RE: Reset of local user password deleted compressed folders
From: Jack Wang [MS] (jackwa@online.microsoft.com)
Date: 01/28/03
- Next message: Jack Wang [MS]: "RE: Mapping shared folders problems"
- Previous message: Bruce Chambers: "Re: Is this security alert for real?"
- In reply to: Ian Finnimore: "Reset of local user password deleted compressed folders"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: jackwa@online.microsoft.com (Jack Wang [MS]) Date: Tue, 28 Jan 2003 03:29:10 GMT
Hi Ian,
After you reset the password of an account on a Windows XP-based computer
that is joined to a workgroup, you may lose access to the user's:
- Web page credentials.
- File share credentials.
- EFS-encrypted files.
- Certificates with private keys (SIGNED/ENCRYPTed e-mail).
You may refer to the following articles.
290260 EFS, Credentials, and Private Keys from Certificates Are Unavailable
http://support.microsoft.com/?id=290260
Also, I suggest you search the hard disk to confirm whether the files are deleted. Then,
please store some useless documents in the My Documents folder and check if you
could reproduce the issue.
=============================================================
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows XP Professional
- Microsoft Windows XP Home Edition
-------------------------------------------------------------------------------
SYMPTOMS
========
After you reset the password of an account on a Windows XP-based computer
that is joined to a workgroup, you may lose access to the user's:
- Web page credentials.
- File share credentials.
- EFS-encrypted files.
- Certificates with private keys (SIGNED/ENCRYPTed e-mail).
CAUSE
=====
This issue can occur if the password was forcefully reset by an administrator or
owner, instead of being changed by the user.
RESOLUTION
==========
NOTE: For any of the following resolutions to work, the user's original account
must still exist, and the user's profile must be present and unchanged since the
user last had access to the data.
To recover all of the data, you must have one of the following:
- The original password. This is the password with which the user last
logged on successfully and was able to access their credentials and
files.
- Password Recovery Disk (PRD). This password recovery disk must have
been created while the user had access to the files.
To Completely Recover By Using the Original Password
----------------------------------------------------
1. Log on to the computer as the user with the current password.
2. Click Start, and then click Control Panel.
3. In Control Panel, click "User Accounts".
4. Click your user name.
5. Click Change my password.
6. Follow the instructions to change the password back to your original
password.
7. Restart your computer.
To Completely Recover By Using the Password Recovery Disk
---------------------------------------------------------
1. If you are logged on, log off of the computer.
2. Attempt to log on as the user, and deliberately type an incorrect
password.
3. Click "use your password reset disk".
4. Follow the instructions in the wizard.
5. Log on, and note that you have access to your files.
Recovering Access to Encrypted EFS Data
---------------------------------------
If you have encrypted some of your files by using the Encrypting File System
(EFS), you have additional options to recover access to those encrypted files. The
following provisions apply only to EFS encrypted files, and will not recover access
to saved credentials or certificates.
If you have previously exported the user's EFS private key from the user's
account, you may import the key back into the account and recover access to the
encrypted files.
If you did not export the private key and you have defined a Data Recovery Agent
(DRA) prior to encrypting the files, you may regain access to EFS files as the Data
Recovery Agent.
For additional information about how to recover data in this case, click the article
number below to view the article in the Microsoft Knowledge Base:
KBLink:255742.KB.EN-US: Methods for Recovering Encrypted Data Files
If you do not have the required items or information specified for the preceding
recovery solutions, the data is permanently encrypted, and cannot be recovered.
STATUS
======
This behavior is by design.
MORE INFORMATION
================
The behavior that is described in this article is a security measure taken to protect
the security of the user's private information. A malicious administrator that can
reset a user's password and thereby gain access to the user's account cannot
access encrypted files or authentication materials without the user's knowledge or
permissions.
Before being allowed to reset a password, an administrator or owner of the
computer is prompted with the following messages:
- Resetting this password might cause irreversible loss of information for
this user account. For security reasons, Windows protects certain information by
making it impossible to access if the user's password is reset.
The data loss will occur the next time the user logs off.
You should use this command only if a user has forgotten his or her
password and does not have a password reset disk. If this user has created a
password reset disk, then he or she should use that disk to set the password.
If the user knows the password and wants to change it, he or she should
log in, then use the User Accounts in Control Panel to change the password.
- You are Resetting the password for <user name>. If you do this, <user
name> will lose all EFS-encrypted files, personal certificate, and stored passwords
for Web sites or network resources.
To avoid losing data in the future, ask user2 to make a password reset
floppy disk.
To avoid data loss because of a password reset in the future, create a password
recovery disk to reset the password and have users change their own password
while logged in.
To create a password recovery disk:
1. Click Start, and then click Control Panel.
2. Click "User Accounts".
3. Click your user name.
4. Click "Prevent a forgotten password", and then follow the
instructions in the wizard.
5. Store the disk in a safe location.
NOTE: The "Prevent a forgotten password" button and the password recovery disk
functionality are not available on computers that are joined to a domain.
EFS Related Information
-----------------------
KBLink:241201.KB.EN-US: HOW TO: Back Up Your Encrypting File System
Private Key in Windows 2000
KBLink:242296.KB.EN-US: How to Restore an EFS Private Key for Encrypted
Data Recovery
Have a nice day!
Sincerely,
Jack Wang
Microsoft Online Support Professional
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|Reply-To: "Ian Finnimore" <finnimorei@ally.com>
|From: "Ian Finnimore" <finnimorei@ally.com>
|Subject: Reset of local user password deleted compressed folders
|Date: Mon, 27 Jan 2003 10:50:17 -0800
|Organization: Bally Gaming Systems
|Message-ID: <eR3oiTjxCHA.2660@TK2MSFTNGP09>
|Newsgroups: microsoft.public.windowsxp.security_admin
|
|I have just experienced a catastrophic issue with changing a local user's
|password. I had two accounts on my machine, a Domain User Account and a
|Local User account. Both accounts shared a common "My Documents" folder,
|which was compressed but not encrypted.
|
|When I travel, I will typically use the domain user account logon with the
|cached information. However, I needed to log in as the local user. I had
|forgotten the password on the account and used the Domain user to reset the
|local user's password. The warning messages for the deletion of encrypted
|files, stored passwords, and encrypted E-mail did not worry me and I
|proceeded to reset the password.
|
|Upon logout of the domain user, and login with the local user, I found that
|the entire My Documents folder tree had been deleted. I immediately logged
|back in as the domain user and, yep, the My documents folder was gone there
|as well.
|
|This behavior was totally unexpected, and needless to say, catastrophic.
|Does anyone know if this really is the expected behavior and I just missed
|it in the documentation?
|
|Thanks
|
|Ian Finnimore
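The KB text above turns on one distinction: an administrative password reset (no old password supplied) orphans everything protected by the user's DPAPI master key, while a password change authenticated with the old password re-protects that key and keeps EFS files, certificates and saved credentials usable. The script below is an added example, not code from the thread or from Microsoft's article; it shows the two operations side by side through the ADSI WinNT provider (IADsUser::ChangePassword versus IADsUser::SetPassword), plus the two checks a practitioner would want before a reset: enumerating EFS-encrypted files in the profile and exporting the EFS certificate with its private key. It assumes a local (workgroup) account, an elevated PowerShell on the affected machine, and Export-PfxCertificate (Windows 8 / PowerShell 3 or later) for the backup; $UserName, $BackupDir and the password parameters are placeholders.

```powershell
<#
  Added example (not from the original thread or the KB article).
  Reset vs. change of a local account password, and the EFS checks that
  belong before a reset. Assumes a workgroup machine, elevated PowerShell,
  PowerShell 3+ for Export-PfxCertificate. $UserName / $BackupDir are placeholders.
#>
param(
    [string]$UserName  = 'localuser',       # placeholder account name
    [string]$BackupDir = 'D:\efs-backup'    # placeholder, e.g. a removable disk
)

# 1. Before touching the password: which files in the profile carry the
#    Encrypted attribute? These are exactly what a reset makes unreadable.
function Get-EncryptedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

# 2. Back up the EFS certificate and private key. Must run IN the user's own
#    session: the private key is DPAPI-protected, so only that user can export it.
function Backup-EfsKey {
    param([string]$OutDir, [securestring]$PfxPassword)
    $efsEku = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU OID
    $certs = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) }
    if (-not $certs) { Write-Warning 'No EFS certificate with a private key in this profile'; return }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($c in $certs) {
        $file = Join-Path $OutDir ("efs-" + $c.Thumbprint + ".pfx")
        Export-PfxCertificate -Cert $c -FilePath $file -Password $PfxPassword | Out-Null
        Write-Host "Exported $($c.Subject) to $file"
    }
}

# 3a. The SAFE operation: a change authenticated with the old password.
#     Windows re-encrypts the DPAPI master key under the new password, so the
#     EFS key, personal certificates and stored credentials survive.
function Set-LocalPasswordByChange {
    param([string]$Name, [string]$Old, [string]$New)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.ChangePassword($Old, $New)
}

# 3b. The DESTRUCTIVE operation: an administrative reset with no old password
#     (same effect as "net user <name> <pw>" or the Reset Password button).
#     Every DPAPI-protected secret of the account is orphaned.
function Set-LocalPasswordByReset {
    param([string]$Name, [string]$New)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.SetPassword($New)
    $user.SetInfo()
}

# --- Decide before resetting: list what would be lost ---
$profileDir = (Get-ChildItem 'C:\Users', 'C:\Documents and Settings' -Directory -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $UserName } | Select-Object -First 1).FullName
if ($profileDir) {
    $enc = @(Get-EncryptedFiles -Root $profileDir)
    Write-Host "$($enc.Count) EFS-encrypted file(s) under $profileDir"
    $enc | Select-Object -First 10 | ForEach-Object { Write-Host "  $($_.FullName)" }
    if ($enc.Count -gt 0) {
        Write-Warning 'A reset will make these unreadable: change the password with the old one, or export the EFS key (Backup-EfsKey) from the user''s session first.'
    }
}
```

Note that the check in step 1 only finds EFS data; compressed-but-not-encrypted folders, as in the original question, carry the Compressed attribute rather than Encrypted and are not affected by the DPAPI behaviour the KB article describes.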