Need quick help with windows encryption

cbrsurfr

Golden Member
Users have external USB hard drives with full backups of their C: drive. Users were migrated from Domain A to Domain B. Once they were migrated they can no longer access files on the external drive due to Windows encryption. Is there a way to restore access? Or a way to crack it? Need help fast.

Thanks!
 
Just guess: because of the domain switch they'll have to reimport their keys. The user id changes are probably causing this. </guess>
 
Yes it is EFS. The old domain does still exist. I was on the phone with Microsoft for 3 hours today and still didn't get it fixed.
 
Were they actually migrated, or given new accounts in the new domain? If they were given new accounts, they have new SIDs, and it's a simple ownership issue. As long as they have their certs loaded into their MY stores, they can take ownership of the files and they'll be fine.
 
I have the certs. Problem is the certs don't show under their personal store. So they need to be imported. Now when I try to import them it eventually asks for a password. I've tried several and came up empty.
 
OP,

I suggest you sit down and read Microsoft's manuals on EFS.

One thing that would work would be to restore the old Domain to the point where the Users were still a part of it and their files were intact. Then have them log on with their "old" usernames/passwords and have them turn EFS off for all their files. Or determine who the Key Recovery Agent is for the files (usually the Domain Admin) and he/she can recover the files.

THEN copy the files and move them to the new domain.

Then run a user class on how to prepare for recovery of encryption keys.
 
I'm not SOL. The user is SOL. 😉

The 2nd call from Microsoft yielded much better results. I actually got to talk to the guy that wrote many of MS's KB articles on EFS.

Moving the machine back to the old domain (NT 4.0) and the old password didn't work. We did find certs but they weren't the right ones (the thumbprints didn't match) so needless to say we couldn't decrypt them. I imagine one major problem is I'm about the 4th or 5th person to take a look at this. So everyone else has already tried all kinds of ****** that probably made things worse for me.

I did later find a set of exported certs on the backup drive itself. Unfortunately those are the ones that prompt for a password when importing. I've talked to the idiot that decided to encrypt the drive and he says he didn't set a password. So I guess it is possible the Maxtor software (Retrospect?) set some default password. Something to look into I guess.

For the hell of it I did try the domain admin account already (the Indian MS support guy actually recommended this). The old domain being NT 4.0 it wasn't likely to work anyway. I also tried the 2003 AD domain admin account on the migrated profile and that didn't work either. Probably because there was no DRA default recovery agent. At least that's what efsinfo tells me.

I even tried a 3rd party software (can't remember the name at the moment) that guaranteed it could recover EFS encrypted files if the keys were lost, corrupted, etc... I ran it and the first thing it said was, "Sorry we couldn't find any keys, would you like to search again?" lol
 
Cert private keys are stored in the logged on user profile.

Most of those "recovery" softwares merely search the local HD, looking for keys to load, they don't actually break the encryption, all they do is search for keys to try.

On the exported (backed up keys), the user must have set a password...I assume you tried blank? This is part of the MS Cert Export tool, so I'm pretty sure Maxtor or whatever would not have set a password.

For OTHER users
When you try the domain account...
1. You must log on to the first DC in the domain, that's where the Administrator Cert was created in the Administrator profile.
2. Export the cert to file.
3. Now, log in to the device with the encrypted file (EFS encryption/decryption is LOCAL)
4. Import the cert from the file above.
5. Should be "good to go" <Taco Bell> 🙂

For the CBR Surfer:
If efsinfo is saying there are no RA keys associated with the files, you are in heap big trouble. Now you have to figure out a way to log on w/ the old id, and trigger the users' original profile (to get their EFS cert). When you went back to the NT4 domain...did you see which profile got loaded?

Before you ask, NO, you cannot just copy the old profile onto the new profile name.
Corrupted profiles drive 60% of my data recovery problem tickets right now.

PM or IM me later...gotta run to a meeting.
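
Added example (not part of any post in this thread): a PowerShell check for the two things the thread keeps coming back to, whether a certificate in the logged-on user's MY store matches the thumbprint recorded on the encrypted file, and whether the file carries any recovery agent at all. The function names are hypothetical, the sample text and thumbprints are constructed, and the line patterns assume the English output of `cipher /c`.

```powershell
# Added example: compare thumbprints recorded on an EFS file with the
# certificates (with private keys) available in a certificate store.

function Get-EfsFileKeyInfo {
    param([string[]]$CipherOutput)          # lines of `cipher /c <file>` output
    $section = $null; $user = @(); $recovery = @()
    foreach ($line in $CipherOutput) {
        switch -Regex ($line) {
            'No recovery certificate' { $section = $null; break }
            'Users who can decrypt'   { $section = 'User'; break }
            'Recovery Certificates'   { $section = 'Recovery'; break }
            'Certificate thumbprint:\s*(.+)$' {
                # cipher prints the thumbprint in space-separated groups
                $tp = ($Matches[1] -replace '\s', '').ToUpperInvariant()
                if ($section -eq 'User')     { $user += $tp }
                if ($section -eq 'Recovery') { $recovery += $tp }
                break
            }
        }
    }
    [pscustomobject]@{ UserThumbprints = $user; RecoveryThumbprints = $recovery }
}

function Test-EfsKeyAvailable {
    param($KeyInfo, [string[]]$StoreThumbprints)
    $store = @($StoreThumbprints | ForEach-Object { $_.ToUpperInvariant() })
    [pscustomobject]@{
        UserKeyPresent     = [bool]($KeyInfo.UserThumbprints | Where-Object { $store -contains $_ })
        RecoveryKeyPresent = [bool]($KeyInfo.RecoveryThumbprints | Where-Object { $store -contains $_ })
        HasRecoveryAgent   = @($KeyInfo.RecoveryThumbprints).Count -gt 0
    }
}

# Constructed sample: a file with one user key and no recovery agent.
$sample = @'
E backup.bkf
  Users who can decrypt:
    OLDDOM\jdoe [jdoe(jdoe@OLDDOM)]
    Certificate thumbprint: AAAA BBBB CCCC DDDD EEEE 0000 1111 2222 3333 4444
  No recovery certificate found.
'@ -split '\r?\n'

# Constructed store content: a cert whose thumbprint does not match the file.
$storeThumbprints = @('FFFFEEEEDDDDCCCCBBBB99998888777766665555')
Test-EfsKeyAvailable (Get-EfsFileKeyInfo $sample) $storeThumbprints

# Against a live system (run as the affected user):
#   $out = cipher /c 'E:\path\to\file'
#   $my  = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | ForEach-Object Thumbprint
#   Test-EfsKeyAvailable (Get-EfsFileKeyInfo $out) $my
```

With the constructed sample all three properties come back `False`: no matching user key in the store and no recovery agent on the file, which is the state described in the thread.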