EFS files can't be decrypted after AD installation on Win2003 server

Posted on 2007-08-05
Medium Priority
Last Modified: 2013-11-05
On a Win2003 server EFS works fine from local admin or local user accounts.

AD is now activated.  Now only a domain login is shown.  Machine works OK.  Didn't check EFS decryption (oops!) Admin password is changed (not reset).

Now EFS encrypted files can't be decrypted by using Win Explorer or by launching them in an application.  Cipher.exe shows [ERR] when trying to decrypt these files.

In Computer Management/Certificates (local computer)/Trusted People/Certificates I see a cert for EFS for the Administrator from before the AD activation and one from after AD activation.  I presume that AD switched certificates for EFS, leaving me no way to decrypt the files encrypted with the old cert.

Any suggestions on how to decrypt these files so they can be reencrypted with the current account?
Question by:gmit
LVL 17

Expert Comment

by:Tony Massa
ID: 19635754
By default, a workstation's or member server's recovery agent is the default Administrator account. By "default Administrator account," Microsoft means the Administrator account you created when you installed Win2K, not any other member of the local Administrators account.
  "On a domain, the default recovery agent is the default Administrator for the computer that was the first domain controller installed for that domain; in other words, the first server that you ran Dcpromo for when you created the domain."

Here are a few Articles that should clarify what happens when a domain is created:


LVL 31

Expert Comment

by:Toni Uranjek
ID: 19636537

Just an idea: boot into Directory Service Restore Mode, change the password of the DSRM administrator to the password which you were using as local administrator, and try to decrypt the files. Let me know if it works.


Author Comment

ID: 19639239
Some more info ...

I had ignored the DSRM possibility because it didn't allow login with the previous administrator password.  It is possible that this is because the previous password didn't meet the password quality currently set in the domain.  Looks like this deserves another try after reducing the domain password requirements.

Using EFSINFO.exe (from the MS Win Support Tools) indicates that the thumbprint of the required EFS cert is in fact the older Administrator cert, which can be seen via
computer management/certs/trusted people/certs
Moving this cert to certs/trusted root/certs didn't allow CIPHER.exe or Win Explorer to decrypt the file, however.

Looks like I guessed wrong on how to activate the old EFS cert.  Any suggestions on that?
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19639277
If you can export the old certificate, try importing it into another user account and try again.

Author Comment

ID: 19640607
Good idea.  This led to the discovery that the EFS certificate that I need may have a missing private key.  When viewing the certificate I see "You have a private key that corresponds to this certificate"  but when attempting to export "the associated private key cannot be found".  

I will look at a tape backup -- unfortunately this machine didn't have EFS certs exported before the domain installation.
LVL 31

Accepted Solution

Toni Uranjek earned 1000 total points
ID: 19641059
You can always change the password policy, disable password complexity and change the minimum password length, so that you can use the old password for the DSRM account. Password policy settings are defined in the Default Domain Policy.

Author Comment

ID: 19680853
Here FYI is what did and didn't work.

After installing a domain a  Win 2003 server doesn't decrypt files. What a pain EFS is!  Here is what doesn't work:

1.  Trying to log in via a boot to DSRM with the current Administrator password (no private key available for the EFS cert) and with the old password (didn't conform to the domain's password complexity requirement); after reducing the complexity requirement the login still didn't work.

2.  Attempting to export the Administrator EFS cert with the proper thumbprint and importing it to another user's account (private key still not accessible even though the general screen of cert indicated that there was an accessible private key).

3.  Try decrypting the files with all other user accounts on the server.

Here is what I ended up doing...

1. Use EFSINFO (from Win support tools) to figure out what the thumbprint of the EFS certificate is for the encrypted files.
2. Look at mmc/computer management/certificates and discover that the cert that I need has no private key.  This is because when a domain is installed on 2003 server the private keys for existing certs are deleted (nice).
3. On a fresh hard drive install Server 2003 from CD.
4. From a tape backup done prior to the domain installation recover C: then recover the system state.  Note, it is necessary to initialize the OS with MS before logging off.  In this case that meant doing it on the phone to India since I couldn't get out of the initialize screen to set up the network adapter.
5. Export EFS cert and private key, import them to sick server.
6. Decrypt files using
CIPHER /D /S:m:\ /A > decrypt_m_log.txt
and look out for lines in the log file that contain "[ERR]", indicating that there is a problem with decryption.

It sure would be nice to have an EFS management utility that could simplify all of this.  Hey, maybe somebody that knows Mark Russinovich -- and could convince him to write a (Microsoft) Sysinternals GUI for this stuff.
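The three things the thread ends up needing, as an added PowerShell example that is not from the original thread or from Microsoft: a check of whether an EFS certificate in the user's store still has a usable private key (the certificate dialog's "You have a private key" line is what misled the author), a backup of that certificate and key before any account change such as dcpromo, and the bulk decrypt from step 6 with the [ERR] lines pulled out of the log automatically. Assumptions: cipher.exe supports /X (added with Windows XP SP2 / Server 2003 SP1) and appends .pfx to the name given; the paths are placeholders; the EFS Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4 is the standard Microsoft value.

```powershell
# Added example, not code from the original thread. Assumptions: cipher.exe
# supports /X (XP SP2 / Server 2003 SP1 and later) and writes <base>.pfx;
# paths below are placeholders; 1.3.6.1.4.1.311.10.3.4 is the EFS EKU OID.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

# List the current user's EFS certificates with the thumbprint EFSINFO reports
# and whether CryptoAPI can actually find a private key for each. After dcpromo
# the thread found HasPrivateKey was effectively False for the old cert.
function Get-EfsCertificateStatus {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEkuOid)
    } | Select-Object Thumbprint, NotAfter, HasPrivateKey
}

# Back up the certificate AND private key before anything that touches the
# account (dcpromo, password reset, profile deletion). cipher /X prompts for a
# password to protect the file; keep the resulting .pfx off the machine.
function Backup-EfsKey {
    param([string]$PfxBase = (Join-Path $env:USERPROFILE 'efs-backup-before-dcpromo'))
    & cipher.exe /X:$PfxBase
    Get-Item "$PfxBase.pfx"        # assumed: cipher appends .pfx to the base name
}

# Bulk-decrypt a tree the way the thread does (CIPHER /D /S:<dir> /A), keep the
# full log, and return only the lines cipher tagged [ERR] so a failure is not
# lost in a long listing.
function Invoke-EfsBulkDecrypt {
    param(
        [Parameter(Mandatory=$true)] [string]$Root,
        [string]$LogPath = (Join-Path $env:USERPROFILE 'decrypt_log.txt')
    )
    & cipher.exe /D /S:$Root /A 2>&1 | Tee-Object -FilePath $LogPath | Out-Null
    $failed = Select-String -Path $LogPath -Pattern '[ERR]' -SimpleMatch
    if ($failed) {
        Write-Warning ("{0} item(s) could not be decrypted; see {1}" -f @($failed).Count, $LogPath)
    }
    $failed | ForEach-Object { $_.Line }
}

# Typical use, in the order the thread's experience suggests:
Get-EfsCertificateStatus | Format-Table -AutoSize   # expect HasPrivateKey = True
Backup-EfsKey                                       # do this BEFORE dcpromo
Invoke-EfsBulkDecrypt -Root 'M:\'                   # review any [ERR] lines returned
```

Run Get-EfsCertificateStatus first: if HasPrivateKey is False for the thumbprint EFSINFO names, no amount of moving the certificate between stores will help, and the only route is the one the author took, restoring the key from a backup taken while it still existed.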
