Solved

EFS Recovery Agent Not Working

Posted on 2004-03-25
14
1,938 Views
Last Modified: 2013-12-04
I've recently installed an Enterprise Root CA on our Win2K mixed mode domain.  I went through the Step-by-Step Guide to Encrypting File System document from Microsoft.  The domain administrator is set as an EFS Recovery Agent in the domain GPO.  I've been testing EFS by creating an encrypted folder on a domain user workstation and adding a test Word doc to that folder.  I use NTBACKUP to back up the encrypted folder to a floppy and take the floppy to the server where the EFS recovery agent was created.  I restore the backup to that server and I'm able to remove the encrypted attribute from the encrypted folder, removing encryption from all files contained in the folder.  But, when I open the Word doc, it is all garbled and still encrypted.  I've tried many different things including uninstalling the Certificate Authority and reinstalling but the same result happens.  I can't find anything about this problem anywhere so I'm coming to you guys for help.  I'm assigning 500 points because this is an urgent matter at my company and I need to have it working by yesterday.

Thanks.
Question by:aberdahl
14 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10680590
Disable/Enable EFS on a Stand-Alone Windows 2000-Based Computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;243035

You Cannot Decrypt Files After You Reset Your Password with a Password-Reset Disk
http://support.microsoft.com/default.aspx?scid=kb;en-us;308273

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 250 total points
ID: 10680592
IMPORTANT - HOW TO: Back Up the Recovery Agent Encrypting File System Private Key in Windows 2000
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q241/2/01.asp&NoWebContent=1

 

Author Comment

by:aberdahl
ID: 10680948
I've exported and saved to diskette the certificate and private key for the recovery agent, I just haven't deleted the recovery agent certificate from the system yet.  I'd like to see it work first before I do that.  I've looked at the articles you've suggested before starting this posting and I've done all these things before.  Still, there is a problem.
 
LVL 12

Expert Comment

by:trywaredk
ID: 10681541
You can't use NTBACKUP on encrypted efs-files
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/efsguide.mspx

***quote***
Backing Up an Encrypted Folder or File
The following explains the procedures and LIMITATIONS for backing up encrypted folders or files.

Backing up by copying. Backup created using the Copy command or menu selection can end up in clear text, as explained previously in the section, Copying an Encrypted Folder or File. Backing up using Backup in Windows 2000 or any BACKUP UTILITY THAT SUPPORTS  Windows 2000 features. This is the recommended way to back up encrypted files. The backup operation maintains the file encryption, and the backup operator does not need access to private keys to do the backup; they only need access to the file or folder to complete the task.

To use Backup to back up a file, folder, or drive
1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup. The Backup wizard appears.
2. Click the Backup tab.
3. Select the drive, files, or folders that you want to back up. (in this case My Documents\Encrypted Files).
4. Select the destination in the Backup media or file name list. Click Browse to locate a pre-existing backup file.
5. Click Start Backup.
6. In the Backup Job Information dialog box, make selections, and then click Start Backup. When the backup process is complete, click Close in the Backup Progress dialog box.

Backup backs up the entire encrypted file, folder, or drive to the backup file you selected. This file can be copied to FAT media, such as floppy disks, and is secure because its contents remain encrypted.
***end of quote***
 

Author Comment

by:aberdahl
ID: 10682428
The steps above to backup EFS folders and files use NTBACKUP on Windows XP.  The shortcut in System Tools points to ntbackup.exe, and many documents I've read say that using NTBACKUP is the preferred way to backup EFS folders and files because it preserves the encryption.  Encryption is lost when encrypted files are copied from one computer to another unless the target computer is "trusted for delegation."  So the safest way to move encrypted files from one computer to another is to back them up using NTBACKUP.   This surely works because I can't even get my Recovery Agent to open the restored files (again, using NTBACKUP) without looking at a garbled mess.
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 10697096
EFS is very touchy. I assume that once the files are encrypted, they can be opened correctly on the box they were encrypted with. The encryption does stay if moving from NTFS to NTFS, however the files are unencrypted to travel over the wire if the src and dst drive are not both NTFSv5. If both are version 5, then the files are not unencrypted over the wire. NTBACKUP is typically a default recovery agent along with the admin account, or the domain admin as the case may be. I've confirmed it, my admin account can move the efs folder from one pc to another, where my admin account has rights. If I connect to the drive (network share) I've just copied it TO, with another account not in the recovery agents, I am prompted for a user and password, no domain mind you, as these are workstations. They share no certs or keys between one another, however my admin account can open the file just fine on the remote pc it was copied to, the admin account passwords for these two boxes do not match.  If I logon to the pc with the new efs file, and try to open it with any account, it doesn't work, or is garbled because the cert is missing.
Anyone in the recovery agent list can copy or "backup" the files, unless denied with ntfs explicitly from doing so.

I was rereading your posts... it's not working? Even on the box it was encrypted with...? Exporting is removing them same as deleting them off the c:, leaving the floppy in shouldn't matter, it doesn't know to look there, it looks on the c: when they are imported they are saved- again your PC won't know where they are if you export them, you basically have to force feed it to the computer before.
GL!
-rich
 

Author Comment

by:aberdahl
ID: 10708353
Thanks for the information, Rich.  The problem I'm experiencing is that I can't get the recovery agent (domain admin) to open any encrypted files created by a domain user.  I've created the recovery agent cert and have that in place in the domain GPO for EFS Recovery.   I've logged onto a workstation as the domain admin, imported the domain admin cert with keys, added the domain admin cert into the local gpedit.msc for Encrypting File System under Public Key Policies, restarted the computer, logged back in as the domain admin, go to the encrypted folder in the domain user profile and (*honk*) "Access Denied".  I have a little network at home and I'm having the exact same problem there.  The only thing in common between the two networks is how I installed the Enterprise CA.  Maybe I installed it wrong in both places, but the installation is pretty straight forward.  The frustrating thing is that I can't seem to find any information about this specific problem anywhere.  The only thing I've found is an article that states that the Domain Group Policy sets a registry key on the workstation which is checked by EFS during user operations. The key is: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EFSConfiguration.  I can't find this key on the workstation either at work or at home.  So there is some problem with the EFS part of the domain GPO not getting processed onto the workstations.  How to get past that is the challenge here.  -Andy
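A defender-side check for the symptom described in the post above (the domain EFS policy key never appearing on the workstation, and the recovery agent getting "Access Denied"), added here as an example and not part of the original thread. It assumes a recent Windows with PowerShell and a cipher.exe that supports /c; the policy registry path is the one named in the post, and Test-EfsRecoveryPolicy is a hypothetical helper name.

```powershell
# Added example: confirm the domain EFS recovery policy reached this workstation
# and list the recovery agents stamped on an encrypted test file.
# Run elevated on the workstation where the recovery agent is denied access.

function Test-EfsRecoveryPolicy {
    param(
        # Path of an encrypted test file, e.g. one in the domain user's profile.
        [string]$EncryptedFile
    )

    # Policy key the domain GPO is expected to populate (path taken from the thread).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    $result = [ordered]@{ PolicyKeyPresent = $false; EfsDisabled = $false; Agents = @() }

    if (Test-Path $policyKey) {
        $result.PolicyKeyPresent = $true
        $cfg = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        # EfsConfiguration = 1 means EFS has been switched off by policy.
        if ($cfg.PSObject.Properties['EfsConfiguration'] -and $cfg.EfsConfiguration -eq 1) {
            $result.EfsDisabled = $true
        }
    } else {
        # Missing key = GPO not processed here; that points at domain membership or
        # policy application, not at the CA or the recovery certificate.
        Write-Warning 'EFS policy key missing: the domain GPO has not been applied on this machine.'
    }

    if ($EncryptedFile -and (Test-Path $EncryptedFile)) {
        # cipher /c prints the users and recovery certificates able to open the file.
        $out = & cipher.exe /c $EncryptedFile 2>&1
        $inAgents = $false
        foreach ($line in $out) {
            if ($line -match 'Recovery Certificates') { $inAgents = $true; continue }
            if ($inAgents -and -not $line.Trim()) { $inAgents = $false }   # blank line ends section
            if ($inAgents) { $result.Agents += $line.Trim() }
        }
        if ($result.Agents.Count -eq 0 -or ($result.Agents -join ' ') -match 'No recovery certificate') {
            # A file encrypted before the policy arrived carries no recovery agent,
            # so the agent's key cannot open it no matter how it is backed up.
            Write-Warning "No recovery agent recorded on $EncryptedFile; re-encrypt it after the policy applies."
        }
    }
    [pscustomobject]$result
}

# Constructed sample path; point it at a real encrypted test file on the workstation.
Test-EfsRecoveryPolicy -EncryptedFile 'C:\Users\testuser\Documents\Encrypted\test.doc'
```

If the key is present but the file lists no recovery certificate, the file predates the policy and must be re-encrypted (or touched with cipher /u) before the agent can recover it.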
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10708411
Sounds frustrating, I know EFS is a pain... I however have never done EFS in AD... Until recently we used NT style domains... I'll give it a go here on my pc and see if I experience the same results...
 

Author Comment

by:aberdahl
ID: 10708548
Thanks, Rich, for the help.  I'll be curious to see what you come up with.  -Andy
 

Author Comment

by:aberdahl
ID: 10709198
Rich, I think I found a solution.  All our workstations were members of an NT 4.0 domain which was upgraded to Win2K recently.  After the upgrade I installed an Enterprise CA.  It seems that for a domain based EFS system to work the workstation must be joined to a domain after EFS is set up (recovery agent, etc.).  So I removed my workstation from the domain and re-added it to the domain.  Now the recovery agent can open an encrypted file created by a domain user.  I don't know if this is the preferred way to make this work, but it seems to be working.  I haven't found anywhere where it says that computers that were "grandfathered" into an upgraded Win2K domain must be removed from the Win2K domain and re-added for EFS to work, but it may be the case.
 

Author Comment

by:aberdahl
ID: 10716867
Unfortunately, I haven't been able to duplicate on another computer what I did on my workstation to solve the problem.  An encrypted file on the second workstation adds the same recovery agent to the file as does an encrypted file on my workstation but there is a discrepancy between the registries on the two computers.  I'm looking at HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates.  There is different information here on both computers.  I gotta go, my boss just called.  I'll continue this later.  -Andy
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10717052
I am unable to duplicate, as our AD Domain Controllers are built from scratch, not upgraded. Again, my recovery agents work just as if it was a workstation... I'd get M$ on the horn and see if they've encountered the problem... see if they have any suggestions... I'm about out. Sounds to me like you know how it works (or is supposed to) and are following the steps... it's just broken. I'll keep looking also...GL!
-rich
 

Author Comment

by:aberdahl
ID: 10719876
Ok, I finally have the solution.  It had nothing to do with removing and re-adding computers to domains.  I simply wasn't exporting the correct Recovery Agent certificate and, to compound matters, I wasn't importing them correctly.  I used the following article to set me straight.

http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx

I'm going to split the points between the two respondents with a big "Thank You" to both of them for helping me along the way.
 
LVL 12

Expert Comment

by:trywaredk
ID: 10727797
:o) Glad we could help you - thank you for the points