
How to decrypt windows files

Hello experts
I have a small issue with encrypted files. The problem stems from Windows 7 64-bit expanding Mac zip files. The expanded folder structure is encrypted. When I run a file replication job from BackupAssist on the Windows 2008 R2 server I get a stream of errors advising that access was denied when trying to replicate the files to a NAS box. I know the user who did the original extraction could decrypt the files, but with so many Mac files coming in I need to be able to perform the decryption on the server rather than bother users with the decryption process. If I try to manually decrypt the folders I receive an access denied message.

Does anyone have any ideas what needs to be done to allow the domain admin to decrypt the files, or if this is even possible?

thanks in advance for your help
1 Solution
What is the mechanism being used to encrypt them?
Amiga-2000Author Commented:
The built in Windows NTFS encryption
There's good news for you, then.  I was worried when you started mentioning Mac that it was something being encrypted on Mac clients before being put on the server.

For NTFS Encrypting Filesystem, you can edit the default domain policy in GPMC to add something called an EFS Recovery certificate.  This is for exactly what you want -- to allow one or more users to decrypt any file encrypted in the network.  Here's an article for how to do it:

Data Recovery and Encrypting File System (EFS)

Best Practices for Encrypting File System

And here is a step-by-step:

Recovery agents are users who can recover encrypted files for a domain. To add new users as recovery agents they must first have recovery certificates issued by the enterprise CA structure (a local certificate granted by the Administrator is no use).

1. Start Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
2. Right-click on the domain and select Properties
3. Select the 'Group Policy' tab
4. Select the 'Default Domain Policy' and click Edit
5. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
6. Right-click 'Encrypted Data Recovery Agents' and select Add
7. Click Next in the 'Add Recovery Agent Wizard'
8. Click 'Browse Directory'. Locate the user and click OK
9. Click Next in the agent dialog
10. Click Finish on the confirmation
11. Close the Group Policy Editor

This was pulled from:
Amiga-2000Author Commented:
Thanks page1985.  Will give that a go
Dave HoweCommented:
Note that recovery agents can't be automatically added after-the-fact - so only new files created by those users will have the new keyset.

You would need to unsecure and resecure each file (as the original user) in order to get the benefit.

Note also though that EFS protected files moved *by the original user* to FAT storage (or zipfile, or anything that isn't another NTFS volume) are automagically unprotected - so perhaps there is a solution there?
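The following is an added example, not code from page1985, Dave Howe or the original poster. It strings together the built-in cipher.exe and certutil.exe to do what page1985's GPO procedure and Dave Howe's caveat describe on Windows 7 / Server 2008 R2: generate a data recovery agent (DRA) certificate, publish it through Group Policy, refresh the recovery fields on files that were encrypted before the DRA existed (that is the "unsecure and resecure" step, which `cipher /u` does in place as the original user), and then decrypt on the server with the DRA's private key. The output directory, the certificate name and the share paths are assumptions; the GPMC step itself is manual and is shown as a comment.

```powershell
# Added example (not from the thread). Assumed names: C:\EFS-DRA, DomainEfsRecovery,
# E:\MacDrops. Requires an elevated PowerShell 2.0+ session on a domain member.

# Step 1 - on any domain member, logged on as the account that will act as DRA.
# cipher /r writes <name>.cer (public half, goes into the GPO) and <name>.pfx
# (private key, protect it offline). It prompts for the .pfx password.
# With AD CS you can instead enrol the "EFS Recovery Agent" template; cipher /r needs no CA.
function New-EfsRecoveryAgentCertificate {
    param([string]$OutDir = 'C:\EFS-DRA', [string]$DraName = 'DomainEfsRecovery')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Push-Location $OutDir
    try     { & cipher.exe "/r:$DraName" }
    finally { Pop-Location }
    Get-ChildItem -Path $OutDir -Filter "$DraName.*"
}

# Step 2 - manual, in GPMC (Server 2008 R2 layout of the same policy page1985 describes):
#   Default Domain Policy > Computer Configuration > Policies > Windows Settings >
#   Security Settings > Public Key Policies > Encrypting File System >
#   right-click > Add Data Recovery Agent... > Browse Folders... > DomainEfsRecovery.cer
# then on each client:  gpupdate /force

# Step 3 - on the client, logged on as the user who extracted the zips.
# EFS stamps the DRA into a file only when that file is written with EFS, so files
# encrypted before the policy change do not carry it. cipher /u touches every
# encrypted file on local drives and rewrites the recovery fields with the DRAs
# currently in policy without re-encrypting the data.
function Update-EfsRecoveryFields {
    & cipher.exe /u
}

# Step 4 - on the server, logged on as the DRA account: import the private key
# into the current user's Personal store so cipher /d can use it.
function Import-EfsRecoveryKey {
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][string]$Password)
    & certutil.exe -user -p $Password -importpfx $PfxPath
}

# Inventory: which files under $Path are EFS-encrypted, and what cipher /c reports
# for each (users who can decrypt, recovery certificates, thumbprints). The
# thumbprint match relies on the English cipher.exe output text.
function Get-EfsFileInfo {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
        ForEach-Object {
            $report = & cipher.exe /c $_.FullName
            $thumbs = @($report | Select-String 'Certificate thumbprint:\s*(.+)$' |
                        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })
            New-Object PSObject -Property @{
                File        = $_.FullName
                Thumbprints = $thumbs          # includes DRA certs once cipher /u has run
                RawReport   = ($report -join "`n")
            }
        }
}

# Decrypt a whole tree in place: /d decrypt, /s: recurse, /a act on files too,
# /i continue past errors, /h include hidden/system files. Files whose recovery
# field still lacks the DRA (step 3 not done) fail with access denied and are listed.
function Unprotect-EfsTree {
    param([Parameter(Mandatory)][string]$Path)
    & cipher.exe /d "/s:$Path" /a /i /h
}

# Typical order on the server, after steps 1-3:
# Import-EfsRecoveryKey -PfxPath 'C:\EFS-DRA\DomainEfsRecovery.pfx' -Password '<pfx password>'
# Get-EfsFileInfo -Path 'E:\MacDrops' | Format-Table File, Thumbprints -AutoSize
# Unprotect-EfsTree -Path 'E:\MacDrops'
# Get-EfsFileInfo -Path 'E:\MacDrops'      # should now return nothing
```

Keep the .pfx off the file server except while it is imported, and check the inventory before decrypting: any file whose report has only the original user's thumbprint was encrypted before the DRA was in policy and needs the client-side `cipher /u` run by that user first, exactly the situation Dave Howe describes.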
Amiga-2000Author Commented:
Sorry, page1985, was distracted on different issues.
