EFS Encrypted File System Question Windows 2003 AD

I'm allowing EFS for certain users on our network. I'm wondering, if a person leaves the company, whether the files would still be accessible to that username after a password change via the Active Directory Users and Computers tool.

Example.

Bob gets fired... I.T. staff does not have his password. The Domain Admin changes his password so he can log on as Bob and view all of his files... are EFS files still going to be viewable by that account, or does that invalidate the certificate?

Yes I know I can use the Domain Admin account to decrypt the files but sometimes we like to just rename an account to the new user who inherits a position.

I could set up a test user account, but it's usually less work to just ask the EE community.

Thanks - Spyder


spyder357 asked:

Brugh commented:
As with many MS protocols, it's apparently hit or miss... hehe

Taken from Technet.
http://technet.microsoft.com/en-us/library/bb457065.aspx

"Resetting Local Passwords on Windows XP
Windows XP has new behavior regarding locally changed passwords and EFS. In Windows 2000, when a local user password was reset by an administrator, the administrator or third party could theoretically use the newly changed account to log on as the user and decrypt the encrypted files. In Windows XP, the changing of a local user password by an administrator, or through a method other than by the user, will block all access to previously encrypted files by the user.

In summary, the profile and keys of the user will be lost and will not be available to the account with the reset password. Windows XP gives the following warning when attempting to reset a user account password:

Warning: Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

This feature helps to guard against offline attacks and prevents rogue administrators from gaining access to encrypted files of other users. "

hth
 - brugh


0
spyder357 (author) commented:
Now that's with local users... I'm talking about domain accounts.

0
David Johnson, CD, MVP (owner) commented:
Disable the account while the employee is being terminated, then use the domain administrator account to decrypt the files. Check out this link for a simple explanation: https://confluence.cornell.edu/display/FSCNS/EFS+-+Encrypted+File+System
0
spyder357 (author) commented:
I think everyone here is missing the point of the question.

I need to know if I, the admin, can change someone's password via AD and view their encrypted files while logged on as that user (with the new password).  

Thanks - Spyder
0
David Johnson, CD, MVP (owner) commented:
You have to recover the files to an unencrypted state using the recovery agent (domain admin account). If you change the password, the 'new user', as far as EFS is concerned, cannot read the files; only the original user or the recovery agent can decrypt the files. This is why you get the warning when you change the user's password. Users are stored as S-1-xxx-xxxx and not by name, and changes to the user account will change the S-1-xxx-xxx to something new.

It is poor policy to just change the password on employee termination. One disables the account until a new user needs it; then you change the 'user info' fields, re-enable the account and set the password to 'user must change password on next logon'.

I repeat: once the password has been changed, the previous user cannot access the files, but a domain admin can recover the files using the recovery agent.
0
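The disable-then-recover sequence described in the answer above, as an added PowerShell example for a Windows 2003 domain (not code from the thread). The distinguished name, data path and replacement user's name are placeholders, and it assumes it is run on the server holding the files by a user whose EFS recovery agent certificate and private key are installed in that user's profile.

```powershell
# Added example: offboarding with the account disabled and the data recovered by the
# recovery agent, instead of resetting the departing user's password.
# Uses the Windows 2003 directory service tools (dsmod) and cipher.exe.
# Every account and path value below is a placeholder.

$UserDn   = 'CN=Bob Example,OU=Staff,DC=corp,DC=example'   # placeholder DN of the leaver
$DataPath = 'D:\UserData\bob'                              # placeholder folder of EFS files

# 1. Disable the account rather than reset the password. The account, its profile and
#    its EFS keys stay untouched while the termination is processed.
dsmod user $UserDn -disabled yes
if ($LASTEXITCODE -ne 0) { throw "failed to disable $UserDn" }

# 2. Recover the data as the recovery agent. cipher /d decrypts using the recovery
#    key that EFS stored in each file's recovery field; /s walks the whole tree and
#    /a operates on files as well as directories. This only succeeds if the RA
#    private key is available to the account running the command.
cipher /d /s:$DataPath /a
if ($LASTEXITCODE -ne 0) { throw 'recovery failed: is the RA private key installed for this user?' }

# 3. When the position is refilled, update the 'user info' fields, re-enable the
#    account and force a password change at next logon, as the answer describes.
dsmod user $UserDn -fn 'Carol' -ln 'Example' -display 'Carol Example' -disabled no -mustchpwd yes
if ($LASTEXITCODE -ne 0) { throw "failed to re-provision $UserDn" }
```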

top_gizmo commented:
1. If you change the password and are using the SAME user account on the SAME computer, YES, you can read the files. The files were encrypted using a private key that was generated on that computer under that logon. This is not a good practice. If a user 'accidentally' deletes his private key (yes, I have seen this done dozens of times), you will not be able to recover the files without a Recovery Agent.

2. You do need to establish a recovery agent NOW. You cannot import the recovery agent's key into the users' encrypted files after they delete their private key. You must import the Recovery Agent certificate into your GPO and run the cipher /u command in a logon script to update the users' encrypted files with the RA certificate.

3. Use the cipher /r command to create your own certificates. It will create two files: one is your public key, which is imported into the GPO; the other is the private key, which you secure offline... I say again: OFFLINE, in a secure place. I actually have three keys in case any get compromised.

Here are some links to get you started:

http://articles.techrepublic.com.com/5100-6329_11-5034476.html

http://support.microsoft.com/kb/887414
0
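The three steps above as an added PowerShell example (not code from the thread): part A is run once by the administrator who will act as recovery agent, part B is the logon script that refreshes users' existing encrypted files. The output folder, the removable-media drive letter and the function name are assumptions; importing the .cer into the GPO is done in the Group Policy editor and is not scripted.

```powershell
# Added example: create the EFS recovery agent key pair with cipher /r, move the private
# key offline, and refresh existing encrypted files with cipher /u from a logon script.
# Paths and drive letters are placeholders.

# --- Part A: recovery agent key pair (step 3), run once as the future RA ---
$RaBase = 'C:\EFS-RA\EFSRecoveryAgent'        # cipher writes $RaBase.cer and $RaBase.pfx
New-Item -ItemType Directory -Path (Split-Path $RaBase) -Force | Out-Null

# cipher /r prompts for the password that protects the .pfx (the private key).
cipher /r:$RaBase
if ($LASTEXITCODE -ne 0) { throw 'cipher /r failed' }

# The .cer (public key) is what gets added to the GPO: Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies > Encrypting File System
# > Add Data Recovery Agent. Do that in the Group Policy editor.
# The .pfx (private key) must leave the machine: copy it to offline media, then delete
# the local copy. Remove-Item does not wipe the bytes; overwrite the disk if it is reused.
Copy-Item "$RaBase.pfx" -Destination 'E:\'     # placeholder: removable media
Remove-Item "$RaBase.pfx"

# --- Part B: logon script (step 2), runs as each user after the GPO has applied ---
# Files encrypted before the RA certificate existed carry only the user's own key.
# cipher /u rewrites the key information on every encrypted file the user can open,
# adding the RA certificate from policy; /u /n only lists them without changing anything.
function Update-EfsRecoveryInfo {
    cipher /u /n > "$env:TEMP\efs-files-before.txt"   # dry run: which files are encrypted
    cipher /u
    return $LASTEXITCODE                               # 0 means every file was updated
}
Update-EfsRecoveryInfo | Out-Null
```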
spyder357 (author) commented:
Actually the certs are not on the local computer. We run a (Microsoft) certificate infrastructure (for VPN, wireless, EFS, webmail, etc.). The recovery agent is the domain administrator account along with my Domain Admin account. All keys are stored on the server and in Active Directory.

0