Re: Cannot Decrypt Files
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/20/05
- Previous message: Steven L Umbach: "Re: Norton AntiVirus Version Number Deception?"
- In reply to: CJ: "RE: Cannot Decrypt Files"
- Next in thread: Roger Abell: "Re: Cannot Decrypt Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 20 Mar 2005 12:15:30 -0600
You can use ntbackup to back up and restore EFS files to another location. A
regular copy will not work. Then you have to make sure that the Recovery
Agent's certificate/private key is on the computer where the recovery is to
take place. It is not good enough to just log on as a domain administrator.
Not every domain administrator is a Recovery Agent - just the user specified
in the RA policy, which in many cases is the built-in administrator account
for the domain, and that certificate/private key is probably on the first
domain controller installed for the domain, which is often the PDC FSMO.
If you want to import the Recovery Agent certificate/private key to another
computer, it must first be exported to a password-protected .pfx file from a
computer where it exists, or imported from a backup of the .pfx file after
the Recovery Agent user account logs onto the computer. The links below may
help. You can disable EFS domain-wide or for a group of computers at the OU
level if you do not want domain computers to use EFS. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://support.microsoft.com/default.aspx?scid=kb;en-us;241201
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/encrypt_recovery_overview.htm
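Steve's point is that the account running cipher must actually hold a private key matching one of the user or recovery-agent thumbprints stored in the file's EFS metadata (the same thumbprints efsinfo reports). The PowerShell below is an added example, not from the original thread, that makes that check explicit before attempting decryption; it assumes a Windows XP/Server 2003 or later host where "cipher /c" is available, and the file path is a placeholder.

```powershell
# Added example (not from the original thread): confirm the logged-on account holds
# a private key matching a thumbprint listed on the encrypted file before running
# "cipher /d". "cipher /c" prints the user and recovery-agent thumbprints for a file.
param([string]$Path = 'D:\Users\example\secret.doc')   # placeholder path

# Thumbprints the file's EFS metadata names (data users and recovery agents),
# normalised to upper-case hex with the spacing cipher inserts removed.
$listed = cipher.exe /c $Path |
    Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
    Sort-Object -Unique

# Thumbprints in the current user's personal store that have a usable private key;
# a certificate without its private key cannot decrypt anything.
$held = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

$usable = $listed | Where-Object { $held -contains $_ }

if (-not $listed) {
    Write-Warning "No EFS thumbprints found for $Path (file not encrypted, or cipher /c not supported here)."
} elseif ($usable) {
    Write-Host "This account can decrypt $Path with key(s): $($usable -join ', ')"
    # cipher.exe /d $Path    # run the actual decryption once the check passes
} else {
    Write-Warning "This account holds none of the keys the file expects:"
    $listed | ForEach-Object { Write-Warning "  needed: $_" }
    Write-Warning "Import the matching recovery agent .pfx (Certificates MMC or certutil -importPFX) and retry."
}
```

The "Access is denied" described in the thread is exactly the case where the third branch fires: the account is a domain admin but holds none of the listed private keys.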
"CJ" <CJ@discussions.microsoft.com> wrote in message
news:C22CBCBA-67FA-4E27-8438-AD61DD4E0D04@microsoft.com...
> I would like to add that we used the efsinfo tool and found the users that
> encrypted the files and the certificate thumbprint numbers, but... it also
> says that it doesn't know which users can decrypt these files. And like I
> said, we've tried as domain admins. The users are no longer here and we are
> unsure where the particular system they used is now located (it's been
> several months since this user was terminated and the computers have all
> been moved around since then). What are our options?
>
> "CJ" wrote:
>
>> My tech group and I are rebuilding one of our site's servers. We've run
>> into a bit of a snag, though, in backing up user folders and information in
>> that some files and folders have been encrypted and will not copy to a
>> remote location. We are in the server as the domain admin, which is a
>> designated data recovery agent, necessary to decrypt EFS files and folders.
>> We ran cipher with the following:
>>
>> cipher /d /s:d:\ /a
>>
>> And still we were unable to decrypt the files. Each time, it ran for every
>> file and folder on the system, but when it came to the encrypted files, we
>> received the error "Access is denied."
>>
>> We are banging our heads against a wall this evening... we did NOT expect
>> this situation. Any help would be appreciated. TIA!