EFS Decryption

Gary

I'm really not knowledgeable about EFS, so please bear with me.

I have a Windows 2000 PC used by a former employee. The machine is
completely intact. First thing I did was take a Ghost image of it.

The user's local account(s) are still there as well as the local admin
account. Both of which I have complete access to. If I log in as local
admin, I can't seem to decrypt the files. The keys seem to be there,
but I just can't seem to get the files to decrypt. I'm sure I'm doing
something wrong.

I've read the MS KB article, and I'm not sure if I'm just not
understanding it or what...

The AEFSDR tool cannot decrypt the files while logged on as either
admin or the local user. EFSINFO shows the original user as one who
is able to decrypt and a different user (who is also no longer with
the company) as the recovery agent. I assume that the usernames it
shows are the domain accounts?? I created a domain account for the
former user, but still cannot decrypt.

Can I change the password for the recovery agent on the local machine
and expect to get the keys back??

I'm confused!!!
 
Why aren't you just using the former user's local
account? You said you have access to it???!
 
Use efsinfo /c to see the thumbnail info of the certificate/private key that can
decrypt the files and then use the MMC certificate snap-in for user to see if the
thumbprints match. If they do, verify that it shows that the private key is present,
which would be indicated on the first page of certificate info. If it says it is
there, then try to export it to verify that it exists and is not corrupted. Assuming
that the certificate/private key matches, then log on as that user with the password
that the user used. The password protects the private key. Then try to decrypt the
files. The AEFSDR tool requires the user password also.

-- Steve
 