Guest jwgoerlich@gmail.com
Posted July 13, 2007

I am working with a single Windows Server 2003 computer. It is not part of an Active Directory domain. EFS is enabled and a couple users are encrypting their files. Full backups with system state are performed regularly using the default Windows Backup utility.

About a week ago, a user forgot their password. The administrator reset it and, thus, locked them out of their EFS encrypted files. All attempts by the user and the administrator to open the files result in the "Access is denied" dialog box.

My job is to find a way for the user to open them. I did restore system state and the encrypted files from a backup made a couple weeks before. The user, whose memory has returned, logged in with their last password. They still cannot decrypt the files, however.

What do I need to restore in order for this user to decrypt their files?

J Wolfgang Goerlich

Guest C J.
Posted July 13, 2007

My two cents...

People who encrypt files should learn how to export their personal encryption key and keep it in a safe place, off the system - just for the reasons you've outlined alone below.

IIRC - if he had his personal EFS key he could put the key back into trusted certificates, take ownership of the files, and be able to decrypt them.

jwgoerlich@gmail.com wrote:
> I am working with a single Windows Server 2003 computer. It is not
> part of an Active Directory domain. EFS is enabled and a couple users
> are encrypting their files. Full backups with system state are
> performed regularly using the default Windows Backup utility.
>
> About a week ago, a user forgot their password. The administrator
> reset it and, thus, locked them out of their EFS encrypted files. All
> attempts by the user and the administrator to open the files result
> in the "Access is denied" dialog box.
>
> My job is to find a way for the user to open them. I did restore
> system state and the encrypted files from a backup made a couple weeks
> before. The user, whose memory has returned, logged in with their last
> password. They still cannot decrypt the files, however.
>
> What do I need to restore in order for this user to decrypt their
> files?
>
> J Wolfgang Goerlich

Guest Roger Abell [MVP]
Posted July 13, 2007

Hi Wolfgang,

That they could not gain access after the restore (did you restore their profile and system state and the encrypted files or just system state and the encrypted files?) at first seemed surprising to me.

When you restored system state it reverted their account to their old password, but DPAPI would still be set to use the new password as their profile had been touched after the password was forgotten and reset. So perhaps restoring their profile is needed so that they can get at the stored key via the (system state) restored account pwd. At least that is my thinking. Including restore of the EFS encrypted files was a good idea as they may have been altered in the attempts but probably not.

Roger

<jwgoerlich@gmail.com> wrote in message news:1184354201.953509.137960@57g2000hsv.googlegroups.com...
> I am working with a single Windows Server 2003 computer. It is not
> part of an Active Directory domain. EFS is enabled and a couple users
> are encrypting their files. Full backups with system state are
> performed regularly using the default Windows Backup utility.
>
> About a week ago, a user forgot their password. The administrator
> reset it and, thus, locked them out of their EFS encrypted files. All
> attempts by the user and the administrator to open the files result
> in the "Access is denied" dialog box.
>
> My job is to find a way for the user to open them. I did restore
> system state and the encrypted files from a backup made a couple weeks
> before. The user, whose memory has returned, logged in with their last
> password. They still cannot decrypt the files, however.
>
> What do I need to restore in order for this user to decrypt their
> files?
>
> J Wolfgang Goerlich

Guest Roger Abell [MVP]
Posted July 13, 2007

PS

At least in XP, after remembering the password all one needs to do is reset (not set with new+old) the password back.

<jwgoerlich@gmail.com> wrote in message news:1184354201.953509.137960@57g2000hsv.googlegroups.com...
> I am working with a single Windows Server 2003 computer. It is not
> part of an Active Directory domain. EFS is enabled and a couple users
> are encrypting their files. Full backups with system state are
> performed regularly using the default Windows Backup utility.
>
> About a week ago, a user forgot their password. The administrator
> reset it and, thus, locked them out of their EFS encrypted files. All
> attempts by the user and the administrator to open the files result
> in the "Access is denied" dialog box.
>
> My job is to find a way for the user to open them. I did restore
> system state and the encrypted files from a backup made a couple weeks
> before. The user, whose memory has returned, logged in with their last
> password. They still cannot decrypt the files, however.
>
> What do I need to restore in order for this user to decrypt their
> files?
>
> J Wolfgang Goerlich

Guest Ian
Posted July 15, 2007

If the machine is NOT a domain-member, then the local Administrator account should have a copy of the key. Try logging-on as Administrator and see if you can access the files.

If anyone is thinking of using EFS, then I would first of all ask them to consider if they have an actual need for it. Basically, if you're not with the CIA, KGB or NID, then...

Guest Roger Abell [MVP]
Posted July 15, 2007

"Ian" <Ian@discussions.microsoft.com> wrote in message news:5BF37EB8-4D3D-4DFE-BE0C-50D4BEA59197@microsoft.com...
> If the machine is NOT a domain-member, then the local Administrator
> account should have a copy of the key. Try logging-on as Administrator
> and see if you can access the files.
>
> If anyone is thinking of using EFS, then I would first of all ask them to
> consider if they have an actual need for it. Basically, if you're not
> with the CIA, KGB or NID, then...

Hi Ian,

In a standalone the built-in Administrator, however renamed, does not have copies of the users' EFS keys. In Windows 2000 this account was by default configured to be the default recovery agent (DRA), and as such its EFS credentials were used when the file was encrypted in addition to use of the saving user's. Starting with Windows XP there is no automatically configured DRA, so one would exist on a standalone machine only if it had been manually configured.

Roger

Guest Kerry Brown
Posted July 15, 2007

You could try the following software.

http://www.elcomsoft.com/aefsdr.html

Download the trial. It will only decrypt the first part of a file but it is enough to know if it will work. If it does, pay for the full version and decrypt the files. As the rest of the replies suggest you should read up on EFS before continuing its use.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca

<jwgoerlich@gmail.com> wrote in message news:1184354201.953509.137960@57g2000hsv.googlegroups.com...
> I am working with a single Windows Server 2003 computer. It is not
> part of an Active Directory domain. EFS is enabled and a couple users
> are encrypting their files. Full backups with system state are
> performed regularly using the default Windows Backup utility.
>
> About a week ago, a user forgot their password. The administrator
> reset it and, thus, locked them out of their EFS encrypted files. All
> attempts by the user and the administrator to open the files result
> in the "Access is denied" dialog box.
>
> My job is to find a way for the user to open them. I did restore
> system state and the encrypted files from a backup made a couple weeks
> before. The user, whose memory has returned, logged in with their last
> password. They still cannot decrypt the files, however.
>
> What do I need to restore in order for this user to decrypt their
> files?
>
> J Wolfgang Goerlich

Guest jwgoerlich@gmail.com
Posted July 18, 2007

That's the ticket! I restored the user's profile and system state, then had the user change their password. The EFS-encrypted files were then accessible. I owe you one, Roger.

Thank you very much,

J Wolfgang Goerlich

On Jul 13, 6:16 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
> Hi Wolfgang,
>
> That they could not gain access after the restore (did you
> restore their profile and system state and the encrypted files
> or just system state and the encrypted files?) at first seemed
> surprising to me.
> When you restored system state it reverted their account
> to their old password, but DPAPI would still be set to
> use the new password as their profile had been touched
> after the password was forgotten and reset. So perhaps
> restoring their profile is needed so that they can get at
> the stored key via the (system state) restored account pwd.
> At least that is my thinking. Including restore of the
> EFS encrypted files was a good idea as they may have
> been altered in the attempts but probably not.
>
> Roger
>
> <jwgoerl...@gmail.com> wrote in message
> news:1184354201.953509.137960@57g2000hsv.googlegroups.com...
>
> > I am working with a single Windows Server 2003 computer. It is not
> > part of an Active Directory domain. EFS is enabled and a couple users
> > are encrypting their files. Full backups with system state are
> > performed regularly using the default Windows Backup utility.
> >
> > About a week ago, a user forgot their password. The administrator
> > reset it and, thus, locked them out of their EFS encrypted files. All
> > attempts by the user and the administrator to open the files result
> > in the "Access is denied" dialog box.
> >
> > My job is to find a way for the user to open them. I did restore
> > system state and the encrypted files from a backup made a couple weeks
> > before. The user, whose memory has returned, logged in with their last
> > password. They still cannot decrypt the files, however.
> >
> > What do I need to restore in order for this user to decrypt their
> > files?
> >
> > J Wolfgang Goerlich

Guest Roger Abell [MVP]
Posted July 19, 2007

<jwgoerlich@gmail.com> wrote in message news:1184787551.871572.4210@g12g2000prg.googlegroups.com...
> That's the ticket! I restored the user's profile and system state,
> then had the user change their password. The EFS-encrypted files were
> then accessible. I owe you one, Roger.
>
> Thank you very much,

I am glad it worked. I am also not too sure as to why the profile no longer had the old cert/key available in an accessible way once the password was reset to the prior value however.

Roger

> On Jul 13, 6:16 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:
>> Hi Wolfgang,
>>
>> That they could not gain access after the restore (did you
>> restore their profile and system state and the encrypted files
>> or just system state and the encrypted files?) at first seemed
>> surprising to me.
>> When you restored system state it reverted their account
>> to their old password, but DPAPI would still be set to
>> use the new password as their profile had been touched
>> after the password was forgotten and reset. So perhaps
>> restoring their profile is needed so that they can get at
>> the stored key via the (system state) restored account pwd.
>> At least that is my thinking. Including restore of the
>> EFS encrypted files was a good idea as they may have
>> been altered in the attempts but probably not.
>>
>> Roger
>>
>> <jwgoerl...@gmail.com> wrote in message
>> news:1184354201.953509.137960@57g2000hsv.googlegroups.com...
>>
>> > I am working with a single Windows Server 2003 computer. It is not
>> > part of an Active Directory domain. EFS is enabled and a couple users
>> > are encrypting their files. Full backups with system state are
>> > performed regularly using the default Windows Backup utility.
>> >
>> > About a week ago, a user forgot their password. The administrator
>> > reset it and, thus, locked them out of their EFS encrypted files. All
>> > attempts by the user and the administrator to open the files result
>> > in the "Access is denied" dialog box.
>> >
>> > My job is to find a way for the user to open them. I did restore
>> > system state and the encrypted files from a backup made a couple weeks
>> > before. The user, whose memory has returned, logged in with their last
>> > password. They still cannot decrypt the files, however.
>> >
>> > What do I need to restore in order for this user to decrypt their
>> > files?
>> >
>> > J Wolfgang Goerlich
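
The difference this thread turns on, an administrative password reset versus a password change made with the old password, shown as an added Python sketch that is not from any poster. It is a constructed toy model, not DPAPI's real algorithms or storage format: `account` stands in for the password held in system state, `profile` for the password-protected key material in the user profile, and all names and passwords are made up.

```python
import copy, hashlib, hmac, os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 64)

def wrap(password, secret):
    """Protect a 32-byte secret under a password-derived key (toy scheme)."""
    salt = os.urandom(16)
    k = _kdf(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, k[:32]))
    return salt + ct + hmac.new(k[32:], ct, hashlib.sha256).digest()

def unwrap(password, blob):
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    k = _kdf(password, salt)
    if not hmac.compare_digest(tag, hmac.new(k[32:], ct, hashlib.sha256).digest()):
        raise PermissionError("Access is denied")
    return bytes(a ^ b for a, b in zip(ct, k[:32]))

class Standalone:
    """Constructed model of one user on a standalone machine."""
    def __init__(self, password):
        self.efs_key = os.urandom(32)        # kept in the clear only to check results
        self.account = password               # "system state": current logon password
        self.profile = wrap(password, self.efs_key)  # "profile": protected key

    def change_password(self, old, new):
        key = unwrap(old, self.profile)       # old password known: key is re-protected
        self.profile = wrap(new, key)
        self.account = new

    def admin_reset(self, new):
        self.account = new                    # old password unknown: profile untouched

    def can_decrypt(self):
        try:
            return unwrap(self.account, self.profile) == self.efs_key
        except PermissionError:
            return False

def scenario():
    m = Standalone("old-pw")
    backup = copy.deepcopy(m)                 # backup of profile and system state
    results = {"before": m.can_decrypt()}
    m.admin_reset("new-pw")
    results["after_admin_reset"] = m.can_decrypt()
    m.admin_reset("old-pw")                   # resetting back to the remembered password
    results["reset_back_to_old"] = m.can_decrypt()
    m = copy.deepcopy(backup)                 # restore profile and system state together
    m.change_password("old-pw", "fresh-pw")   # then a normal change with old + new
    results["restore_then_change"] = m.can_decrypt()
    return results
```
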