How to decrypt windows files

Posted on 2012-08-29
Last Modified: 2012-09-23
Hello experts
I have a small issue with encrypted files. The problem stems from Windows 7 64-bit expanding Mac zip files. The expanded folder structure is encrypted. When I run a file replication job from BackupAssist on the Windows 2008 R2 server, I get a stream of errors advising access was denied when trying to replicate the files to a NAS box. I know the user who did the original extraction could decrypt the files, but with so many Mac files coming in I need to be able to perform the decryption on the server rather than bother users with the decryption process. If I try to manually decrypt the folders, I receive an access denied message.

Does anyone have any ideas what needs to be done to allow the domain admin to decrypt the files, or if this is even possible?

thanks in advance for your help
Question by:Amiga-2000
    LVL 6

    Expert Comment

    What is the mechanism being used to encrypt them?

    Author Comment

    The built in Windows NTFS encryption
    LVL 6

    Expert Comment

    There's good news for you, then.  I was worried when you started mentioning Mac that it was something being encrypted on Mac clients before being put on the server.

    For NTFS Encrypting Filesystem, you can edit the default domain policy in GPMC to add something called an EFS Recovery certificate.  This is for exactly what you want -- to allow one or more users to decrypt any file encrypted in the network.  Here's an article for how to do it:

    Data Recovery and Encrypting File System (EFS)

    Best Practices for Encrypting File System
    LVL 6

    Accepted Solution

    And here is a step-by-step:

    Recovery agents are users who can recover encrypted files for a domain. To add new users as recovery agents they must first have recovery certificates issued by the enterprise CA structure (a local certificate granted by the Administrator is no use).

    1. Start the Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
    2. Right click on the domain and select Properties
    3. Select 'Group Policy' tab
    4. Select the 'Default Domain Policy' and click Edit
    5. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
    6. Right click 'Encrypted Data Recovery Agents' and select Add
    7. Click Next to the 'Add Recovery Agent Wizard'
    8. Click 'Browse Directory'. Locate the user and click OK
    9. Click Next to the agent dialog select
    10. Click Finish to the confirmation
    11. Close the Group Policy Editor

    This was pulled from:

    Author Comment

    Thanks page1985.  Will give that a go
    LVL 33

    Expert Comment

    by:Dave Howe
    Note that recovery agents can't be automatically added after-the-fact - so only new files created by those users will have the new keyset.

    You would need to unsecure and resecure each file (as the original user) in order to get the benefit.

    Note also though that EFS protected files moved *by the original user* to FAT storage (or zipfile, or anything that isn't another NTFS volume) are automagically unprotected - so perhaps there is a solution there?
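
Before and after changing the recovery policy, it helps to know which items under the replicated share are EFS-encrypted and who can currently decrypt each one. The script below is an added example, not part of the thread; it assumes PowerShell 3.0 or later, and the `$Root` and `$Report` paths are placeholders.

```powershell
# Added example (not from the thread): inventory EFS-encrypted items and record
# who can decrypt them. Both default paths below are hypothetical placeholders.
param(
    [string]$Root   = 'D:\Shares\Incoming',    # share the replication job reads
    [string]$Report = 'C:\Temp\efs-audit.txt'  # where the detailed report is written
)

# Files and folders carrying the NTFS "Encrypted" attribute are protected by EFS.
$encrypted = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

$rows = foreach ($item in $encrypted) {
    # The NTFS owner is only a hint at who encrypted the item; the authoritative
    # list of users and recovery certificates comes from cipher /c below.
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner } catch { }

    # cipher /c displays information on the encrypted item, including the
    # users who can decrypt it and any recovery certificates attached to it.
    $detail = (& cipher.exe /c $item.FullName 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        Path       = $item.FullName
        Owner      = $owner
        CipherInfo = $detail
    }
}

# Summary: how many encrypted items each owner has under the share.
$rows | Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Detail: one section per item with the raw cipher /c output for review.
$rows | ForEach-Object {
    "=== $($_.Path) (owner: $($_.Owner))"
    $_.CipherInfo
    ''
} | Set-Content -LiteralPath $Report -Encoding UTF8
```

Running it again after the policy change and comparing the two reports shows which items still list no recovery certificate, and therefore which users would have to unsecure and resecure their files.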
    LVL 59

    Expert Comment

    I've requested that this question be closed as follows:

    Accepted answer: 168 points for page1985's comment #a38348473
    Assisted answer: 166 points for page1985's comment #a38348475
    Assisted answer: 166 points for DaveHowe's comment #a38349204

    for the following reason:

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

    Author Comment

    Sorry, page1985, was distracted on different issues.
