End User Profile corruption on Vista Enterprise in AD


David H. Lipman

One of our users had a corruption of his profile under Vista Enterprise as an Active Directory
user who logs on with his Smart Card.

I'll call his Domain Name: Bob.Unlucky

His profile is: c:\users\Bob.Unlucky

When he logged on, he did not get his normal setup (desktop, icons, resolution, etc.) and
his MS Outlook wasn't set up, which was a clear sign of a Profile corruption.

I examined his PC and found a new profile: c:\users\TEMP

All files in his Documents folder are encrypted using his Smart Card and he could not
access any files in: c:\users\Bob.Unlucky\Documents

In XP, when a Profile was corrupted, I would reboot the PC, log on as myself and
rename...

C:\Documents and Settings\Bob.Unlucky
to
C:\Documents and Settings\Bob.Unlucky.BAK

Then I would have the user log on and a new profile would be created as:
C:\Documents and Settings\Bob.Unlucky

I could then move data from the old .BAK Profile to the new profile, re-set up the user,
and all would be OK.
{ Under XP we used EFS Certificate to encrypt data and moving "C:\Documents and
Settings\END_USER\Application Data" to the new profile would have the new profile inherit
the old EFS certificate and the user could subsequently decrypt their data }

This wasn't the case under Vista.

I renamed...
c:\users\Bob.Unlucky
to
c:\users\Bob.Unlucky.BAK
and DELETED
c:\users\TEMP

and had the user log on.
The TEMP profile was created again.

The user still couldn't access his encrypted files nor could they be moved.

What is "Best Practice" in this kind of situation?
 
David

If you are going to use EFS then you should a) export the EFS certificate with
the private key to a backup so it can be restored later, and b) set up a data
recovery agent that can also decrypt the data. By default the data recovery agent
is the first user of the XP workstation. That may be the local administrator or
the automatically created first user when the system was initially installed.

The X509 EFS cert is stored in the user profile so if you use a roaming profile
it will follow the user and if the local profile is damaged and renamed as you
did the roaming profile will be used to create a new local profile complete with
the EFS cert.

If you do not have the EFS cert for the user and do not have a recovery agent
then files cannot be decrypted.

EFS is useful but very dangerous if not fully set up and understood.
 
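The two precautions Peter lists (back up the user's EFS certificate with its private key, and have a data recovery agent) plus a check of which certificate the files are actually bound to, as a PowerShell script. This is an added example, not code from this thread or from either poster. It assumes the cipher.exe and certificate provider that ship with Windows; the profile path and backup folder are placeholders, and the certificate export must be run in the session of the user whose files are encrypted, because cipher /x exports the current user's EFS keys.

```powershell
# Added example (not from the thread): EFS inventory and key backup before touching a profile.
# Assumes built-in cipher.exe; $ProfilePath and $BackupDir are placeholders.
param(
    [string]$ProfilePath = 'C:\Users\Bob.Unlucky',   # placeholder profile
    [string]$BackupDir   = 'D:\EFS-Backup'           # placeholder backup location
)

# 1. Inventory encrypted files. EFS sets the Encrypted file attribute, so no
#    decryption is needed to find them (works even when the key is gone).
$encrypted = @(Get-ChildItem -Path $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
"{0} encrypted file(s) under {1}" -f $encrypted.Count, $ProfilePath

# 2. For a sample of them, show which certificates can decrypt each file.
#    cipher /c lists the user certificate thumbprint(s) and any recovery agent
#    certificates; if the only listed cert is an expired or replaced smart-card
#    cert and no DRA appears, the data is unrecoverable without that key.
foreach ($f in ($encrypted | Select-Object -First 5)) {
    cipher.exe /c $f.FullName
}

# 3. Check the current user's personal store for certificates carrying the
#    EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4) and whether the
#    private key is present. The thumbprint printed by cipher /c must match one here.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Format-Table Thumbprint, NotAfter, HasPrivateKey -AutoSize

# 4. Back up the current user's EFS certificate together with its private key.
#    cipher /x writes a password-protected .pfx (it prompts for the password).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
cipher.exe /x "$BackupDir\efs-user-backup"

# 5. Generate a data recovery agent key pair (.cer and .pfx). The .cer is what
#    gets published as the DRA through Group Policy; the .pfx must be kept offline.
cipher.exe /r:"$BackupDir\efs-dra"
```

Step 4 only helps if it is run while the user's key is still usable, which is the point of Peter's advice: the backup has to exist before the profile or the card goes bad. Step 5 produces the recovery agent certificate; assigning it as DRA in the EFS policy only covers files encrypted (or re-encrypted) after the policy applies, so existing files still need the user's own key or a DRA that was in place when they were written.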
From: "Peter Foldes" <[email protected]>

| David

| If you are going to use EFS then you should a) export the EFS certificate with
| the private key to a backup so it can be restored later. b) set up a data
| recover agent that can also decrypt the data. By default the data recovery agent
| is the first user of the XP workstation. That may be the local administrator or
| the automatically created first user when the system initially installed.

| The X509 EFS cert is stored in the user profile so if you use a roaming profile
| it will follow the user and if the local profile is damaged and renamed as you
| did the roaming profile will be used to create a new local profile complete with
| the EFS cert.

| If you do not have the EFS cert for the user and do not have a recovery agent
| then files cannot be decrypted.

| EFS is useful but very dangerous if not fully set up and understood.

Peter:

The Encryption File Certificate is NOT the problem. In this case I wish we were still
using it.

An EFS Certificate, stored in the user's certificate store, is good for 100 years. A
lifespan that will undoubtedly outlive the data being encrypted.

On the other hand, basing the file encryption on one's Smart Card causes more problems, as
Smart Cards expire, certificates get revoked, cards go bad, new Smart Cards are issued at
change of contracts, yada, yada...
 