Cannot Decrypt Files

CJ

May 4, 2004
Archived from groups: microsoft.public.win2000.security

My tech group and I are rebuilding one of our site's servers. We've run into
a bit of a snag, though, in backing up user folders and information in that
some files and folders have been encrypted and will not copy to a remote
location. We are in the server as the domain admin which is a designated
data recovery agent, necessary to decrypt EFS files and folders. We ran
cipher with the following:

cipher /d /s:d:\ /a

And still we were unable to decrypt the files. Each time, it ran for every
file and folder on the system, but when it came to the encrypted files, we
received the error "Access is denied."

We are banging our heads against a wall this evening... we did NOT expect
this situation. Any help would be appreciated. TIA!
 

CJ


I would like to add that we used the efsinfo tool and found the users that
encrypted the files and the certificate thumbprint numbers, but... it also
says that it doesn't know which users can decrypt these files. And like I
said, we've tried as domain admins. The users are no longer here and we are
unsure where the particular system they used is now located (it's been
several months since this user was terminated and the computers have all been
moved around since then). What are our options?
 
Guest

You can use ntbackup to back up and restore EFS files to another location. A
regular copy will not work. Then you have to make sure that the Recovery
Agent's certificate/private key are on the computer where the recovery is to
take place. It is not good enough to just log on as a domain administrator.
Not every domain administrator is a Recovery Agent - just the user specified
in the RA policy, which in many cases is the built-in administrator account
for the domain, and that certificate/private key probably is on the first
domain controller installed for the domain, which often is the PDC FSMO.

If you want to import the Recovery Agent certificate/private key to another
computer it must first be exported to a password protected .pfx file from a
computer where it exists or imported from a backup of the .pfx file after
the Recovery Agent user account logs onto the computer. The links below may
help. You can disable EFS domain wide or for a group of computers at the OU
level if you do not want domain computers to use EFS. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://support.microsoft.com/default.aspx?scid=kb;en-us;241201
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/encrypt_recovery_overview.htm
 
Guest

Also, I notice it has been said that Domain Admin accounts
have been tried, and at least the one of the first post is said
to be DRA. But notice, by default Domain Admin accounts
are not DRA, the initial Administrator account is. So, if the
others have been so designated, in order to use them as DRA
one must import the DRA cert/key, which may not have been
done.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
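Both replies come down to the same check: the account attempting recovery must hold the recovery agent's certificate together with its private key, not just a privileged group membership. The following is an added example, not code from the thread, and it assumes a current Windows system with PowerShell rather than the Windows 2000 tools discussed; the function names are hypothetical and the thumbprint is a placeholder for the value your EFS tooling reports for the file.

```powershell
# Added example. Run as the account that will attempt the recovery.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Get-EfsRecoveryKeyStatus {
    param(
        # Recovery agent thumbprint reported for the encrypted file (spaces allowed)
        [Parameter(Mandatory)] [string] $RecoveryThumbprint
    )
    $want = ($RecoveryThumbprint -replace '\s', '').ToUpperInvariant()

    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # Collect the EKU OIDs carried by this certificate
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $isMatch = ($cert.Thumbprint -eq $want)
        # Report the certificate named on the file and any other recovery certificates
        if ($isMatch -or ($ekus -contains $FileRecoveryOid)) {
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                FileRecovery  = ($ekus -contains $FileRecoveryOid)
                HasPrivateKey = $cert.HasPrivateKey
                MatchesFile   = $isMatch
            }
        }
    }
}

function Test-CanRecover {
    param([Parameter(Mandatory)] [string] $RecoveryThumbprint)
    # Recovery needs the matching certificate AND its private key in this profile
    $usable = @(Get-EfsRecoveryKeyStatus $RecoveryThumbprint |
        Where-Object { $_.MatchesFile -and $_.HasPrivateKey })
    return ($usable.Count -gt 0)
}

# Usage (placeholder value, substitute the reported thumbprint):
# Get-EfsRecoveryKeyStatus '<recovery-agent-thumbprint>' | Format-Table
# if (-not (Test-CanRecover '<recovery-agent-thumbprint>')) {
#     'No matching private key in this profile: import the recovery agent .pfx first.'
# }
```

An empty result or `HasPrivateKey = False` for the matching certificate means the .pfx holding the recovery key still has to be imported for this account before decryption can succeed.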