
Has anyone done a W2K EFS file recovery?

Woodie

Platinum Member
I'm trying to do an EFS file recovery (in Test/Dev), and I can't get the @$#% file back. 🙁

I created two recovery agents, put them into a (domain) GPO, and linked it to my test domain. The policy takes effect (gpresult shows it), and efsinfo clearly shows the recovery agents that I've specified.

Now, I log in as the recovery agent, import the keys (right-click, install), and try to recover (using cipher /d).

"Access Denied". AAaaaaaccckkkk!!!!

--Woodie <not too happy w/ MS/W2K/EFS/documentation/etc.>
 
Are you sure it isn't a permissions problem? Try taking ownership of the file if you aren't the owner.
 
Were the files that you are trying to decrypt encrypted before you defined the Recovery Agent? If so, that Recovery agent will be unable to unencrypt the files. If this is the case you should try using the Domain Admin (Local if non Domain) Account. It would have been the Recovery Agent by default at the time the files were created.

 
Nope. Good idea, but that was the purpose of the test. efsinfo shows the right (expected) RAs, and the thumbprint matches the one on the Recov Cert that I have loaded.

At least this thread is getting some visibility 🙂

--Woodie
 
I've encountered this very same problem in a few of the labs we've done at school. I can get so far as to specify the recovery agent and give him the recovery agent certificate, but when it comes time for him to do his job....."access is denied".

The files are encrypted AFTER the recovery agent was created.

One strange thing too, you can only retrieve a recovery agent certificate from the ROOT CA, not the SUB CA. For some reason, there's no default trust relationship between the ROOT and the SUB CA, go figure.

Another thing that's really wonky is W2K Server's idea of DFS. DFS is so flaky, you cannot depend on it to work 100% of the time.

Plucky
 
Hmmmm PD...are you following me around??😉

Your comment on the Root CA vs. a Subordinate...I found not true.

I created an off-line CA (W2K Srvr) as the Standalone Root CA. Then created a W2K Enterprise Subordinate CA (obviously, within a forest). Re-ACLed the Certificate Templates (in the AD) and the CA itself, and had no trouble requesting/issuing a Recovery Certificate. One curious thing: When the RA account was in the same domain as the CA, the certificate was issued and published directly to the AD. When the RA was in a sub-domain, it issued the cert, but did not auto-publish the cert to the AD.

DFS has its own set of "issues". 😉

--Woodie
 
Woodie, that's the problem I've been having.

When I use the RA to request the CA, it says that it's successful. But when I go look for it in AD, it cannot be found, says no certificate attached to the account. The certificate was requested from a subordinate enterprise CA. I felt like I was in Twilight Zone 😕

Plucky
 
I should have posted it above...the fix to the AD publishing thing:

Open an MMC, add the Certificates snap-in, focus on User.
Drag the cert from the Personal\Certificates folder and drop it (in COPY mode) onto the Active Directory User Object folder. Now it's published. 🙂

--Woodie
 