Re: Encrypted Files
From: Robert Gu [MS] (robertg@online.microsoft.com)
Date: 09/16/02
- Next message: Chad Graves: "Username Locked out Contact Administrator"
- Previous message: Allan C: "Restrict Limited users from Adding Software"
- In reply to: Dan W: "Re: Encrypted Files"
- Next in thread: Torgeir Bakken: "Re: Encrypted Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Robert Gu [MS]" <robertg@online.microsoft.com> Date: Mon, 16 Sep 2002 13:50:59 -0700
Is your account a local account? If yes, there is a bug in DPAPI in XP. If
you changed the password when the password expired and in the prompt during
logon, your DPAPI keys could be hosed. There is a QFE for that. It was also
fixed in XP SP1.

If you changed the password by reset (not the normal change password
dialog), you will lose the DPAPI key by design for standalone machine.

If the machine is a domain member and the user account is also a domain
member, the DC is Win2K+, you should not lose access by password changing.

Whatever happened, if you have exported your certificate+keys like I said
below, you can always get back the access.

--
This posting is provided "AS IS" with no warranties, and confers no rights.

Robert Gu [MS Security Developer]

"Dan W" <dawoodward@software.rockwell.com> wrote in message
news:013701c25db8$edcff630$2ae2c90a@phx.gbl...
> What if you are the user who encrypted the files, you
> haven't reinstalled the OS, and you're still told that
> you don't have rights?
>
> My problem is somewhat different, but I cannot access the
> encrypted files I encrypted myself. It appears to be me
> in the details as to who did the encryption.
>
> The only thing I can think of is that I changed my
> password recently according to company policy.
>
> Also note, I tried the cipher /u and receive access is
> denied for every item.
>
> Dan
>
> >-----Original Message-----
> >The following is a post I made a couple of days ago. You can find your
> >answer in it.
> >
> >To update the meta data (EFS certificates and recovery certificates on the
> >files), all you need is OPEN and CLOSE the file. A CMD tool CIPHER can help
> >you on this.
> >
> >START RUN->CMD
> >
> >You get a CMD window. In that window, type "cipher /u" and RETURN. It will
> >update all the EFS files on your local drives. "CIPHER /U /N" will just show
> >you all the EFS files you have locally on your computer.
> >
> >To see what certificate is used on the files, use
> >explorer->Properties->Advanced->Detail in XP, it will show you the
> >certificate thumbnail, which is used to encrypt the file you brought up the
> >property page.
> >
> >If only one user uses EFS on the computer, there is no reason to set up
> >recovery policy. You would better export the certificate and its private key
> >into a PFX file. You don't need to understand recovery policy if only one
> >user is involved. That is why we removed the default recovery policy in XP
> >for standalone computer. You can use MMC certificate page to export the
> >certificate and the key. To see how to do this, you can use online help.
> >Search EFS.
> >
> >Make sure you export the right certificate in your personal store using the
> >thumbnail shown in the Detail page above. You can also get a CMD tool
> >EFSINFO.EXE from RESKIT.
> >
> >efsinfo /u /r /c FILEPATH will display the certificates used to encrypt the
> >files.
> >
> >efsinfo /y will display your current EFS certificate. (another way to know
> >what your EFS certificate is.)
> >
> >For the people who want to know if the recovery policy is set right, the
> >above command line (efsinfo /u /r /c) will show the recovery agent
> >certificate. The above DETAIL page will also show the recovery agent
> >certificate. If the recovery certificate is what you have set, you are on
> >the right track.
> >
> >To get a recovery cert, you can use "cipher /r"
> >
> >There will be a better way to do EFS certificate backup in the coming
> >Windows .NET server build. Both CMD (cipher /x ) and in the DETAIL page.
> >
> >More key back features will be available in the future builds.
> >
> >--
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >Robert Gu [MS Security Developer]
> >"Mike" <mchjr01@hotmail.com> wrote in message
> >news:000701c25dab$f6207bf0$37ef2ecf@TKMSFTNGXA13...
> >> I reformatted my C drive and reinstalled XP Pro. All my
> >> data files are on a different partition of my HD so I
> >> don't need to back them up. However, I forgot to decrypt
> >> my files and now I get an access denied message when I
> >> try to open the files. I did some research on how to
> >> correct the problem and the only way is to be a recovery
> >> agent.
> >>
> >> I am not on a network and I use this computer at home. Is
> >> there an easier way to correct this problem without going
> >> through the hassle of becoming a recovery agent?
> >>
> >> Thanks for the help.
> >>
> >> Mike
> >
> >.
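
The export step described in the quoted post (match the certificate in the personal store against the thumbprint shown on the file's Details page, then save it with its private key to a PFX) can be scripted as below. This is an added example, not part of the original thread or any Microsoft tool; it assumes a current Windows with the PowerShell PKI module rather than the XP-era tools named above, and the parameter names and default output path are hypothetical.

```powershell
# Added example, not from the thread. Parameter names and the default path are hypothetical.
param(
    [Parameter(Mandatory)] [string] $FileThumbprint,        # value shown on the file's Details page
    [string] $PfxPath = "$env:USERPROFILE\efs-backup.pfx"   # placeholder output path
)

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

# The Details page shows the thumbprint with spaces; keep hex digits only.
$wanted = ($FileThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# True when the certificate carries an EKU extension that lists the EFS usage.
function Test-EfsCertificate($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            return ($oids -contains $EfsOid)
        }
    }
    return $false
}

$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })
$match = $efsCerts | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1

if (-not $match) {
    # Exporting some other EFS certificate would not help with this file.
    Write-Warning "No EFS certificate in the personal store matches $wanted. Candidates:"
    $efsCerts | Format-Table Thumbprint, NotAfter, HasPrivateKey, Subject
    return
}
if (-not $match.HasPrivateKey) {
    Write-Warning 'Certificate found, but its private key is not in this profile; a PFX of it would not restore access.'
    return
}

$password = Read-Host -AsSecureString 'Password to protect the PFX'
Export-PfxCertificate -Cert $match -FilePath $PfxPath -Password $password | Out-Null
Write-Output "Exported $($match.Thumbprint) to $PfxPath. Keep a copy off this machine."
```

Run it before a password reset or OS reinstall; the `HasPrivateKey` check reports the case where the certificate is still listed but its key is no longer usable from the profile.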