the user logging onto the local machine and not the domain?? Did
> > >you try to log on to the computer as local administrator and try to decrypt
> > >files?? The local administrator should have been the recovery agent for
> > >those files. --- Steve
> > >
> > >"Jason" <jason@hillside.orgq> wrote in message
> > >news:080901c2d7ae$861d1750$3301280a@phx.gbl...
> > >> Okay, here we go. The My Documents directory of a user was
> > >> encrypted while the Windows 2000 Pro box was a stand alone
> > >> system. Later, it was joined to a Windows 2000 Domain.
> > >> After that point, the files were no longer accessible.
> > >> Using efsinfo on one of the files, we find....
> > >>
> > >> c:\ efsinfo /c file.doc
> > >>
> > >> file.doc: Encrypted
> > >> Users who can decrypt:
> > >> ComputerName\UserName (OU=EFS File Encryption
> > >> Certificate, L=EFS, CN=UserName)
> > >> Certificate thumbprint: xxxx xxxx xxxx xxxx xxxx xxxx
> > >> xxxx xxxx xxxx A8CD
> > >>
> > >> then using....
> > >>
> > >> c:\efsinfo /y
> > >>
> > >> Your current EFS certificate thumbnail information on the
> > >> PC named ComputerName is:
> > >>
> > >> xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx A8CD
> > >>
> > >> SO, it appears that this user should be able to decrypt
> > >> the file, even the thumbnails match. However when
> > >> attempting to access the file, no good. Also when
> > >> attempting to change the properties from EFS, no good.
> > >>
> > >> Whatever help you can offer is greatly appreciated.
> > >>
> > >> Jason
> > >
> >
>
>
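
Added example, not part of the original thread: a Python parser for efsinfo listings like the one quoted above, used to check whether a certificate you hold (for instance the local Administrator's recovery certificate exported as a .cer) is one of those recorded on the file. The sample listing is constructed, its thumbprints are made up, and the "Recovery Agents:" heading and the function names are assumptions.

```python
import re
# Constructed sample in the layout of the efsinfo output quoted in the thread,
# wrapped as the news reader wrapped it. "Recovery Agents:" is an assumption.
SAMPLE = """\
file.doc: Encrypted
  Users who can decrypt:
    ComputerName\\UserName (OU=EFS File Encryption
    Certificate, L=EFS, CN=UserName)
    Certificate thumbprint: 1111 2222 3333 4444 5555 6666
    7777 8888 9999 A8CD
  Recovery Agents:
    ComputerName\\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
    Certificate thumbprint: AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
"""

SECTION = re.compile(r"^(Users who can decrypt|Recovery Agents):$")
THUMB = re.compile(r"^Certificate thumbprint:\s*(.*)$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f ]+$")
def normalize(thumbprint):  # strip spacing and case so thumbprints compare equal
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()

def parse_efsinfo(text):
    """Return one dict per certificate entry: role, principal, thumbprint."""
    entries, role, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        sec, thumb = SECTION.match(line), THUMB.match(line)
        if sec:
            role, cur = sec.group(1), None
        elif not line or role is None:
            continue  # blank line or the "file.doc: Encrypted" banner
        elif thumb:
            if cur is None:  # thumbprint with no subject line before it
                cur = {"role": role, "principal": "", "thumbprint": None}
                entries.append(cur)
            cur["thumbprint"] = normalize(thumb.group(1))
        elif cur and cur["thumbprint"] is None:
            cur["principal"] += " " + line  # subject wrapped onto a second line
        elif cur and len(cur["thumbprint"]) < 40 and HEX_ONLY.match(line):
            cur["thumbprint"] += normalize(line)  # SHA-1 thumbprint wrapped
        else:
            cur = {"role": role, "principal": line, "thumbprint": None}
            entries.append(cur)
    return entries

def holders(entries, available):
    """(role, account) for entries whose thumbprint is in `available`."""
    have = {normalize(t) for t in available}
    return [(e["role"], e["principal"].split(" (")[0])
            for e in entries if e["thumbprint"] in have]
```

An empty result from `holders` means none of the certificates you hold is stamped on the file, so adding that certificate to the recovery policy would not by itself open it.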


