Status: Solved

Regaining Access to an Encrypted PST

Several workstations used to log in to a domain, even though the domain controller had previously bit the dust many years ago. In the interim, they used a NAS that didn't require domain login, but accepted the access from those on and off the domain platform.

Recently, they installed a new server, which became the new Domain Controller, and used the same name used in the previous domain (company.local). One by one, the workstations rejected the new DC and login to local accounts became impossible.
 
Through some efforts, the workstations were joined to the new DC and the old profiles were migrated to new ones, with one exception. The Outlook PST files were previously encrypted and migrating the file still will not grant access to import the data.
 
One workstation taken offsite managed to log in to the old domain one last time and I was able to successfully export the PST without encryption, so I know it can be done. But once the workstations are joined to the NEW domain, is there any way to get access again?
 
I need to either: 1- Decrypt the data so that the PST files are accessible, or 2- Regain access to the profile so I can export the file safely.
 
Does anyone have any ideas?
Asked by: sparkleinnovations

1 Solution
 
David Johnson, CD, MVP (Owner) commented:
How were they encrypted? EFS? Password?
 
sparkleinnovations (Author) commented:
They were EFS encrypted, but without being able to log in to that profile, I don't know how to work around it. I have attempted to add/change ownership of the file(s) with no success.
 
David Johnson, CD, MVP (Owner) commented:
Without a copy of the EFS key, these files are toast.
 
sparkleinnovations (Author) commented:
New development that might make a difference...

I was able today to find and make the old Domain Controller boot. And, taking the new server off the network, I unjoined a workstation from the 'new' DC and joined it to the 'old' DC, but still could not boot into the previous profile to gain access to the encrypted PST.

Is there a way to force the workstation to login to a particular profile, if it is joined to the former DC?
 
David Johnson, CD, MVP (Owner) commented:
Your old DC should have a copy of the EFS certificate in Active Directory and also a recovery agent set up in AD. That is, if your company had followed best practices for EFS.
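The check behind this answer, as an added example that is not from the thread: before a profile or domain migration, confirm which certificates (user and Data Recovery Agent) can decrypt an EFS-encrypted PST, and back up the current user's EFS certificate and private key to a password-protected PFX so the key does not die with the profile. `$PstPath` and `$BackupPath` are placeholders.

```powershell
# Added example (not from the thread): verify EFS recoverability of a PST and
# back up the user's EFS key. Run as the user who encrypted the file.
$PstPath    = 'C:\Users\someuser\Documents\Outlook.pst'   # placeholder
$BackupPath = "$env:USERPROFILE\Desktop\efs-backup.pfx"    # placeholder
$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'                     # Encrypting File System EKU

# 1. Is the file EFS-encrypted at all? (NTFS attribute, not an Outlook PST password)
$attrs = (Get-Item -LiteralPath $PstPath).Attributes
if (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
    Write-Host "$PstPath is EFS-encrypted."
    # cipher /c lists every user certificate and every recovery (DRA) certificate
    # that can decrypt this file. One user thumbprint and no recovery certificate
    # means losing that user's private key loses the data.
    cipher /c $PstPath
} else {
    Write-Host "$PstPath is not EFS-encrypted; no EFS key is needed to open it."
}

# 2. Find the current user's EFS certificate(s) that still have a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found for this user.'
    return
}

# 3. Export certificate + private key to a password-protected PFX, one file per
#    thumbprint. Store it off the workstation; whoever holds it can read the data.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($cert in $efsCerts) {
    $out = $BackupPath -replace '\.pfx$', "-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
    Write-Host "Exported EFS certificate $($cert.Thumbprint) to $out"
}
```

On a workstation without the PKI module, `cipher /x` performs the same key backup from the command line. A DRA certificate configured in the domain's EFS policy shows up in the `cipher /c` output as a recovery certificate; its absence is exactly the situation this thread ends in.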
 
Kernel_Recovery_Tools commented:
Hello Sparkleinnovations,


Please make sure of all these things:

1. Log in as an administrator / having all permissions.
2. Version should be the same.
3. Open your PST files using Outlook:
    3.1 Go to File
    3.2 Select Open
    3.3 Select the .PST file to open.
4. If Outlook opens the file without any error, it means the files are OK.

To decrypt the file, follow the necessary steps:

1. To decrypt the files and save them without encryption, export the PST file without any encryption.
2. Go to File -> Import and Export... -> Export to a file -> Personal Folder file (.pst) -> Choose the PST file in question -> make sure to check the box "Include subfolders"
    2.1 Browse for a destination folder and select "Allow duplicate items to be created" -> rename the file and select OK to Finish
3. A dialog box will open that allows you to change some of your settings such as the file title/name and encryption choices. Your choice should be No encryption.
4. Save your files.

Hope this works.

Thanks
Kernel Recovery Tools
 
sparkleinnovations (Author) commented:
Thanks for the help & advice so far.

The problem now seems to be that I can no longer log in to the profile that owns the encrypted PST. And the Administrator profile login on the machine level AND on the domain cannot gain access without warnings.

Is there a way to force access to the PST without logging in as the profile who 'owns' it? And, if I can get access to the EFS certificate on the server (which I will try tomorrow) how would I use that to access the file without being logged in to that profile?
 
David Johnson, CD, MVP (Owner) commented:
Was the EFS key never exported and saved? Also, was no KRA set up in AD?
 
Kernel_Recovery_Tools commented:
Without login, I don't think it is possible.
 
sparkleinnovations (Author) commented:
I cannot find a record of a backup certificate on the old server. However, I did find a *.ngn file inside a folder in ProgramData > CrypKey > Licenses. Is that of any use?

Also, I was able to 'add' ownership of the encrypted files, but they still deny access when trying to open from Outlook, even in an Administrator profile.

Any more "Hail Marys" I could try before I bite this one?
 
sparkleinnovations (Author) commented:
Thanks for the suggestions, but after MANY hours of attempts, I finally had to give it up. There were no backups of the EFS certificate or recovery agent on the former DC.

I'm assigning the points to Ve3ofa for covering the bases and telling me it was pretty much hopeless from the beginning.
