Re: Cant decrypt w/admin acct
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/03/04
- Next message: Steven L Umbach: "Re: Windows 2000 Professional Group Security (Limit Scope)"
- Previous message: K: "Restrict Application access for my kid"
- In reply to: Dwayne: "Re: Cant decrypt w/admin acct"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 03 Mar 2004 16:00:30 GMT
Response inline.
"Dwayne" <anonymous@discussions.microsoft.com> wrote in message
news:5e3a01c400e8$f261e0d0$a401280a@phx.gbl...
>
> >-----Original Message-----
> >First off you need to rule out a permissions problem. I
> know you said you
> >have full access, but logon as the built in administrator
> account and make
> >sure you have explicit full controll to that folder as
> administrator and the
> >files themselves. If there is a file in that folder that
> you do not need,
> >try to deleted it as you can delete encrypted files with
> proper permissions
> >without being able to decrypt them which would indicate
> you have adequate
> >permissions. I think a user with full control should also
> be able to move
> >encrypted files on the same volume, but not copy them
> since copy requires
> >the file to be first decrypted.
> >
> >Have you reset [versus changed] your passwords, deleted
> or copied over your
> >profiles, or reinstalled the operating system?? Those
> will cause problems
> >with EFS. If you reset your password, try changing it
> back to what it was at
> >the time you encrypted the files. Resetting the password
> is a definite issue
> >in XP, but I am not sure about W2K with current service
> packs. By default
> >the recovery agent on a non domain machine is only the
> built in
> >administrator account - not just any account in the local
> administrators
> >group.
> >
> >Run mmc and select the certificate snapin for user and go
> to the
> >personal/certificates folder where you should see your
> EFS or recovery agent
> >certificate. On the general page look to see if it says
> you have the
> >corresponding private key for this certificate which is
> what is actually
> >used to decrypt the files. If the private key is
> available, go to the
> >details page to see the thumbprint and that it matches
> what efsinfo found
> >for your files. If all that checks out and you have not
> reset your password,
> >reinstalled the operating system, or deleted/copied over
> your profile, then
> >it may be possible that your EFS private keys have become
> corrupted
> >omehow. --- Steve
> >
> >
> >"Dwayne" <dhead97@aol.com> wrote in message
> >news:5a7801c4008c$1e0d0e10$a001280a@phx.gbl...
> >> Hello,
> >>
> >> Have no idea what happend. I have about 60 MSWord
> >> documents that at some point in time I applied the
> encrypt
> >> attribute to. Well I went to open one and it wont let
> me.
> >> I get the error that "User does not have access
> >> privledges." I did check to see I had access to it, and
> I
> >> show full priciledges. Heck I was the creator. Now I
> only
> >> have this account and the default admin account on this
> >> computer (Windows 2000 Professional as a standalone). I
> >> used this account to encypt them. I tried using the
> admin
> >> account since I read that it is the defualt Recovery
> >> Agent, but when I tried I get an error that simply
> >> says "Access Denied". I checked the certificates and
> they
> >> are valid and still in effect and the Recovery Agent
> Cert
> >> was still listed in the Trusted Certs folder in MMC.
> >>
> >> I also ran "efsinfo /r" on the folder and files and it
> >> says:
> >> Recovery Agents:
> >> Unknown (OU= EFS File Encryption Certificate, L=EFS,
> >> CN=Dwayne ******** (* =My last name)
> >>
> >> I Ran it with the /c option and got the following:
> >> Users Who Can Decrypt:
> >> Unknown (OU= EFS File Encryption Certificate, L=EFS,
> >> CN=Dwayne ******** (My last name)
> >> Certificate Thumbprint: FCD9 44C3 2B33 7650 07FC F5F7
> 6042
> >> 221A 1294 28C6
> >>
> >> OK does anyone know what the heck happened and how come
> I
> >> cant decrypt these files now or even with the Admin
> >> account??? I havent deleted any accounts or anything so
> >> there shouldnt have been any keys deleted or whatever.
> >> Trying to understand this the best that I can with what
> I
> >> have read today about how this works. I was under the
> >> impression I should be able to recover the files with
> the
> >> Admin account since it is supposed to be a default
> >> Recovery Agent. Well hope someone can help me out here.
> >> Hopefully I provided enough info here on what I have
> done
> >> so far. Thank you
> >>
> >> Dwayne
>
If you can delete the files then you seem to have proper permissions to the folder.
The certificate is a "key pair" in that the certificate is used to encrypt the files
and the associated private key is used to decrypt the files which is why it must also
be on the computer, so you are not missing anything but since the thumprints do not
match you are pretty much out of luck unfortuneately if the thumbprints for all the
files do not match your certificate. Be sure to try to use the built in administrator
account if you have not already as that account is the default recovery agent for a
W2K workgroup computer. Good luck. --- Steve
]>
> Thanks for the advice. I checked the folder like you said
> and yes I can delete any of the files but I cannot copy
> any of them outside of the folder. I also checked the
> certificates under local certificates and there was only
> one listed for my user name which was to allow encyption.
> I clicked details and no it doesnt match the thumbnail
> print from using efsinfo. But seeing as it was the only
> one listed, shouldnt there be one listed for decrypting
> also? I thought about the passwords, and since I am unsure
> exacly when I encrypted them, I have only ever used one
> password and no longer use it. I also tried that. Tried
> reusing the same password but it didnt help anything. I
> noticed one thing though.
>
> On the certificates page and details section the only cert
> I had for encrypting installes siad that it wasnt trusted
> becuase it wasnt also located in the trusted folder. So I
> copied it there and then it said it was trusted no back on
> the main details page, but that didnt help either. Well I
> dont know what else to do. LOL Guess I will have to retype
> all those word documents over again.
>
> I did go to the website of the previous poster to my
> original thread and downaloaded the program. I put in my
> user name and password I used to use and also the name
> without the password and also the admin name and password,
> then choose to find all encypted files. Well it did find
> them all. But then colored them pink and said that they
> couldnt be decrypted. LOL OK trying to find some humor.
> Well I wish I knew the lesson here, but I am unsure what
> went wrong since I have not changed anything on the sys
> except not using a password on this user account and the
> comp is in my home. I think basically I will never encypt
> again, and succumb to the fact that I am going to have to
> retype all 63 documents. :-(
> Dwayne
>
- Next message: Steven L Umbach: "Re: Windows 2000 Professional Group Security (Limit Scope)"
- Previous message: K: "Restrict Application access for my kid"
- In reply to: Dwayne: "Re: Cant decrypt w/admin acct"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
