Archived from groups: microsoft.public.win2000.security
I seem to have all profiles. I didn't reinstall anything. I just demoted
my PDC to a member server and then joined my new domain.
I'll look into your suggestions and links. I only have 1 small file
needing decryption.
regards,
doug
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:#snqOEVZFHA.3364@TK2MSFTNGP09.phx.gbl...
> EFS has a way of biting people when it comes to accessing their own files.
> The EFS "private" key that is used to decrypt files is stored in the user
> profile of the user account that encrypted the file and the Recovery Agent
> profile that was in effect at the time that the files were encrypted.
> Windows 2000 requires a Recovery Agent which can be the built in local
> administrator account for the local computer or the built in administrator
> account for the domain. For a domain the built in administrator account EFS
> recovery certificate would probably be on the first domain controller for
> the domain.
>
> I am not sure exactly all what you reconfigured but that may help give you
> somewhere to look. You can use the tool efsinfo to find the user and RA's
> that can decrypt a file and the thumbprint info for the certificates that
> will be helpful in tracking them down if they exist. The mmc snapin for
> certificates for user can be used to view the certificates on a computer for
> a user in the personal/certificates folder. The EFS or Recovery Agent
> certificate needs to show that "you have the private key that corresponds
> with this certificate" on the general page of the certificate in order to be
> able to decrypt the EFS certificate. If you find a Recovery Agent you can
> either back/restore the EFS files to the computer where the RA lives or
> export the RA certificate AND private key to a password protected .pfx file
> to import to the computer where the EFS files are.
>
> Normally users have problems when they reinstall the operating system as
> profiles can be erased or associated with the wrong computer operating
> system ID. If you have a backup of the users profiles that encrypted the
> files you probably still have a copy of the EFS private key though it can
> not be restored via normal means. If that is the case and you know the user
> password then you may be able to recover the EFS files with the help of
> Microsoft support [around $245] or the use of a program such as the one from
> Elcomsoft that sells for $99. Elcomsoft does have a free trial download that
> you can use but it will only recover very small files, but it should let you
> know if the private keys are found or not. The first link below is to
> Elcomsoft and the other two may provide info to lead you to a solution.
> --- Steve
>
> http://www.elcomsoft.com/aefsdr.html
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q223316 --- EFS
> best practices.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;259732&sd=tech ---
> info on Recovery Agent
>
> "douglas martin" <dsmrtn-supt@pacbell.net> wrote in message
> news:Oj7VQLTZFHA.4088@TK2MSFTNGP15.phx.gbl...
> > I'm guessing I'm "sol" here but I just have to ask.
> >
> > A long while back I selected a folder to encrypt using the checkbox on the
> > folders properties box in the advanced form. It worked just fine. I never
> > did do anything about creating any certificates or agents or anything as
> > backup. I'm just an applications guy who needs a lan setup to do what I do,
> > so I learned enough AD, DNS, Exchange and so forth to make it all more or
> > less work. I do backups fairly well, and my system seems safe enough.
> >
> > Recently I upgraded my W2K PDC to be a W2K3 SBS PDC. I ran DCPROMO a little
> > prematurely (in hindsight), and I neglected to remove the encryption
> > settings on this folder. This server is now just a member server in my new
> > LAN with a new PDC.
> >
> > My files and such are all still there. And I can get to all of them, just
> > can't access the encrypted ones.
> >
> > Is there an administrative "backdoor" that will gain me access?
> >
> > regards,
> >
> > doug
> >
> >
>
>
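The certificate check described in the reply above (find the EFS or Recovery Agent certificate by thumbprint and confirm its private key is present), as an added example that is not part of either post. It assumes a later Windows version with PowerShell and its `Cert:` drive, which Windows 2000 does not ship; the function names and the sample thumbprint are hypothetical.

```powershell
# Added example: function names and the sample thumbprint are hypothetical/constructed.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # EKU: Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # EKU: File Recovery (Recovery Agent)

function ConvertTo-PlainThumbprint {
    param([string]$Thumbprint)
    # Drop spaces and other non-hex characters so "AB12 CD34" and "ab12cd34" compare equal.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-EfsCertificateReport {
    param(
        [Parameter(Mandatory)] [string]$FileThumbprint,   # thumbprint reported for the file
        [string]$StorePath = 'Cert:\CurrentUser\My'       # Personal\Certificates for the user
    )
    $wanted = ConvertTo-PlainThumbprint $FileThumbprint
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the Enhanced Key Usage OIDs carried by this certificate.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $role = $null
        if     ($ekus -contains $RecoveryOid) { $role = 'RecoveryAgent' }
        elseif ($ekus -contains $EfsOid)      { $role = 'EFS' }
        if (-not $role) { continue }           # not an EFS-related certificate

        $matches = ($cert.Thumbprint -eq $wanted)
        [pscustomobject]@{
            Role          = $role
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Expires       = $cert.NotAfter
            MatchesFile   = $matches
            HasPrivateKey = $cert.HasPrivateKey
            # Only a matching certificate WITH its private key can decrypt the file.
            CanDecrypt    = ($matches -and $cert.HasPrivateKey)
        }
    }
}

# Constructed thumbprint; substitute the value shown for the encrypted file.
Get-EfsCertificateReport -FileThumbprint '0000 1111 2222 3333 4444 5555 6666 7777 8888 9999' |
    Format-Table Role, Subject, MatchesFile, HasPrivateKey, CanDecrypt -AutoSize
```

A row with `MatchesFile` true but `HasPrivateKey` false means only the public certificate is on this machine, so the private key still has to be located in the original profile or on the Recovery Agent's computer.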