Re: EFS and transparent file sharing on XP pro

From: Jim (nobodyhome_at_antispam.tv)
Date: 04/29/05


Date: Fri, 29 Apr 2005 12:05:41 -0500


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:OyQzhiMTFHA.2548@TK2MSFTNGP14.phx.gbl...
> Don't forget about it unless you really want to, as there are only
> a couple of precautions you should take.
>
> So, this XP is not in a domain ? right?
> That seems implied from some of your post.
>
> This just happened, maybe yesterday, and out of the blue.
>
> Did you recently change the password of the account ?
> As the account is an admin it has two ways available to
> give it a different password. One, which is available to
> all accounts is to change it in the dialog that requires you
> to provide the old and new passwords. The other is the
> administrative reset of the password, which asks only for
> the new password.

Yes. The password was changed via "computer management."

>
> Using this last way will always break access to earlier
> EFS encrypted files of that account.

If I reset the PW back to the original, can I recover my files?

>
> After this happens, then the next attempt to encrypt a file
> will cause a new EFS certificate to be generated for that
> account.
>
> So, let us know if you did reset the password of the account
> and we can guide you back, or if you did not, then we can
> puzzle with you.

I'm game....

>
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Jim" <nobodyhome@antispam.tv> wrote in message
> news:OBTnamJTFHA.616@TK2MSFTNGP12.phx.gbl...
> > Pardon the cross posting, but I don't know which group this problem
> > belongs in....
> >
> > Yesterday, XP pro (for a reason I can't figure out yet) added a new
> > certificate for EFS for my userid. As a result, files encrypted AFTER
> > that period of time can be decrypted w/o problem. However, none of my
> > old files can. "access denied" is the message I get.
> >
> > When I view "properties" of an older file and click on "advanced," and
> > then "details," I see the thumbprint of the user who can transparently
> > access the file. However, when I try to add or remove/add the new
> > thumbprint (i.e., to "share access"), I get error code 5.
> >
> > Error code 5 (says MS KB article 308991) occurs when the person
> > attempting to share access is neither an administrator nor the person
> > who originally encrypted the file. Well, my account is both in the
> > administrator group AND is the account that encrypted the file.
> >
> > In addition, and I don't know if this is relevant, but when I select
> > "add" under the "Encryption Details" pane, a "Select User" pane opens up
> > with both my certificates listed. However, both certificates, when
> > opened up have a red "X" on the icon with the text: "This CA root
> > certificate is not trusted. To enable trust, install this certificate
> > in the trusted root certification authorities store." Is this related
> > to my problem or is this a domain only thing?
> >
> > My bottom line: I am looking for any ideas on how to add transparent
> > access so I can decrypt the files and get them OUT of EFS.
> >
> > Would using "system restore" work, stepping back to the
> > day-before-yesterday?
> >
> > After this, believe me, I intend to "forgeddaboutit" as far as EFS is
> > concerned. What a pain!
> >
> > Thanks in advance....
> >
> > Regards,
> > Jim
> >
> >
>
>


