Is it really impossible to recover an EFS encrypted file?

[Gera]

I have such situation: a Windows 2000 Pro SP4 PC in a W2K domain with a file encrypted using EFS.
I can't decrypt it using this account (Access denied), and AEFSDR can't find any useful keys.

Is it really impossible to decrypt this file using Default Domain Recovery Agent? (I have Dom. Admin
rights).
Is it a possible situation, that I by all means cannot decrypt some file?

Or there is _always_ a way to decrypt any file in a domain environment?
Tried some MS techniques, but without success and I feel lost somewhere...


Thanks,
Gera

 

[Guest]

Take ownership of the file(s) as Domain Admin, then
decrypt them.
Also, try to log on using the account that encrypted them
and decrypting that way. You can reset the password for
the account if you don't know it.

-----Original Message-----
I have such situation: a Windows 2000 Pro SP4 PC in a

W2K domain with a file encrypted using EFS.

I can't decrypt it using this account (Access denied),

and AEFSDR can't find any useful keys.

Is it really impossible to decrypt this file using

Default Domain Recovery Agent? (I have Dom. Admin

 

[Gera]

Take ownership of the file(s) as Domain Admin, then
decrypt them.

I backed up this file, restored on my computer, tried to take ownership, but Access is still Denied.

Also, try to log on using the account that encrypted them
and decrypting that way. You can reset the password for
the account if you don't know it.

I don't know which account was used to encrypt this file :-(

 

[Steven L Umbach]

The recovery agent for a domain is not just anyone in the domain admins
group, by default it is the first administrator created in the domaim on the
original domain controller which may be the PDC fsmo role holder. You can
use efsinfo to determine who can decrypt the files - user and recovery agent
and view thumbprint info for the certificate used to encrypt the file which
may be helpful to determine if the original certificate and hopefully needed
matching private key are still available by viewing certificates for user
identified via mmc certificate snapin for users. If the EFS private keys
are not found, then those files are lost for at least a decade or two. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;243026
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

 

[Gera]

The recovery agent for a domain is not just anyone in the domain admins
group, by default it is the first administrator created in the domaim on the
original domain controller which may be the PDC fsmo role holder. You can

Yes, i tried with Admin account.

use efsinfo to determine who can decrypt the files - user and recovery agent
and view thumbprint info for the certificate used to encrypt the file which
may be helpful to determine if the original certificate and hopefully needed

The efsinfo output is this:
needed file: Encrypted
Users who can decrypt:
Unknown (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
Certificate thumbprint: 9DD2 A680 5D0B 02C6 4169 ED43 10EB 7E50 AD6A 5A53
Recovery Agents:
DOMAIN\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
Certificate thumbprint: A4A0 A0E3 2B66 EA9C 5A3A DC69 B7EF FEF7 1183 BE36

matching private key are still available by viewing certificates for user
identified via mmc certificate snapin for users. If the EFS private keys
are not found, then those files are lost for at least a decade or two. ---

I connected to our Domain Certification server and can see 2 issued and valid certificates for the
user, which computer has this encrypted file.
Don't know if it helps in my situation. What do you think?

Thanks,
Gera

 

[Steven L Umbach]

I think your best bet is to try and find the recovery agent certificate
which probably is or was at one time on a domain controller, possibly the
first domain controller in the domain which may be the PDC fsmo roleholder.
You can use the mmc certificate snapin for user to check the details and
thumbprint of a certificate in the certificate store on a computer. The
certificates that are published for a user in AD can also be viewed in the
users account/published certificates by looking in Active Directory Users
and Computers and then selecting view/advanced features first.

Just logging onto a computer as the recovery agent [administrator by
default] is not good enough to decrypt files on a domain computer. The
recovery agents certificate/private key musr first be exported off the
computer where it resides into a .pfx file and then imported into the the
certificate store ot the target computer after the recovery agent log on as
described in the KB below. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;242296