Re: EFS Certs in AD or local PC?



Just to add that EFS files cannot be copied by anyone other than a user
that can decrypt them, but a user can use NTBackup to back them up to be
restored on another computer, such as one where the RA certificate/private
key exists for attempted decryption. Also, the RA certificate/private key can be
imported via a password-protected .pfx file to a computer for attempted
recovery of EFS files.

The user's EFS private key is stored in the user's profile but not in a way
that can be normally exported. There are third-party tools that can scan a
computer to look for EFS private keys [such as from a restored profile on a
computer other than the original OS] that can possibly decrypt EFS files if
the user's password is known. If there are no correct EFS private keys [user
or RA with matching thumbprint] available to decrypt a user's EFS files, then
it will not be possible to recover the EFS files.

Steve

http://www.elcomsoft.com/aefsdr.html --- the free trial can be used to search
for and unlock EFS private keys, but if found, the free version will only
decrypt a couple of bits of an EFS file, just enough to let you know the full version
should work.
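The practical question behind both of Steve's replies is whether the account that is logged on actually holds a private key matching one of the thumbprints recorded on the files. The following script, added here and not part of the thread, checks that from the command line. It assumes Windows 7 or later, where `cipher.exe /C` prints a "Certificate thumbprint:" line under each listed user and recovery certificate (the output format, the folder path `D:\EFS` and the `Import-PfxCertificate` step are assumptions for the example).

```powershell
# Added example: for every encrypted file under $Path, read the thumbprints that
# cipher.exe /C lists under "Users who can decrypt" and "Recovery Certificates"
# and report whether the current user holds an EFS certificate WITH a private
# key for any of them. Assumes the Windows 7+ cipher.exe output format.
param([string]$Path = 'D:\EFS')   # placeholder path, adjust to the EFS folder

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

# Thumbprints of EFS certificates for which THIS user holds the private key.
# A .cer alone (certificate without key) never appears here, as Steve notes.
$myKeys = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $efsEku) } |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

Get-ChildItem -Path $Path -File -Recurse |
  Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
  ForEach-Object {
    $file = $_.FullName
    $out  = & cipher.exe /C "$file" 2>&1

    # cipher prints thumbprints as space-separated hex groups; normalise them
    $listed = @()
    foreach ($line in $out) {
        if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            $listed += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }

    $match = $listed | Where-Object { $myKeys -contains $_ }
    [pscustomobject]@{
        File          = $file
        ListedKeys    = ($listed -join ',')
        CanDecryptNow = [bool]$match   # $false: no matching private key here
    }
  } | Format-Table -AutoSize

# If CanDecryptNow is $false but a recovery-agent thumbprint is listed, the RA's
# backed-up .pfx (certificate plus private key) must be imported into this
# user's store before the files can be read, e.g.:
#   Import-PfxCertificate -FilePath .\ra-backup.pfx `
#       -CertStoreLocation Cert:\CurrentUser\My -Password (Read-Host -AsSecureString)
```

A file whose listed thumbprints match nothing in any available store is the "no correct EFS private keys" case above and cannot be recovered by importing certificates alone.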

"Steve" <wonderlan1@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Ojo7H3YwIHA.4876@xxxxxxxxxxxxxxxxxxxxxxx
While there are ways to archive EFS certificate/private keys, I believe
that requires W2003 Enterprise, and in your case his certificate/private
key was on the local computer. See if he possibly exported it for backup
at some point in time, to see if he can import it back into his computer
via a .pfx file. If the domain security policy has a Recovery Agent
configured, then the RA [usually the built-in domain administrator account]
could log on to a computer that contains the RA EFS certificate/private key
[usually the domain controller] and decrypt the files. Note that ANY EFS
certificate used to attempt to decrypt files MUST also have the matching
private key - a .cer file does NOT. Though he/you may not be able to
access the files right now, you can view the advanced properties/details of
them to see if an RA is included as a user that can decrypt.

Steve


"Quilnux" <Quilnux@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:95785FD5-839E-4A23-B4C9-974A3E6884B2@xxxxxxxxxxxxxxxx
Hello,

We have a user who was using a desktop with an EFS folder. Recently the OS
drive failed and we had to reload the system from a new HDD. The EFS folder
is on a secondary drive which is ok, but I need to know if he will be able
to access the folder when he logs in next Wednesday from his account in AD,
or if I need to get his EFS cert from archives. It takes archives a week to get
us the disks we need, so if it is saved in his AD account I may not need to
contact them.

Thanks,
Quilnux
