Re: EFS Recover Agents Unable to decrypt files
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 05/24/04
- In reply to: Fuente: "EFS Recover Agents Unable to decrypt files"
- Next in thread: Fuente: "Re: EFS Recover Agents Unable to decrypt files"
- Reply: Fuente: "Re: EFS Recover Agents Unable to decrypt files"
Date: Mon, 24 May 2004 14:55:43 -0700
Here are a few possibilities:
- You don't have the right file permissions. You probably already checked
this yourself, but it's still worth mentioning.
- The RA's certificate and private key aren't on the machine where you're
trying to decrypt.
- The files were encrypted on XP or 2003 and you're trying to decrypt them
on Win2k, which doesn't understand the newer crypto algorithms.
"Unknown" is displayed because of a bug in the old version of efsinfo - it's
trying to display information that isn't there. It's nothing to worry
about.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Fuente" <partagas@insightbb.com> wrote in message
news:cUXqc.3248$Vv.275836@attbi_s51...
> Background:
> Internal Certificate Service running in a 3 tier hierarchy. Enterprise CA,
> Subordinate CA, Exchange CA
> Default Domain administrator and additional domain administrator have
> requested and received EFS Recovery certificates and have been set up on the
> default domain policy of Security Settings | Public Key Policies | Encrypted
> Data Recovery Agents
>
> Created a test file on a workstation by a test account with Domain User
> rights. Encrypted the file successfully. In order to test the ability of the
> Recovery Agents I performed the process described in "Encrypting File System
> for Windows 2000" white paper but this does not work. From the Windows
> Explorer I get message stating ""Access is Denied" Error Message When
> Encrypting or Decrypting Files or Folders". I also tried going to the users
> home directory with one of the accounts and attempted to decrypt the file
> and this didn't work either.
>
> TechNet Article 264064 seemed to address the issue but after applying the
> solution, the problem was not resolved. (As a matter of fact, all the
> "System Volume" Folders I inspected on my domain controllers have the System
> account listed but none of the permissions were checked except in one place
> where full was checked on the boot partition of one domain controller.)
>
> When I use the Efsinfo.exe utility the following results are displayed on
> the file in question: (I have changed the domain name and accounts to
> generic names for privacy. The "Bob.Train" account is a test account.)
>
> NOC List.txt: Encrypted
> Users who can decrypt:
> My DOMAIN\Bob.Train (CN=Bob Train)
> Recovery Agents:
> Unknown (CN=Domain Administrator)
> Unknown (CN=Default Domain Administrator)
>
> I am concerned about the "Unknown" entries and am wondering if this is the
> root of the problem. It doesn't appear that the Recovery Accounts are
> getting the permission necessary to perform the function.
>
> I want to make sure that I have the ability to recover encrypted files
> before implementing this across the board. I have searched many articles in
> this forum on the subject as well as Microsoft and have yet to find a
> solution. I would like any insight anyone would have in solving this.
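One way to check the first two possibilities listed in the reply above, as an added PowerShell example that is not part of either post. It assumes a system with PowerShell, that it is run as the recovery agent on the machine where decryption fails, and that the agent's certificate would sit in the current user's Personal store; the file path is a placeholder. It does not test the Win2k algorithm mismatch.

```powershell
# Added example, not from the thread.
# 'C:\Test\NOC List.txt' is a placeholder path (assumption); pass the real file.
param([string]$Path = 'C:\Test\NOC List.txt')

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

# Cause 1: file permissions. Collect the ACL entries that apply to the
# current user or to one of the groups in its token.
$id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids  = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])
$mine  = @($rules | Where-Object { $sids -contains $_.IdentityReference.Value })

if ($mine.Count -eq 0) {
    Write-Warning "No ACL entry on '$Path' matches $($id.Name) or its groups."
} else {
    $mine | Format-Table AccessControlType, FileSystemRights, IsInherited -AutoSize |
        Out-Host
}

# Cause 2: recovery certificate and private key on this machine. Find
# certificates in the Personal store that carry the File Recovery EKU.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$raCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions |
        Where-Object   { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object   { $_.Value -eq $FileRecoveryOid }
})

if ($raCerts.Count -eq 0) {
    Write-Warning "No File Recovery certificate in the current user's Personal store."
}
foreach ($c in $raCerts) {
    if (-not $c.HasPrivateKey) {
        Write-Warning "$($c.Subject) [$($c.Thumbprint)]: certificate found, private key missing."
    }
    # Emit one summary object per candidate recovery certificate.
    [pscustomobject]@{
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        NotAfter      = $c.NotAfter
    }
}
```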