Has anyone done a W2K EFS file recovery?

Woodie

Platinum Member
Mar 27, 2001
I'm trying to do an EFS file recovery (in Test/Dev), and I can't get the @$#% file back. :(

I created two recovery agents, put them into a (domain) GPO, and linked it to my test domain. The policy takes effect (gpresult shows it), and efsinfo clearly shows the recovery agents that I've specified.

Now, I login as the recovery agent, import the keys (right-click, install), and try to recover (using cipher /d).

"Access Denied". AAaaaaaccckkkk!!!!

--Woodie <not too happy w/ MS/W2K/EFS/documentation/etc.>
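A pre-flight check for the situation in this post, as an added example that is not from the thread: before running cipher /d as a recovery agent, confirm that a recovery certificate listed in the file's data recovery field is present in the current user's personal store together with its private key (installing only a .cer gives the certificate but no key, and recovery then fails). It assumes the "cipher /c" output format of Windows Vista and later (on W2K the equivalent listing came from efsinfo /r) and PowerShell 3.0 or newer.

```powershell
# Added example, not from the thread: verify an EFS recovery agent can decrypt $Path.
# Assumes "cipher /c" prints a "Recovery Certificates:" section with
# "Certificate thumbprint:" lines (Vista+ format; W2K used efsinfo /r).
param([Parameter(Mandatory)][string]$Path)

$out = & cipher.exe /c $Path 2>&1
if ($LASTEXITCODE -ne 0) { throw "cipher /c failed for $Path" }

# Collect thumbprints from the "Recovery Certificates:" section only,
# not from "Users who can decrypt:" (those are the owners' keys).
$inRecovery = $false
$raThumbs   = @()
foreach ($line in $out) {
    if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true;  continue }
    if ($line -match '^\s*Users who can decrypt:')  { $inRecovery = $false; continue }
    if ($inRecovery -and $line -match 'thumbprint:\s*(.+)$') {
        # Normalise "AB12 CD34 ..." to a bare upper-case hex string.
        $raThumbs += ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    }
}
if (-not $raThumbs) {
    Write-Warning "No recovery agent in the DRF of $Path; it was encrypted before the RA policy applied, so only the owner's key can decrypt it."
    return
}

# The RA must hold the matching certificate AND its private key in Cert:\CurrentUser\My.
$mine = Get-ChildItem Cert:\CurrentUser\My
foreach ($t in $raThumbs) {
    $cert = $mine | Where-Object Thumbprint -eq $t
    if (-not $cert) {
        "RA $t : not in this user's personal store (import the .pfx, not only the .cer)"
    } elseif (-not $cert.HasPrivateKey) {
        "RA $t : certificate present but without a private key; cipher /d will be denied"
    } else {
        "RA $t : usable by this user; cipher /d `"$Path`" should succeed"
    }
}
```

Run it as the recovery agent account on the machine holding the file; a thumbprint that matches efsinfo/cipher output but shows "without a private key" is the usual cause of "Access Denied" despite a correct-looking policy.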
 

Saltin

Platinum Member
Jul 21, 2001
Are you sure it isn't a permissions problem? Try taking ownership of the file if you aren't the owner.
 

Saltin

Platinum Member
Jul 21, 2001
Were the files that you are trying to decrypt encrypted before you defined the Recovery Agent? If so, that Recovery Agent will be unable to unencrypt the files. If this is the case you should try using the Domain Admin (Local if non-Domain) account. It would have been the Recovery Agent by default at the time the files were created.

 

Woodie

Platinum Member
Mar 27, 2001
Nope. Good idea, but that was the purpose of the test. efsinfo shows the right (expected) RAs, and the thumbprint matches the one on the Recov Cert that I have loaded.

At least this thread is getting some visibility :)

--Woodie
 

PeeluckyDuckee

Diamond Member
Feb 21, 2001
I've encountered this very same problem in a few of the labs we've done at school. I can get so far as to specify the recovery agent and give him the recovery agent certificate, but when it comes time for him to do his job....."access is denied".

The files are encrypted AFTER the recovery agent was created.

One strange thing too, you can only retrieve a recovery agent certificate from the ROOT CA, not the SUB CA. For some reason, there's no default trust relationship between the ROOT and the SUB CA, go figure.

Another thing that's really wonky is W2K Server's idea of DFS. DFS is so flaky, you cannot depend on it to work 100% of the time.

Plucky
 

Woodie

Platinum Member
Mar 27, 2001
Hmmmm PD...are you following me around??;)

Your comment on the Root CA vs. a Subordinate...I found not true.

I created an off-line CA (W2K Srvr) as the Standalone Root CA. Then created a W2K Enterprise Subordinate CA (obviously, within a forest). Re-ACLed the Certificate Templates (in the AD) and the CA itself, and had no trouble requesting/issuing a Recovery Certificate. One curious thing: when the RA account was in the same domain as the CA, the certificate was issued and published directly to the AD. When the RA was in a sub-domain, it issued the cert, but did not auto-publish the cert to the AD.

DFS has its own set of "issues". ;)

--Woodie
 

PeeluckyDuckee

Diamond Member
Feb 21, 2001
Woodie, that's the problem I've been having.

When I use the RA to request the CA, it says that it's successful. But when I go look for it in AD, it cannot be found, says no certificate attached to the account. The certificate was requested from a subordinate enterprise CA. I felt like I was in the Twilight Zone :confused:

Plucky
 

Woodie

Platinum Member
Mar 27, 2001
I should have posted it above...the fix to the AD publishing thing:

Open an MMC, add the Certificates snap-in, focus on User.
Drag the cert from the Personal\Certificates folder and drop it (in COPY mode) onto the Active Directory User Object folder. Now it's published. :)

--Woodie