How can admin users decrypt user's folders?

SauM

Junior Member
Jan 3, 2002
20
0
0
I cannot decrypt the contents of users' folders.
I know some of them are trying to find some
security holes in systems and have some log files, etc.
But they have encrypted their home folders via the
Windows 2000 encryption procedure. Now how can
I decrypt them? Windows says "access is denied" when
I try to use decryption!
 

Derango

Diamond Member
Jan 1, 2002
3,113
1
0
You have to have the key they used to encrypt them with. That's the whole point of encryption :)
 

SauM

Junior Member
Jan 3, 2002
20
0
0
The "access denied" is not about the key,
and also Windows doesn't ask you to enter
any key to encrypt/decrypt.
 

AndyHui

Administrator Emeritus, Elite Member, AT FAQ M
Oct 9, 1999
13,141
17
81
Derango is actually correct.

You need a cipher key in order to get to encrypted files.

Please read the FAQ: How to use EFS for more information about encrypted files.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
In a properly configured EFS, a domain admin will be configured as a/the default recovery agent (DRA). This person(s) holds a key which will unencrypt any user's files as long as they are a member of the same domain. All files, when encrypted, are encrypted with two keys: the user's and the DRA's.

Your issue could be a permissions problem too. Try taking ownership of the files/folders in question first, and then assigning yourself full control permissions.

If you are certain that your users are acting in this manner, I would remove their ability to use EFS by removing their key from their profile. Wait until they have to come to you for help, and watch them try to explain their actions.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
What Saltin says is only half-right.

In a domain structure, assuming that no specific EFS recovery agent has been specified (so the Default Domain policy has set it to Domain\Administrator):

When a user is logged in and attempts to encrypt a file, EFS will query the user's certificate store for an EFS-enabled key. If it doesn't find one, it will automatically generate a 101-year local certificate for the user, and use that key to encrypt the data. So, removing the key will only be a problem for the user when they try to get back to their OLD data. They will still have the ability to create NEW files.

To disable EFS in the domain, you have to set a GPO with an EMPTY EFS Recovery Policy, and make sure that it overwrites the default policy. (See the MS TechNet and White Papers on how to do this.)

Your issue is likely to be EFS, as that is the (misleading) error message that comes back when you try to access an encrypted file. If you look at the properties (attributes) of the files, look for the letter E--which means the file is encrypted. Alternatively, you can run efsinfo against the file or directory, and it will tell you if the file is encrypted, and if so, which user encrypted it.
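The attribute check Woodie describes, as an added example that is not part of any post in this thread. It assumes a current Windows system with PowerShell rather than Windows 2000, and `D:\Home` is a hypothetical path for the user home folders.

```powershell
# Added example: inventory EFS-encrypted files and folders under a tree.
# Assumptions: PowerShell 3.0 or later; $Root is a hypothetical path.
param(
    [string]$Root = 'D:\Home',   # hypothetical location of user home folders
    [switch]$Detail              # also capture "cipher /c" output per file
)

$efsFlag = [System.IO.FileAttributes]::Encrypted

$report = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $efsFlag } |
    ForEach-Object {
        # The owner lives in the NTFS security descriptor, which EFS does not
        # encrypt, so it can be read even when opening the file is denied.
        $owner = try {
            (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
        } catch {
            '<owner unreadable>'
        }

        # cipher /c prints the users and recovery certificates that can
        # decrypt a file. It is only meaningful for files, not folders.
        $efsInfo = $null
        if ($Detail -and -not $_.PSIsContainer) {
            $efsInfo = (& cipher.exe /c $_.FullName 2>&1 | Out-String).Trim()
        }

        [pscustomobject]@{
            Path     = $_.FullName
            IsFolder = $_.PSIsContainer
            Owner    = $owner
            Modified = $_.LastWriteTime
            EfsInfo  = $efsInfo
        }
    }

# Summary per owner first, then the full listing.
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$report | Sort-Object Owner, Path |
    Format-List Path, IsFolder, Owner, Modified, EfsInfo
```

Run with `-Detail` to see, per file, whether a recovery agent certificate is listed alongside the user's own.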
 

Derango

Diamond Member
Jan 1, 2002
3,113
1
0


<< the "access denied" is not about the key.
and also windows doesn't ask you to enter
any key to encrypt/decrypt.
>>



As others have said, it automatically creates and uses a key to encrypt data. This key is local to the user. If you don't have the key, you won't be able to decrypt it.