• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

Recovering encrypted files after creating new SBS domain

We had a Windows 2003 SBS R2 server crash a few months ago, and setup a new server.  It has the same domain name as it had before, but since we were unable to restore AD as it is new hardware, all machine and user accounts had to be created.  Since we only had 16 of each, it didn't take long to do, but obviously it created new profiles on each machine as well.  One of the users had encrypted tax documents that he needs for tax season, but since he logs into a different profile although the domain\user is the same as before, he cannot decrypt the files.  The old profile is still on the machine, but there was no private key exported before the server crashed.  The files were encrypted using a domain account on the previous domain controller.  Since that domain controller is no longer live, is there a way to log into the previous cached profile on the XP Professional laptop to decrypt the files?  If the domain name had been different, it wouldn't be an issue to log into the machine with the cached profile, but that domain\user combination brings up the new profile.
0
MikieTimT
Asked:
MikieTimT
  • 4
  • 4
1 Solution
 
rindiCommented:
If the utility below can't help, you are probably out of luck:

http://www.elcomsoft.com/aefsdr.html
0
 
Michael-BestCommented:
Remove HDD, then
Via (IDE)ATA /SATA as a slave drive on an XP machine / set drive jumper to slave.
0
 
MikieTimTAuthor Commented:
I don't think that the tool above will help in this case.  From what I've read about EFS in a domain environment, the private key is stored on the domain controller rather than in the local filesystem, and that you cannot even access your encrypted files when offline.  Since the domain controller is what failed, the private key is no longer accessible unless XP somehow had something in the cached profile.  Can anyone confirm that there is no copy of the private key on the XP hard drive for offline use, or have I misunderstood?  If there is no private key available, are there any other options for recovering the files?
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
rindiCommented:
What failed on the original server? What about restoring a backup?
0
 
MikieTimTAuthor Commented:
The motherboard failed, and everything else was old enough that we couldn't justify buying a replacement motherboard.  So we couldn't do an AD restore on the new server that we purchased as a replacement, as the board in the new system was 2 generations newer than that of the old server.  So, we just restored the user files and mail and created everything new.
0
 
rindiCommented:
You could probably use the utility I linked to earlier if you either restore the complete backup of the old server to some other Box on the Disk you restore to. Or another option would be to use it to scan the disks of the old server if they still exist.
0
 
MikieTimTAuthor Commented:
Unfortunately, that server crashed several months back, so no backups remain from that old server, and the disks got formatted and put into other systems, so we're hosed there.  I read that the tool could go through deleted data, but a complete format likely creamed any chance of getting anything of the old server disks.
0
 
rindiCommented:
Then I'm afraid the encrypted data is lost.
0
 
MikieTimTAuthor Commented:
Actually, I ended up consulting Microsoft Professional Support, and after engaging an encryption support specialist, they had me try an internally developed tool, which required the path to the old profile as well as the password.  It then retrieved the old certificate into the current profile, and we were able to decrypt everything that was encrypted on that hard drive.  The file that was encrypted directly on a network drive on the old server was unfortunately not retrievable using the tool since the certificate would not have been accessible.  I appreciate your time in trying to help.  I thought I'd post the solution that worked for me for the benefit of other users.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now