?
Solved

Encrypted files after dcpromo

Posted on 2008-10-15
9
Medium Priority
?
388 Views
Last Modified: 2013-12-05
Encrypted files after DCPROMO


Hi experts we have recently performed a  DCPromo on a legacy server. The server is a Windows 2000 with SP4 , the server held all of the FSMO roles and these have been moved to a Windows 2003 server.

The DCPROMO itself seemed fine,  but a two days after the DCPROMO  a user mentioned that they could not connect to a file share that was on the old DC.

Upon investigation we found that the user has put encryption on the directory, thus not allowing us to copy, open, un-encrypt . We have the default recovery policy and I have logged in as Administrator.



Is there a way I can un-encrypt the files ?
How do I find out what Key Encrypted the files ?
Why would DCPROMO cause this issue ?  

0
Comment
Question by:mallyon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
9 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 1000 total points
ID: 22728796
If the files are on a domain and have been encrypted with a domain account then by default the "administrator" (note THE Administrator - not a member of the administrators group), has the Data Recovery Agen key and can unencrypt the files.

If its not on a domain or a local account as used to encrypt the files there there is no recovery agent bey default.

Encryption is very good - if there is no recovery agent and the user has lost their certificate (a common cause is the resetting of a password - note RESETTING, not changing), then chances of recovery are small which is why there is strong advice to backup the certificates. There is a utility called Elcomsoft EFS which claimes to be able to recover encrypted files but it is unproven - I have yet to find anyone who says it has worked see http://www.elcomsoft.com/aefsdr.html if you want to give it a try.

0
 
LVL 4

Expert Comment

by:pistolslapper
ID: 22729232
I have only heard this and not tried it, but you could try copying the encrypted files to a disk formatted wth a fat32 partition. Someone told me once this can get you out of a jam using windows encryption.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22729307
@@ pistolslapper
NO that does not work - whoever told you did not know what they were takling about
If it did work it would be a serious security flaw and render encryption useless ... in order to move an encrypted file to a FAT drive it has to be decrypted - and you can only do that if you have the certificate.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 4

Expert Comment

by:pistolslapper
ID: 22729390
Thanks for the clarification KCTS.

0
 

Author Comment

by:mallyon
ID: 22733247
Hi Experts

WI think I found the killer line in http://support.microsoft.com/kb/241201 
"the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent. " 

"first" being the killer  

So is my only course of action to restore the domain controler ?  
0
 
LVL 2

Expert Comment

by:CEORACE
ID: 22734129
No, there is a program available.  I will research and get back to you
0
 
LVL 2

Expert Comment

by:CEORACE
ID: 22734163
If the files are important enough, ELCOMSOFT (elcomsoft.com) makes a program that recovers encrypted files.  I made the same mistake once and had to use it.  It recovered all my files.  All the permissions, etc are lost, but the files were fine.  I don't recall, but I think I had to reset the read only flag on all of them, but small price to pay.

I looked on their website, and it is 149 for the standard edition.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question