Re: EFS Recover Agents Unable to decrypt files

From: Fuente (partagas_at_insightbb.com)
Date: 05/25/04


Date: Tue, 25 May 2004 12:28:00 GMT

Thanks for responding.

Have checked permissions as you stated many times. The account I am using
for decrypting the file is the original domain administrator account. The
only thing different is the account name has been changed. He has an EFS RA
certificate from our internal Subordinate CA. I even got another EFS RA just
to make sure.

I don't understand what you are saying about the private key. Whose private
key? The domain admin. Isn't this what the EFS RA is for? Whenever a file is
encrypted, a special recovery key is created with the encryption process. Is
this the key you speak of? If so, where is it kept? How do you retrieve it
by an EFS RA?

Maybe my assumptions are wrong in my testing process. Here is what I am
doing. First, I took a file by a user (which also happens to be a domain
admin and EFS RA) and encrypted a file. From there I simply copied the file
to a folder called EFS Recovery on a server where the domain admin has an
EFS RA certificate. At this point I check the properties of the file and
under encryption, deselect the option and click apply. This is where the
error message appears that I first posted.

Shouldn't this work? Is there a different process to go about this? I have
applied the white paper's methods of backing up the file and then restoring
it to the same directory, and the same result happens.

P.S. This is not a file encrypted on XP or 2003.

"Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
news:OeJ9X4dQEHA.3748@TK2MSFTNGP09.phx.gbl...
> Here are a few possibilities:
> - You don't have the right file permissions. You probably already checked
> this yourself, but it's still worth mentioning.
> - The RA's certificate and private key aren't on the machine where you're
> trying to decrypt.
> - The files were encrypted on XP or 2003 and you're trying to decrypt them
> on Win2k, which doesn't understand the newer crypto algorithms.
>
> "Unknown" is displayed because of a bug in the old version of efsinfo -
it's
> trying to display information that isn't there. It's nothing to worry
> about.
> --
> Drew Cooper [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
> "Fuente" <partagas@insightbb.com> wrote in message
> news:cUXqc.3248$Vv.275836@attbi_s51...
> > Background:
> > Internal Certificate Service running in a 3 tier hierarchy. Enterprise CA,
> > Subordinate CA, Exchange CA
> > Default Domain administrator and additional domain administrator have
> > requested and received EFS Recovery certificates and have been setup on the
> > default domain policy of Security Settings | Public Key Policies | Encrypted
> > Data Recovery Agents
> >
> > Created a test file on a workstation by a test account with Domain User
> > rights. Encrypted the file successfully. In order to test the ability of the
> > Recovery Agents I performed the process described in "Encrypting File System
> > for Windows 2000" white paper but this does not work. From the Windows
> > Explorer I get message stating ""Access is Denied" Error Message When
> > Encrypting or Decrypting Files or Folders". I also tried going to the users
> > home directory with one of the accounts and attempted to decrypt the file
> > and this didn't work either.
> >
> > TechNet Article 264064 seemed to address the issue but after applying the
> > solution, the problem was not resolved. (As a matter of fact, all the
> > "System Volume" Folders I inspected on my domain controllers have the System
> > account listed but none of the permissions were checked except in one place
> > where full was checked on the boot partition of one domain controller.)
> >
> > When I use the Efsinfo.exe utility the following results are displayed on
> > the file in question: (I have changed the domain name and accounts to
> > generic names for privacy. The "Bob.Train" account is a test account.)
> >
> > NOC List.txt: Encrypted
> > Users who can decrypt:
> > My DOMAIN\Bob.Train (CN=Bob Train)
> > Recovery Agents:
> > Unknown (CN=Domain Administrator)
> > Unknown (CN=Default Domain Administrator)
> >
> > I am concerned about the "Unknown" entries and am wondering if this is the
> > root of the problem. It doesn't appear that the Recovery Accounts are
> > getting the permission necessary to perform the function.
> >
> > I want to make sure that I have the ability to recover encrypted files
> > before implementing this across the board. I have searched many articles in
> > this forum on the subject as well as Microsoft and have yet to find a
> > solution. I would like any insight anyone would have in solving this.
> >
> >
>
>
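The three failure modes Drew Cooper lists (wrong file permissions, the recovery agent's certificate present but its private key absent from the logon session doing the decrypt, and an algorithm the decrypting host does not support) can be checked before attempting the decrypt. The script below is an added example for this thread, not code from the original posters or from Microsoft. It assumes a Windows host with PowerShell 5 or later, where `cipher.exe /c` plays the role efsinfo.exe played on Windows 2000, and it uses the Microsoft "File Recovery" enhanced key usage OID 1.3.6.1.4.1.311.10.3.4.1 to identify recovery-agent certificates; the function name `Test-EfsRecoveryReadiness` is the example's own. It cannot detect the XP/2003-versus-Win2k algorithm mismatch; that still has to be ruled out by knowing where the file was encrypted.

```powershell
# Added example, not part of the thread. Run it in the logon session of the
# recovery agent account, on the machine where the decrypt is being attempted,
# because that is the session whose certificate store EFS consults.
function Test-EfsRecoveryReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path      # the encrypted file you intend to recover
    )

    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU

    # 1. Is the file actually carrying the EFS Encrypted attribute on this volume?
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $isEncrypted = (($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)

    # 2. Recovery-agent certificates in the CURRENT user's personal store.
    #    A certificate without HasPrivateKey cannot decrypt anything; this is the
    #    "RA's certificate and private key aren't on the machine" case.
    $raCerts = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid }
    $raWithKey = @($raCerts | Where-Object { $_.HasPrivateKey })

    # 3. Recovery agents recorded in the file's own EFS metadata. The thumbprint
    #    shown here must match one of the certificates found in step 2, otherwise
    #    the file was encrypted under a policy that never included this agent.
    $cipherOutput = & cipher.exe /c "$Path" 2>&1

    # 4. NTFS ACEs on the file, so a plain permission denial is not mistaken for
    #    a key problem.
    $acl = (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType

    [pscustomobject]@{
        Path                  = $item.FullName
        EncryptedAttribute    = $isEncrypted
        RecoveryCertsFound    = @($raCerts).Count
        RecoveryCertsWithKey  = $raWithKey.Count
        RecoveryThumbprints   = @($raWithKey | ForEach-Object { $_.Thumbprint })
        CipherInfo            = $cipherOutput
        Acl                   = $acl
    }
}

# Example invocation with a constructed path; substitute the file under test.
$result = Test-EfsRecoveryReadiness -Path 'C:\EFS Recovery\NOC List.txt'

if (-not $result.EncryptedAttribute) {
    Write-Warning 'File does not carry the Encrypted attribute; there is nothing for an RA to decrypt here.'
}
if ($result.RecoveryCertsWithKey -eq 0) {
    Write-Warning 'No File Recovery certificate with a private key in CurrentUser\My; the decrypt will fail with Access Denied.'
}
$result | Format-List Path, EncryptedAttribute, RecoveryCertsFound, RecoveryCertsWithKey, RecoveryThumbprints
$result.CipherInfo
$result.Acl | Format-Table -AutoSize
```

A `RecoveryCertsWithKey` of zero while the domain policy lists the agent is the situation Drew describes: the policy publishes only the public certificate, so the private key has to be in the personal store of the account doing the recovery on that specific machine (imported from the PFX exported when the RA certificate was requested). Comparing the thumbprints in `RecoveryThumbprints` against the recovery agents `cipher /c` prints for the file shows whether the file was ever encrypted under a policy that included that agent.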