Re: Cannot Decrypt Files

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/20/05


Date: Sun, 20 Mar 2005 13:22:00 -0700

Also, I notice it has been said that Domain Admin accounts
have been tried, and at least the one of the first post is said
to be DRA. But notice, by default Domain Admin accounts
are not DRA, the initial Administrator account is. So, if the
others have been so designated, in order to use them as DRA
one must import the DRA cert/key, which may not have been
done.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"CJ" <CJ@discussions.microsoft.com> wrote in message
news:C22CBCBA-67FA-4E27-8438-AD61DD4E0D04@microsoft.com...
> I would like to add that we used the efsinfo tool and found the users that
> encrypted the files and the certificate thumbprint numbers, but... it also
> says that it doesn't know which users can decrypt these files.  And like I
> said, we've tried as domain admins.  The users are no longer here and we are
> unsure where the particular system they used is not located (it's been
> several months since this user was terminated and the computers have all been
> moved around since then).  What are our options?
>
> "CJ" wrote:
>
> > My tech group and I are rebuilding one of our site's servers.  We've run into
> > a bit of a snag, though, in backing up user folders and information in that
> > some files and folders have been encrypted and will not copy to a remote
> > location.  We are in the server as the domain admin which is a designated
> > data recovery agent, necessary to decrypt EFS files and folders.  We ran
> > cipher with the following:
> >
> > cipher /d /s:d:\ /a
> >
> > And still we were unable to decrypt the files.  Each time, it ran for every
> > file and folder on the system, but when it came to the encrypted files, we
> > received the error "Access is denied."
> >
> > We are banging our heads against a wall this evening... we did NOT expect
> > this situation.  Any help would be appreciated.  TIA!
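
An added example, not part of the original thread: one way to check the point made in the reply above, that the account being used actually holds a recovery certificate with its private key. The function name `Test-EfsRecoveryKey` and the thumbprint value are assumptions made for illustration; it assumes a system with PowerShell 3.0 or later, run as the account that will attempt the decryption.

```powershell
# Added example: does the current profile hold a usable EFS recovery (DRA) key?
# OID of the "File Recovery" enhanced key usage carried by EFS recovery agent certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-EfsRecoveryKey {
    param(
        # Recovery-certificate thumbprints reported for the encrypted file (e.g. by efsinfo).
        [string[]]$RecoveryThumbprint = @()
    )

    # Normalise "AB CD EF ..." style thumbprints to the store's "ABCDEF..." form.
    $wanted = $RecoveryThumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

    # Look only in the personal store of the logged-on account: being named as
    # DRA in policy is not enough, the private key has to be present here.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                MatchesFile   = $wanted -contains $_.Thumbprint
            }
        }
}

# Constructed placeholder thumbprint; substitute the value reported for the file.
$result = @(Test-EfsRecoveryKey -RecoveryThumbprint '0000000000000000000000000000000000000000')

if (-not ($result | Where-Object { $_.HasPrivateKey -and $_.MatchesFile })) {
    Write-Warning 'No recovery certificate with a private key matching this file in the current profile; import the DRA cert/key first.'
}
$result | Format-Table -AutoSize
```

An empty result, or a row with `HasPrivateKey` false, is consistent with the "Access is denied" error described in the first post even when the account is a designated DRA.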

