Re: File Encryption Help Needed

From: Robert Gu [MS] (robertg@online.microsoft.com)
Date: 09/20/02


From: "Robert Gu [MS]" <robertg@online.microsoft.com>
Date: Fri, 20 Sep 2002 10:37:23 -0700

The machine's previous domain has no AD, which means NT4 server, right? If
that is the case, the XP client would have no recovery agent. You can check
this with EFSINFO /r /c. Or you can look at the file in
Property->Advanced->Details.

If you have no recovery agent and no keys exported earlier, the only way to
get back your files is to log on as the old account, assuming that DC is still
alive.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Robert Gu [MS Security Developer]
"Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
news:edJt9oHYCHA.1912@tkmsftngp09...
> Let us be sure this is about encryption, not just files being
> made private (with NTFS permissions).
> If encrypted, the only way to decrypt is with the account
> that did the encrypting (or a recovery agent, but you say
> you did not have one defined).
> Normally, in a domain environment some protection is
> offered from the domain level.  But you say they just did
> an upgrade to W2k, so that must mean the old account was
> in an NT4 domain, and that offers no help for decryption
> as NT4 predates EFS.
>
> If you can get the machine rejoined to the old domain so
> that you can log in with the old domain account then you
> should be able to get at the encrypted files.
>
> --
> Roger Abell
> MS MVP (Security, Windows), MCDBA,  MCSE both
> Associate Expert - Windows XP ExpertZone
> http://www.microsoft.com/windowsxp/expertzone
>
> "Luke Ribich" <lukeribich@hotmail.com> wrote in message
> news:3d7101c26053$a51abc20$3bef2ecf@TKMSFTNGXA10...
> > Hey Everybody,
> >
> > OK, check this out.  I encrypted to MY documents folder
> > on my WinXP Pro Laptop.  My work recently changed my
> > domain to an active directory so I had to set up a new user
> > account for that domain on my laptop.  I migrated all my
> > files, settings etc. over to the new user account;
> > however, none - and I mean none - of my previously
> > encrypted files are accessible.  I have tried to undo the
> > process and either I am missing something or the process
> > doesn't work.
> >
> > I did not have a Decryption user identified and I think I
> > am up a creek.  If there is anyone who can tell me what
> > to do or where I need to go to get my files decrypted
> > please let me know.  I think my career depends on it!
> >
> > Kind regards,
> >
> > Luke
>
>

