
Topic URL: http://www.windowsforumz.com/Security-Admin-EFS-Issue-ftopict365344.html
Was there a Designated Recovery Agent on the domain?
If not, the data is most likely gone for good.
See the bottom of this page for ways to help prevent data loss with EFS in
the future:
http://www3.telus.net/dandemar/encrypt.htm

Signature
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
In memory of our dear friend, MVP Alex Nichol
http://www.dts-l.org
> Recently I used RIS (Remote Installation Service) to reinstall a
> client's workstation because it had been upgraded and had different
[quoted text clipped - 9 lines]
> admin, but still no luck. Anyone know of anything I can do? And no,
> the user didn't export the keys.
Mouse4440 - 29 Apr 2005 15:31 GMT
"Jupiter Jones MVP" wrote:
> Was there a Designated Recovery Agent on the domain?
> If not, the data is most likely gone for good.
[quoted text clipped - 36 lines]
> abuse:
> > http://www.windowsforumz.com/eform.php?p=1177687
I'm not sure. I logged in as admin on the local machine and as the
domain admin, and the Windows recovery thing displays no recovery agent
present. Is this something that the user had to set up, or is it an automatic
thing?
Kerry Brown - 29 Apr 2005 15:52 GMT
> "Jupiter Jones MVP" wrote:
> > Was there a Designated Recovery Agent on the domain?
[quoted text clipped - 42 lines]
> present. is this something that user had to setup or is an automatic
> thing?
With XP you have to set up the recovery agent. Win2k worked differently. If
he was logged on locally when he encrypted the files, you are probably out of
luck. If he was logged on as a domain user, you will have to figure out if
there is a recovery agent and who it is. Export the recovery key and import
it on the machine with the files on it. You may also have to take ownership
of the files on the USB drive first.
http://support.microsoft.com/default.aspx?scid=kb;en-us;887414
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_lnfx.asp
Kerry
Mouse4440 - 29 Apr 2005 17:24 GMT
"kerry15" wrote:
> > "Jupiter Jones MVP" wrote:
> > > Was there a Designated Recovery Agent on the domain?
[quoted text clipped - 97 lines]
>
> Kerry
He was a domain user, but the key was on the system partition and the
data is on another drive; the system partition that had the keys was
deleted with the install of Win XP. I logged in as the user and the
recovery agent displays no recovery agent present, likewise for the
local admin and domain admin. I have not taken ownership though.
Would I need to do that for the recovery agent?
Kerry Brown - 29 Apr 2005 17:40 GMT
> "kerry15" wrote:
> > > "Jupiter Jones MVP" wrote:
[quoted text clipped - 105 lines]
> local admin and domain admin. I have not taken ownership though.
> would I need to do that for the recovery agent.
You have to figure out who the DRA is (see my previous links), export their
private certificate and key, then import the certificate and key on the
computer that you are using to decrypt the files. It is common practice to
only use certain secure computers for EFS recovery so that the key cannot be
taken away and data unencrypted off site. If this is the case you would have
to have the files on the recovery computer. You may or may not have to take
ownership first, but it wouldn't hurt to do so. EFS can be very tricky. From
what you have described, his data is probably gone. You should investigate
the links in my last post and either restrict users from using EFS via group
policy or set up a DRA and store the certificate and key in a safe place. If
you don't, this may cause you grief again in the future.
Kerry
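The recovery procedure Kerry describes (work out whether a DRA is named in the files' EFS metadata, import the DRA's certificate and private key on the recovery machine, take ownership, decrypt) and his closing advice to set up a DRA and keep the key somewhere safe can be scripted. The following is an added example written for this thread, not code from any poster or from Microsoft. It assumes a Windows host where cipher.exe, certutil.exe and takeown.exe are on the PATH (certutil -importpfx and takeown ship with Vista and later; on XP the PFX is imported with the Certificate Import Wizard instead), and it assumes the "Recovery Certificates:" / "No recovery certificate found" wording of cipher /c output. The drive letter, file paths and report name are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes a Windows host with cipher.exe,
# certutil.exe and takeown.exe available. All paths below are constructed placeholders.

$EncryptedRoot = 'E:\'                  # constructed: the USB drive holding the files
$RecoveryPfx   = 'C:\recovery\dra.pfx'  # constructed: exported DRA certificate + private key
$Report        = 'C:\recovery\efs-report.csv'

# Step 1: for every EFS-encrypted file, record which certificates can decrypt it.
# "cipher /c" lists the user certificates and a "Recovery Certificates:" section;
# if cipher reports no recovery certificate, no DRA was in effect when the file
# was encrypted, and no DRA key imported later can help with that file.
function Get-EfsDecryptorReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $out = (& cipher.exe /c $_.FullName 2>&1) -join "`n"
            # Thumbprints are what you compare against the DRA certificate you hold.
            $thumbs = [regex]::Matches($out, 'thumbprint:\s*([0-9A-F ]+)', 'IgnoreCase') |
                      ForEach-Object { $_.Groups[1].Value.Trim() }
            [pscustomobject]@{
                File        = $_.FullName
                HasRecovery = ($out -match 'Recovery Certificates') -and
                              ($out -notmatch 'No recovery certificate')
                Thumbprints = ($thumbs -join ';')
            }
        }
}

# Step 2: import the exported DRA certificate and private key into the Personal
# store of the account doing the decryption, on the dedicated recovery machine.
function Import-RecoveryKey {
    param([string]$PfxPath, [string]$Password)
    & certutil.exe -user -p $Password -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to import $PfxPath" }
}

# Step 3: take ownership where needed, then decrypt in place. Only files whose
# EFS metadata names the imported DRA certificate will decrypt successfully.
function Restore-EfsFiles {
    param([string]$Path)
    Get-EfsDecryptorReport -Path $Path |
        Where-Object { $_.HasRecovery } |
        ForEach-Object {
            & takeown.exe /f $_.File | Out-Null
            & cipher.exe /d $_.File
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not decrypt $($_.File)" }
        }
}

# Prevention: generate a recovery agent certificate, publish the .cer as the DRA
# through Group Policy (Computer Configuration > Windows Settings > Security
# Settings > Public Key Policies > Encrypting File System), and move the .pfx to
# offline storage so the private key is never left on a workstation.
function New-RecoveryAgentCert {
    param([string]$BaseName)
    & cipher.exe /r:$BaseName        # writes $BaseName.cer and $BaseName.pfx
    if ($LASTEXITCODE -ne 0) { throw 'cipher /r failed' }
    Get-Item "$BaseName.cer", "$BaseName.pfx"
}

# Run the survey first; it tells you before any key handling whether recovery is possible.
Get-EfsDecryptorReport -Path $EncryptedRoot | Export-Csv -Path $Report -NoTypeInformation
```

Run the survey before touching any keys: a report in which every file has HasRecovery set to false is the situation described in this thread (user keys lost with the system partition, no DRA in the metadata), and no amount of importing will change it. When a DRA is present, Import-RecoveryKey followed by Restore-EfsFiles performs the steps Kerry lists, and New-RecoveryAgentCert plus the Group Policy publication is the preventive setup he recommends.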