Re: EFS and transparent file sharing on XP pro

From: Jim (nobodyhome_at_antispam.tv)
Date: 04/29/05


Date: Fri, 29 Apr 2005 12:18:17 -0500


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23muiVdMTFHA.3540@TK2MSFTNGP10.phx.gbl...
> Use the mmc [mmc in run box] snapin for certificates for user to view your
> personal certificates under the personal/certificates folder. See if you
> have certificates for EFS and the first page of certificate properties must
> show "you have a private key that corresponds to this certificate".

Yes.

And "details" pane shows the key, which appears to be "good."

> It almost sounds like your original EFS certificate/private key has been
> deleted or severely corrupted. If the operating system was reinstalled then
> very possibly the original certificate/private key has been deleted.

A long time ago, the operating system was rebuilt after a HD failure. But
I've been encrypting and decrypting old and new files since then.

> EFS best practices are that users must export their certificate and private
> key to a password protected .pfx file or loss of data can be permanent.
> Efsinfo can also be used to find more information about any EFS files and
> the existence of a Recovery Agent which may be possible particularly if you
> are in an Active Directory domain. --- Steve

This computer is in a workgroup and not a domain.

"efsinfo" shows that my account can decrypt.

And (as noted) in my reply to Roger (Message-ID:
<OyQzhiMTFHA.2548@TK2MSFTNGP14.phx.gbl>), I did change my account password
at or after the time I encrypted the most recent file (per timestamp) that I
cannot access. "New" files decrypt fine.

>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243026
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
>
> "Jim" <nobodyhome@antispam.tv> wrote in message
> news:OBTnamJTFHA.616@TK2MSFTNGP12.phx.gbl...
> > Pardon the cross posting, but I don't know which group this problem
> > belongs
> > in....
> >
> > Yesterday, XP pro (for a reason I can't figure out yet) added a new
> > certificate for EFS for my userid. As a result, files encrypted AFTER
> > that period of time can be decrypted w/o problem. However, none of my old
> > files can. "access denied" is the message I get.
> >
> > When I view "properties" of an older file and click on "advanced," and
> > then "details," I see the thumbprint of the user who can transparently
> > access the file. However, when I try to add or remove/add the new
> > thumbprint (ie., to "share access"), I get error code 5.
> >
> > Error code 5 (says MS KB article 308991) occurs when the person
> > attempting to share access is neither an administrator nor the person who
> > originally encrypted the file. Well, my account is both in the
> > administrator group AND is the account that encrypted the file.
> >
> > In addition, and I don't know if this is relevant, but when I select
> > "add" under the "Encryption Details" pane, a "Select User" pane opens up
> > with both my certificates listed. However, both certificates, when opened
> > up, have a red "X" on the icon with the text: "This CA root certificate is
> > not trusted. To enable trust, install this certificate in the trusted root
> > certification authorities store." Is this related to my problem or is
> > this a domain only thing?
> >
> > My bottom line: I am looking for any ideas on how to add transparent
> > access so I can decrypt the files and get them OUT of EFS.
> >
> > Would using "system restore" work, stepping back to the
> > day-before-yesterday?
> >
> > After this, believe me, I intend to "forgeddaboutit" as far as EFS is
> > concerned. What a pain!
> >
> > Thanks in advance....
> >
> > Regards,
> > Jim
> >
> >
>
>

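The checks discussed in this thread (which EFS certificates the user holds, whether a private key is attached, which thumbprint is recorded on the file, sharing access to a second certificate, and exporting the key to a password-protected .pfx) can all be done from the command line. The script below is an added example and not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later, where cipher.exe has the /c and /adduser switches and the PKI module supplies Export-PfxCertificate (an XP host would use efsinfo.exe and the Certificates MMC instead). The file and backup paths are hypothetical placeholders. The "certificate present but no private key" branch is the pattern Jim describes: an EFS certificate still in the store whose key can no longer be used, most commonly after a local account's password was reset by an administrator rather than changed by the user, which leaves the DPAPI master key protecting the old private key unrecoverable without the old password.

```powershell
# Added example, not from the thread. Assumes Windows 8+/Server 2012+ with
# cipher.exe (/c, /adduser) and the PKI module (Export-PfxCertificate).
param(
    [string]$Path    = "$env:USERPROFILE\Documents\secret.txt",  # hypothetical EFS file
    [string]$PfxPath = "$env:USERPROFILE\efs-backup.pfx"         # hypothetical backup target
)

# 1. EFS certificates in the current user's personal store, with key status.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$mine = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid }

foreach ($c in $mine) {
    '{0}  private key: {1}  valid to {2}' -f $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter
}

# 2. Thumbprints recorded in the EFS metadata of $Path ("Users who can decrypt").
#    cipher /c prints lines of the form "    Certificate thumbprint: 1A2B 3C4D ...".
$onFile = cipher.exe /c $Path | ForEach-Object {
    if ($_ -match 'thumbprint:\s*([0-9A-F ]+)$') {
        ($Matches[1] -replace ' ', '').ToUpper()
    }
}

# 3. Cross-check: the file opens only if one of its thumbprints is in this
#    user's store with a usable private key. A certificate without a key
#    (the thread's symptom) cannot decrypt, however good it looks in the MMC.
$usable = $mine | Where-Object HasPrivateKey | ForEach-Object Thumbprint
foreach ($t in $onFile) {
    if ($usable -contains $t)                 { "$t : key present, file should open" }
    elseif ($mine.Thumbprint -contains $t)    { "$t : certificate present but no private key" }
    else                                      { "$t : not in this user's store" }
}

# 4. Share access with the newest usable certificate while a working key is
#    still on the file. This needs the FEK decrypted first, so it fails with
#    access denied (error 5) on a file the user can no longer open.
$newest = $mine | Where-Object HasPrivateKey | Sort-Object NotBefore | Select-Object -Last 1
if ($newest -and ($onFile -notcontains $newest.Thumbprint)) {
    cipher.exe /adduser /certhash:$($newest.Thumbprint) $Path
}

# 5. Back up certificate and private key to a password-protected PFX, the
#    best practice Steve refers to. Prompt for the password; never hard-code it.
if ($newest) {
    $pw = Read-Host -AsSecureString 'PFX password'
    Export-PfxCertificate -Cert $newest -FilePath $PfxPath -Password $pw | Out-Null
    "exported $($newest.Thumbprint) to $PfxPath"
}
```

Run it as the user who encrypted the file, not from an elevated prompt under a different account: EFS keys live in the per-user store and DPAPI profile, so an administrator's own key is irrelevant unless it is also the configured recovery agent. Keep the exported .pfx off the machine it protects, and test that it imports and decrypts on another profile before relying on it.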

