Re: EFS recovery problem

From: Roger Abell [MVP] (mvpNOSPAM_at_asu.edu)
Date: 05/01/03 

Date: Thu, 1 May 2003 07:30:41 -0700

I am not sure at which point your EFS access was broken,
but here are some observations.

A recovery agent will only be of use if it was set up before
the files were encrypted or last touched. Doing this after
the fact will not assist in your current dilemma. You use
the commandline cipher utility to generate the needed
cert/key for the recovery agent. It is all in here
 http://microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery

Since your account is now set with the same password as before,
and since changing the group memberships of an account should
have not impact on the operation of EFS, we need to figure out
what has happened to your account.
There is a tool, efsinfo.exe, that you can use to see what thumbprint
is associated with the encrypted files, and the account's current
certificate. You can get this by installing the Support Tools from
the similarly named directory of the Windows XP CD.
You should also use the Certificates mmc console to look at the
private certificates for EFS of the account in question - particularly
checking to see if there is more than one. 

-- 
Roger 
<thiessendg@yahoo.com> wrote in message news:eddfcb6f.0305010521.2cb4751d@posting.google.com...
> All,
> 
> Please note that I have read the FAQ...
> 
> Here is my problem, I have a Power User Account.  I changed that
> account to an Administrator.  When I logged in, it forced me to change
> the password.  I simply changed it to its current password.  I did my
> thing, logged off, logged in to default admin, changed account back to
> PU acct. Log out of Admin, log in to PU acct. and now I cannot access
> EFS files.
> 
> After reading/research, I log on to account and use control panel to
> change my password, change it to the password.  Still no access to EFS
> files.
> 
> Hmmm.  Log on to admin, restore files from backup, still no acccess.
> 
> Hmmm.  Use MMC and try to make sure that default admin is recovery
> agent and he is not, no one is.  So i try to add Admin acct as
> Recovery agent, but, there is no *.cer file on local machine.
> 
> Any suggestions?
> 
> My understnading was, since the password changed, that is what screwed
> up the EFS.  But, according the KB article, logging in as user and
> changeing password with control panel, I should have access to my EFS
> files back.
> 
> I have a sinking feeling, but appreciate any suggestions...
> 
> Dave

Relevant Pages

  • Re: Co-Administrator
    ... All the admin needs is one of the ... necessary steps are the designation of a data recovery agent with the EFS ... certificate/key of the administrator account. ... The EFS encrypted files are no longer readable by the Administrator or data ...
    (microsoft.public.windows.server.sbs)
  • Re: EFS access
    ... other account cannot open or copy the EFS files to a different ... Is there a way to use EFS to block even the ... opening of an EFS protected folder from another admin account? ... NTFS permissions, however, can. ...
    (microsoft.public.windowsxp.security_admin)
  • EFS recovery problem
    ... I have a Power User Account. ... Log out of Admin, ... Still no access to EFS ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS recovery problem
    ... > groups *should* _not_ effect efs. ... >>A recovery agent will only be of use if it was set up before ... >>and since changing the group memberships of an account should ... Log out of Admin, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS Disabling
    ... > I had to reinstall XP on a computer and so I copied my EFS ... Each time you create a user account, a new SID gets ... instances of Windows NT/2000/XP. ... in your profile directory. ...
    (microsoft.public.security)