gmit asked:
EFS files can't be decrypted after AD installation on Win2003 server

On a Win2003 server EFS works fine from local admin or local user accounts.

AD is now activated.  Now only a domain login is shown.  Machine works OK.  Didn't check EFS decryption (oops!)  Admin password is changed (not reset).

Now EFS encrypted files can't be decrypted by using Win Explorer or by opening them from an application.  Cipher.exe shows [ERR] when trying to decrypt these files.

In Computer Management/Certificates (local computer)/Trusted People/Certificates I see a cert for EFS for the Administrator from before the AD activation and one from after AD activation.  I presume that AD switched certificates for EFS, leaving me no way to decrypt the files encrypted with the old cert.

Any suggestions on how to decrypt these files so they can be re-encrypted with the current account?
Tony Massa:

By default, a workstation's or member server's recovery agent is the default Administrator account. By "default Administrator account," Microsoft means the Administrator account you created when you installed Win2K, not any other member of the local Administrators account.
http://www.windowsitpro.com/Articles/ArticleID/15907/15907.html?Ad=1
  "On a domain, the default recovery agent is the default Administrator for the computer that was the first domain controller installed for that domain, in other words, the first server that you ran Dcpromo for when you created the domain"

Here are a few Articles that should clarify what happens when a domain is created:

http://www.microsoft.com/technet/security/guidance/serversecurity/administratoraccounts/aapgch02.mspx
http://support.microsoft.com/kb/241201

-TM
Hi!

Just an idea: boot into Directory Service Restore Mode, change the password of the DSRM administrator to the password you were using as local administrator, and try to decrypt the files. Let me know if it works.

Toni
gmit (asker):
Some more info ...

I had ignored the DSRM possibility because it didn't allow login with the previous administrator password.  It is possible that this is because the previous password didn't meet the password quality currently set in the domain.  Looks like this deserves another try after reducing the domain password requirements.

Using EFSINFO.exe (from the MS Win Support Tools) indicates that the thumbprint of the required EFS cert is in fact the older Administrator cert, which can be seen via
computer management/certs/trusted people/certs
Moving this cert to certs/trusted root/certs didn't allow CIPHER.exe or Win Explorer to decrypt the file, however.

Looks like I guessed wrong on how to activate the old EFS cert.  Any suggestions on that?
If you can export the old certificate, try to import it into another user account and try again?
gmit (asker):
Good idea.  This led to the discovery that the EFS certificate that I need may have a missing private key.  When viewing the certificate I see "You have a private key that corresponds to this certificate", but when attempting to export, "the associated private key cannot be found".

I will look at a tape backup -- unfortunately this machine didn't have EFS certs exported before the domain installation.
ASKER CERTIFIED SOLUTION
Toni Uranjek (the accepted solution's text is not available on this page)
gmit (asker):
Here FYI is what did and didn't work.

After installing a domain, a Win 2003 server doesn't decrypt files. What a pain EFS is!  Here is what doesn't work:

1.  Trying to log in with the current Administrator password using a boot to DSRM (no private key available for the EFS cert) and with the old password (didn't conform to the domain's password complexity requirement); after reducing the complexity requirement the login still didn't work.

2.  Attempting to export the Administrator EFS cert with the proper thumbprint and importing it into another user's account (private key still not accessible, even though the general screen of the cert indicated that there was an accessible private key).

3.  Trying to decrypt the files with all other user accounts on the server.

Here is what I ended up doing...

1. Use EFSINFO (from Win support tools) to figure out what the thumbprint of the EFS certificate is for the encrypted files.
2. Look at mmc/computer management/certificates and discover that the cert that I need has no private key.  This is because when a domain is installed on a 2003 server the private keys for existing certs are deleted (nice).
3. On a fresh hard drive install Server 2003 from CD.
4. From a tape backup done prior to the domain installation, recover C: and then recover the system state.  Note, it is necessary to initialize the OS with MS before logging off.  In this case that meant doing it on the phone to India, since I couldn't get out of the initialize screen to set up the network adapter.
5. Export the EFS cert and private key, and import them to the sick server.
6. Decrypt files using
CIPHER /D /S:m:\ /A > decrypt_m_log.txt
and look out for lines in the log file that contain "[ERR]", indicating that there is a problem with decryption.

It sure would be nice to have an EFS management utility that could simplify all of this.  Hey, maybe somebody knows Mark Russinovich and could convince him to write a (Microsoft) Sysinternals GUI for this stuff.
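The procedure the asker ends up with (find the EFS certs, check whether the private key is really there before trusting the "You have a private key" message, export the usable ones, then run the bulk decrypt and look for failures) can be scripted. The following is an added example written for this page, not code posted by anyone in the thread and not a Microsoft tool. It assumes PowerShell with .NET on the Windows box holding the certificates; the EFS EKU OID 1.3.6.1.4.1.311.10.3.4, the paths M:\ and C:\efs-recovery, and the PFX password are placeholders you must change. The key check works because X509Certificate2.HasPrivateKey only reports that the certificate record points at a key container, while touching .PrivateKey makes the CSP open that container and fails if it is gone, which is exactly the symptom the asker hit. Finding which thumbprint a given file needs is still done with EFSINFO, as in the post; the script does not reimplement that.

```powershell
# Added example for this thread (not the poster's code, not a Microsoft tool).
# Assumes: PowerShell on the Windows machine that holds the EFS certs, .NET available.
# Placeholders you must change: $efsOid is the well-known EFS EKU OID; the paths and
# the PFX password below are made-up values for illustration.

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Test-EfsEku {
    # True if the certificate carries the EFS enhanced key usage.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {            # id-ce-extKeyUsage
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $efsOid) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsCertificate {
    # EFS certificates in the Personal store of the given location (CurrentUser or LocalMachine).
    param([string]$StoreLocation = 'CurrentUser')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            if (Test-EfsEku $cert) { $cert }
        }
    } finally { $store.Close() }
}

function Test-PrivateKeyLoadable {
    # HasPrivateKey is metadata; reading .PrivateKey forces the key container open.
    # A missing container (the thread's "associated private key cannot be found")
    # raises a CryptographicException, which we report as "not loadable".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = $Cert.PrivateKey
        return ($key -ne $null)
    } catch {
        return $false
    }
}

function Export-EfsPfx {
    # Export certificate plus private key to a password-protected PFX for import on the other box.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Path, [string]$Password)
    $pfx = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $pfx)
}

function Invoke-EfsDecryptTree {
    # Scripted equivalent of "CIPHER /D /S:<root> /A" with a per-file log.
    # Returns the list of files that could not be decrypted (the [ERR] lines of the post),
    # so they can be retried after the right PFX has been imported.
    param([string]$Root, [string]$LogPath)
    $encrypted = [System.IO.FileAttributes]::Encrypted
    $failed = @()
    $files = Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $encrypted) -ne 0) }
    foreach ($file in $files) {
        try {
            [System.IO.File]::Decrypt($file.FullName)     # needs a usable key for this file
            "[OK]  $($file.FullName)" | Out-File -Append -FilePath $LogPath
        } catch {
            "[ERR] $($file.FullName) : $($_.Exception.Message)" | Out-File -Append -FilePath $LogPath
            $failed += $file.FullName
        }
    }
    return $failed
}

# --- usage (placeholder paths and password) ---
$outDir = 'C:\efs-recovery'
$pfxPassword = 'change-me'             # protect the PFX like the data it unlocks
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

foreach ($cert in (Get-EfsCertificate)) {
    $usable = Test-PrivateKeyLoadable $cert
    '{0}  key-loadable={1}  {2}' -f $cert.Thumbprint, $usable, $cert.Subject
    if ($usable) { Export-EfsPfx $cert (Join-Path $outDir "$($cert.Thumbprint).pfx") $pfxPassword }
}

$stillEncrypted = Invoke-EfsDecryptTree -Root 'M:\' -LogPath (Join-Path $outDir 'decrypt_m_log.txt')
'Files still encrypted: {0}' -f $stillEncrypted.Count
```

Run the first loop on the restored machine (where the pre-dcpromo key container exists) to get the PFX files, import them into the account that needs to decrypt on the sick server, then run the decrypt pass there. Compare the thumbprints the loop prints with the one EFSINFO reports for the files: a certificate with the right thumbprint but key-loadable=False is the situation the poster found, and no amount of moving it between stores will fix it. Only files are decrypted here; directories keep their encryption flag, as with the /A switch in the post.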