Re: No access to encrypted files after Password change

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 01/25/03 

From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Sat, 25 Jan 2003 09:36:38 -0700

"Howard" <hheller@cfl.rr.com> wrote in message
news:0a7301c2c48c$cd5c9ee0$d5f82ecf@TK2MSFTNGXA12...
> I have certain folders that are encrypted. When I
> changed my password, I lost access to my files.

Yes. That is expected when the pwd is reset rather than changed.
You will find this documented, and also find the password recovery
disk capability provided as a safety net.

> Also,
> scheduled tasks that used to work would not run because
> the password changed.

Expected behavior.

> I changed my password back to what
> it used to be and everything was fine.

Yep.

>I assume that if
> I decrypt all the folders, and then change my password
> and re-encrypt the folders, all should be OK.
>

Well, one could do that but instead just change the
password rather than resetting it.
Change requires that you be logged in as the account
and that you use the change pwd link available to any
account. Reset can only be done by admin accounts
(which also have a change option for their own account).
Reset does not require knowledge of the old pwd and
does not retain access to EFS encrypted files as the
ability for the account to access the needed key storage
is broken. I thought there was always a warning when
one uses pwd reset.

>My
> question is, what is the recommended way of handling
> encrypted files?

A recommendation:

Export your EFS cert and key, and save it securely off the system.
Make and use password recovery disk.
Do the above for each account.
Define a DRA.
Export the DRA's EFS cert and key, and remove the key from the
system. Store this and the DRA's password recovery disk safely.

> Microsoft says that once you encrypt
> them, everything is "transparent".

It functions transparently.

> Obviously, if I have
> to go through what I just described, it is not
> very "transparent".

The precautions are documented. One needs to
seek out and read these. MS erred in believing
everyone will do that. Most do/will not. The way
one gets warned to "do the right thing" is being
changed.

> Any suggestions?

As about initially but read the docs

Relevant Pages

  • Re: No access to encrypted files after Password change
    ... That is expected when the pwd is reset rather than ... >Change requires that you be logged in as the account ... >> Microsoft says that once you encrypt ...
    (microsoft.public.windowsxp.security_admin)
  • Re: News Server Wont Connect After Windows Update
    ... To Reset each newsgroup, right-click on the group in Folders pane> ... Resetting the server would involve deleting the Corel account, closing OE and then configuring the account anew. ... Disable Background Compacting and frequently perform a manual compact of all OE folders while "working offline". ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: Forgot Sys Admin Password
    ... 'How can I gain access to a Windows NT/2000/XP/2003 computer if I forgot the administrator's password? ... How can I reset the administrator's password if I forgot it?' ... Is there any way i can get into my account without formatting the ... HDD or erasing any of my folders? ...
    (microsoft.public.windowsxp.general)
  • Re: About email accounts, email folders and backups via activesync on WM6.1
    ... I am totally new to pocketpc's and activesync and I did some reading ... I managed to sync outlook from the laptop to the ... So I assume I have to set up an email account to be able ... outbox, trash, and all other folders that can only be synced with my ...
    (microsoft.public.pocketpc)
  • Re: PC folder has stopped sharing over network!
    ... So following Jim's principle I've just tried creating a new user account on the PC - "Kids2", and enabled sharing on its component folders. ... There is a security tab that lists the access permissions and you can add to these to "open" the account in any way you wish. ... I've just been in to the security tab, and the access permissions for both kids and administrator are set to "Full Control". ... I browsed around all the tabs, and can't see any differences at all between the settings for kids and administrator. ...
    (uk.comp.misc)