Amiga-2000


How to decrypt Windows files

Hello experts
I have a small issue with encrypted files. The problem stems from Windows 7 64-bit expanding Mac zip files. The expanded folder structure is encrypted. When I run a file replication job from BackupAssist on the Windows 2008 R2 server, I get a stream of errors advising access was denied when trying to replicate the files to a NAS box. I know the user who did the original extraction could decrypt the files, but with so many Mac files coming in I need to be able to perform the decryption on the server rather than bother users with the decryption process. If I try to manually decrypt the folders, I receive an access denied message.

Does anyone have any ideas what needs to be done to allow the domain admin to decrypt the files, or if this is even possible?

Thanks in advance for your help.
page1985

What is the mechanism being used to encrypt them?
Amiga-2000

ASKER

The built in Windows NTFS encryption
There's good news for you, then. I was worried when you started mentioning Mac that it was something being encrypted on Mac clients before being put on the server.

For NTFS Encrypting Filesystem, you can edit the default domain policy in GPMC to add something called an EFS Recovery certificate.  This is for exactly what you want -- to allow one or more users to decrypt any file encrypted in the network.  Here's an article for how to do it:

Data Recovery and Encrypting File System (EFS)
http://technet.microsoft.com/en-us/library/cc512680.aspx

Best Practices for Encrypting File System
http://support.microsoft.com/kb/223316
ASKER CERTIFIED SOLUTION
page1985
This solution is only available to members.
Thanks page1985. Will give that a go.
Note that recovery agents can't be automatically added after-the-fact - so only new files created by those users will have the new keyset.

You would need to unsecure and resecure each file (as the original user) in order to get the benefit.

Note also though that EFS protected files moved *by the original user* to FAT storage (or zipfile, or anything that isn't another NTFS volume) are automagically unprotected - so perhaps there is a solution there?
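
An added example, not part of any post in this thread: because a recovery agent added by policy only covers files encrypted or re-keyed afterwards, this PowerShell script lists the EFS-encrypted files under a folder whose recovery certificates do not include the domain recovery agent. The folder path and thumbprint are placeholders, and the parsing assumes the English-language output of `cipher /c`.

```powershell
# Added example (not from the thread): list EFS-encrypted files that the
# domain recovery agent (DRA) cannot yet decrypt.
# Assumptions: $Root and $DraThumbprint are placeholders; parsing expects the
# English-language output of "cipher /c".
param(
    [string]$Root          = 'D:\Shares\Incoming',     # hypothetical path
    [string]$DraThumbprint = '<DRA-CERT-THUMBPRINT>'   # placeholder value
)

# Thumbprints are compared without spaces and in upper case.
function ConvertTo-PlainThumbprint([string]$t) { ($t -replace '\s', '').ToUpperInvariant() }
$wanted = ConvertTo-PlainThumbprint $DraThumbprint

# NTFS flags EFS-protected files with the Encrypted attribute.
# (A Where-Object filter instead of -File keeps this usable on PowerShell 2.0.)
$encrypted = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

$report = foreach ($file in $encrypted) {
    # cipher /c lists who can decrypt the file and its recovery certificates.
    $out = (& cipher.exe /c $file.FullName 2>&1 | Out-String)

    # Keep only the text after the "Recovery Certificates:" heading, so the
    # owner's own certificate is not mistaken for a recovery agent.
    $idx      = $out.IndexOf('Recovery Certificates:')
    $recovery = if ($idx -ge 0) { $out.Substring($idx) } else { '' }

    $found = @([regex]::Matches($recovery, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { ConvertTo-PlainThumbprint $_.Groups[1].Value })

    New-Object PSObject -Property @{
        Path         = $file.FullName
        RecoveryKeys = $found.Count
        HasDomainDra = ($found -contains $wanted)
    }
}

# Files that an account holding the DRA private key still cannot read.
$report | Where-Object { -not $_.HasDomainDra } |
    Select-Object Path, RecoveryKeys | Sort-Object Path
```

`cipher /u`, run by the user who encrypted the files, updates the recovery keys on that user's encrypted files on local drives once the new policy has applied.
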
LeeTutor
I've requested that this question be closed as follows:

Accepted answer: 168 points for page1985's comment #a38348473
Assisted answer: 166 points for page1985's comment #a38348475
Assisted answer: 166 points for DaveHowe's comment #a38349204

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Sorry, page1985, was distracted on different issues.