Re: EFS and transparent file sharing on XP pro
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/29/05
Date: Fri, 29 Apr 2005 10:20:53 -0700
First, get any files encrypted with the current EFS cert back
in the clear, unencrypted form.
You may then need to use the certificates mmc snapin to
remove the new, soon no longer needed certificate, so, with
all files in the clear, export the certificate and private key to
a .pfx file (safely tucked away in case you forgot to decrypt
some file) and then remove it.
Do not do any EFS operations until . . .
Then, use the same interface to reset the password back to
what it was.
If you are back in business, then
Use the Certificates interface to export (but not remove)
the now active EFS cert and private key.
Keep this not on the system but on some non-degrading
external storage (CD). If you had had one of these we
could have fixed you up directly with it.
Do not forget the password of the .pfx file !!
Next, use the User Accounts interface in control panel to
create a Password recovery floppy for the account.
In the future, in a non-domain environment always _change_
the password, never _reset_ a password unless there is no
alternative. If you must reset a password, then importing
the previously saved EFS cert and key will be needed, as
well as cleaning out other certs that either are then "junk"
or new and potentially in the way.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Jim" <nobodyhome@antispam.tv> wrote in message
news:OrJKu2NTFHA.2560@TK2MSFTNGP09.phx.gbl...
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:OyQzhiMTFHA.2548@TK2MSFTNGP14.phx.gbl...
> > Don't forget about it unless you really want to, as there are only
> > a couple of precautions you should take.
> >
> > So, this XP is not in a domain ? right?
> > That seems implied from some of your post.
> >
> > This just happened, maybe yesterday, and out of the blue.
> >
> > Did you recently change the password of the account ?
> > As the account is an admin it has two ways available to
> > give it a different password. One, which is available to
> > all accounts is to change it in the dialog that requires you
> > to provide the old and new passwords. The other is the
> > administrative reset of the password, which asks only for
> > the new password.
>
> Yes. The password was changed via "computer management."
>
> >
> > Using this last way will always break access to earlier
> > EFS encrypted files of that account.
>
> If I reset the PW back to the original, can I recover my files?
>
> >
> > After this happens, then the next attempt to encrypt a file
> > will cause a new EFS certificate to be generated for that
> > account.
> >
> > So, let us know if you did reset the password of the account
> > and we can guide you back, or if you did not, then we can
> > puzzle with you.
>
> I'm game....
>
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Jim" <nobodyhome@antispam.tv> wrote in message
> > news:OBTnamJTFHA.616@TK2MSFTNGP12.phx.gbl...
> > > Pardon the cross posting, but I don't know which group this problem
> > > belongs in....
> > >
> > > Yesterday, XP pro (for a reason I can't figure out yet) added a new
> > > certificate for EFS for my userid. As a result, files encrypted AFTER
> > > that period of time can be decrypted w/o problem. However, none of my
> > > old files can. "access denied" is the message I get.
> > >
> > > When I view "properties" of an older file and click on "advanced," and
> > > then "details," I see the thumbprint of the user who can transparently
> > > access the file. However, when I try to add or remove/add the new
> > > thumbprint (ie., to "share access"), I get error code 5.
> > >
> > > Error code 5 (says MS KB article 308991) occurs when the person
> > > attempting to share access is neither an administrator nor the person
> > > who originally encrypted the file. Well, my account is both in the
> > > administrator group AND is the account that encrypted the file.
> > >
> > > In addition, and I don't know if this is relevant, but when I select
> > > "add" under the "Encryption Details" pane, a "Select User" pane opens
> > > up with both my certificates listed. However, both certificates, when
> > > opened up have a red "X" on the icon with the text: "This CA root
> > > certificate is not trusted. To enable trust, install this certificate
> > > in the trusted root certification authorities store." Is this related
> > > to my problem or is this a domain only thing?
> > >
> > > My bottom line: I am looking for any ideas on how to add transparent
> > > access so I can decrypt the files and get them OUT of EFS.
> > >
> > > Would using "system restore" work, stepping back to the
> > > day-before-yesterday?
> > >
> > > After this, believe me, I intend to "forgeddaboutit" as far as EFS is
> > > concerned. What a pain!
> > >
> > > Thanks in advance....
> > >
> > > Regards,
> > > Jim
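An added example, not part of the thread: a simplified Python model of why a password change keeps the EFS key usable while an administrative reset does not, and why resetting back to the earlier password restores access. It assumes only that the EFS private key is sealed under a secret derived from the logon password; the `Account` class, the toy wrap and all names are hypothetical and are not the algorithms Windows uses.

```python
import hashlib, hmac, os

def kek(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def wrap(k, secret):
    # Toy authenticated wrap for a 32-byte secret: HMAC-derived pad plus tag.
    pad = hmac.new(k, b"pad", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return ct + hmac.new(k, b"tag" + ct, hashlib.sha256).digest()

def unwrap(k, blob):
    # None when k is not the key the blob was sealed under (tag mismatch).
    ct, tag = blob[:32], blob[32:]
    ok = hmac.compare_digest(tag, hmac.new(k, b"tag" + ct, hashlib.sha256).digest())
    return wrap(k, ct)[:32] if ok else None  # the XOR pad is its own inverse

class Account:
    def __init__(self, password, efs_key):
        self.salt = os.urandom(16)
        self.logon = kek("logon:" + password, self.salt)     # logon verifier
        self.blob = wrap(kek(password, self.salt), efs_key)  # sealed EFS private key

    def change_password(self, old, new):
        # Old password is supplied, so the sealed key can be opened and re-sealed.
        key = unwrap(kek(old, self.salt), self.blob)
        if key is None:
            raise PermissionError("old password does not open the key store")
        self.logon = kek("logon:" + new, self.salt)
        self.blob = wrap(kek(new, self.salt), key)

    def reset_password(self, new):
        # Administrative reset: only the new password is known, the blob cannot follow.
        self.logon = kek("logon:" + new, self.salt)

    def open_efs_key(self, password):
        if not hmac.compare_digest(self.logon, kek("logon:" + password, self.salt)):
            return None  # logon failed
        return unwrap(kek(password, self.salt), self.blob)

def scenario():
    key = os.urandom(32)  # constructed stand-in for the EFS private key
    acct = Account("old-pw", key)
    acct.change_password("old-pw", "mid-pw")
    after_change = acct.open_efs_key("mid-pw") == key
    acct.reset_password("new-pw")
    after_reset = acct.open_efs_key("new-pw") == key
    acct.reset_password("mid-pw")  # reset back to what it was
    after_reset_back = acct.open_efs_key("mid-pw") == key
    return after_change, after_reset, after_reset_back
```

`scenario()` returns one flag per step: access after a change, after a reset, and after resetting back to the password the key was last sealed under.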