EFS files can't be decrypted after AD installation on Win2003 server

Posted on 2007-08-05
Last Modified: 2013-11-05
On a Win2003 server EFS works fine from local admin or local user accounts.

AD is now activated.  Now only a domain login is shown.  Machine works OK.  Didn't check EFS decryption (oops!).  Admin password is changed (not reset).

Now EFS encrypted files can't be decrypted by using Win Explorer or by launching an application.  Cipher.exe shows [ERR] when trying to decrypt these files.

In Computer Management/Certificates (local computer)/Trusted People/Certificates I see a cert for EFS for the Administrator from before the AD activation and one from after AD activation.  I presume that AD switched certificates for EFS, leaving me no way to decrypt the files encrypted with the old cert.

Any suggestions on how to decrypt these files so they can be reencrypted with the current account?
Question by:gmit
    LVL 17

    Expert Comment

    by:Tony Massa
    By default, a workstation's or member server's recovery agent is the default Administrator account. By "default Administrator account," Microsoft means the Administrator account you created when you installed Win2K, not any other member of the local Administrators group.
      "On a domain, the default recovery agent is the default Administrator for the computer that was the first domain controller installed for that domain; in other words, the first server that you ran Dcpromo for when you created the domain."

    Here are a few articles that should clarify what happens when a domain is created:

    LVL 31

    Expert Comment

    by:Toni Uranjek

    Just an idea: boot into Directory Service Restore Mode, change the password of the DSRM administrator to the password which you were using as local administrator, and try to decrypt the files. Let me know if it works.


    Author Comment

    Some more info ...

    I had ignored the DSRM possibility because it didn't allow login with the previous administrator password.  It is possible that this is because the previous password didn't meet the password quality currently set in the domain.  Looks like this deserves another try after reducing the domain password requirements.

    Using EFSINFO.exe (from the MS Win Support Tools) indicates that the thumbprint of the required EFS cert is in fact the older Administrator cert, which can be seen via computer management/certs/trusted people/certs.  Moving this cert to certs/trusted root/certs didn't allow CIPHER.exe or Win Explorer to decrypt the file, however.

    Looks like I guessed wrong on how to activate the old EFS cert.  Any suggestions on that?
    LVL 31

    Expert Comment

    by:Toni Uranjek
    If you can export the old certificate, try to import it to another user account and try again?

    Author Comment

    Good idea.  This led to the discovery that the EFS certificate that I need may have a missing private key.  When viewing the certificate I see "You have a private key that corresponds to this certificate", but when attempting to export, "the associated private key cannot be found".

    I will look at a tape backup -- unfortunately this machine didn't have EFS certs exported before the domain installation.
    LVL 31

    Accepted Solution

    You can always change the password policy, disable password complexity and change the minimum password length, so that you can use the old password for the DSRM account. Password policy settings are defined in the Default Domain Policy.

    Author Comment

    Here FYI is what did and didn't work.

    After installing a domain, a Win 2003 server doesn't decrypt files.  What a pain EFS is!  Here is what doesn't work:

    1.  Trying to log in using a boot to DSRM, both with the current Administrator password (no private key available for EFS cert) and with the old password (didn't conform to the domain's password complexity requirement); after reducing the complexity requirement the login still didn't work.

    2.  Attempting to export the Administrator EFS cert with the proper thumbprint and importing it to another user's account (private key still not accessible, even though the General tab of the cert indicated that there was an accessible private key).

    3.  Trying to decrypt the files with all other user accounts on the server.

    Here is what I ended up doing...

    1. Use EFSINFO (from Win support tools) to figure out the thumbprint of the EFS certificate used for the encrypted files.
    2. Look at mmc/computer management/certificates and discover that the cert that I need has no private key.  This is because when a domain is installed on a 2003 server the private keys for existing certs are deleted (nice).
    3. On a fresh hard drive install Server 2003 from CD.
    4. From a tape backup done prior to the domain installation recover C:, then recover the system state.  Note, it is necessary to initialize the OS with MS before logging off.  In this case that meant doing it on the phone to India, since I couldn't get out of the initialize screen to set up the network adapter.
    5. Export the EFS cert and private key, and import them to the sick server.
    6. Decrypt the files using:
       CIPHER /D /S:m:\ /A > decrypt_m_log.txt
       Look out for lines in the log file that contain "[ERR]", indicating that there is a problem with decryption.

    It sure would be nice to have an EFS management utility that could simplify all of this.  Hey, maybe somebody who knows Mark Russinovich -- and could convince him to write a (Microsoft) Sysinternals GUI for this stuff.
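The two checks the thread ends up doing by hand (is the certificate EFSINFO points at really backed by a usable private key, and which files did CIPHER /D fail on) can be scripted. This is an added example, not code from the thread or from Microsoft; it assumes a PowerShell host with the Cert: drive, and the thumbprint and log path are placeholders you take from your own EFSINFO and CIPHER output.

```powershell
# Added example: verify the EFS certificate behind a thumbprint reported by EFSINFO,
# then list the files CIPHER /D /S:... /A > log could not decrypt.
# Assumes PowerShell with the Cert: drive; thumbprint and log path are placeholders.
param(
    [Parameter(Mandatory=$true)] [string] $Thumbprint,   # as printed by EFSINFO
    [string] $CipherLog = 'decrypt_m_log.txt'             # redirected CIPHER /D output
)

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\TrustedPeople'
$hex    = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # EFSINFO prints spaced hex

function Test-EfsCertificate($cert) {
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isEfs = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
    # HasPrivateKey only says the cert *references* a key container. The thread's symptom
    # ("You have a private key..." but export fails) shows up as HasPrivateKey = True with
    # PfxExportable = False, so attempt a real PFX export as the decisive check.
    $exportable = $false
    try {
        $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'placeholder')
        $exportable = $true
    } catch [System.Security.Cryptography.CryptographicException] { }
    [pscustomobject]@{
        Store         = $cert.PSParentPath
        Thumbprint    = $cert.Thumbprint
        EfsEku        = [bool]$isEfs
        HasPrivateKey = $cert.HasPrivateKey
        PfxExportable = $exportable
        NotAfter      = $cert.NotAfter
    }
}

$found = foreach ($s in $stores) {
    Get-ChildItem $s | Where-Object { $_.Thumbprint -eq $hex }
}
if (-not $found) { Write-Warning "No certificate with thumbprint $hex in $($stores -join ', ')" }
$found | ForEach-Object { Test-EfsCertificate $_ } | Format-List

if (Test-Path $CipherLog) {
    # CIPHER marks each failure with [ERR]; surface those lines so none are overlooked.
    $errs = @(Select-String -Path $CipherLog -SimpleMatch '[ERR]')
    "$($errs.Count) file(s) failed to decrypt"
    $errs | ForEach-Object { $_.Line.Trim() }
}
```

Run the same check before promoting a server to a domain controller: a certificate that reports PfxExportable = False is one whose files you will not get back without a pre-promotion backup, which is exactly the position the thread describes.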
