Unable to access encrypted files on Windows server with admin account

I've been given an admin account on a Windows server so I can set up a backup of essential files.

The software I am using failed on some file copies.
On checking the files, they were green within Explorer on the server and on clients, and therefore encrypted. Nobody needs them encrypted; it appears to be an accident.
From the client machines I can access them (slowly), which I understand. However, how can I access them with the admin account?
As the client accounts can access them, will unticking "encrypt" for the files on a client machine work?
Thanks in advance

If there is no need to encrypt them, you should undo this for speed and ease of recovery...

However your inability to access is more likely a permissions issue...

Make sure the permissions allow the appropriate access for administrators as well!

Please read about the EFS recovery agent procedures here, as EFS is what "greens" them.
navjump (Author) commented:
Thank you both

The permissions of the files are set to 'everyone'; it's just that when locally accessing them with my admin account on the server I cannot, which means I cannot decrypt them. I'd rather not have to copy them somewhere over the network and copy them back. I'm hoping I can just decrypt from an account that has access.

I can view them from the client computers as mentioned.

McKnife are you thinking that each machine may have a key stored somewhere locally or this key may be on the server? I don't see how this makes it admin account specific, although I guess my admin account was added after this encryption happened.

I think someone was trying to compress a load of files to save space and they have confused encrypt with compress.

Navjump: I agree with your hypothesis that someone confused encrypt with compress..
You probably should decrypt...

McKnife: Great article on EFS reference! Navjump can either remove the file from EFS or export/import the key as shown therein to solve the issue... But if recovery is the ultimate goal here and no business needs exist for EFS, best answer is probably to permanently decrypt!
navjump (Author) commented:
OK if my admin account cannot decrypt, shall I just go ahead and decrypt from a client computer that does have access?
That's the easiest...

As we said, the alternative is to export the certificate from a client & import to yours to allow your access...
navjump (Author) commented:
So just to clarify, right click the file/folder > advanced and untick encrypt from a client machine on the network.
Seth Simmons (Sr. Systems Administrator) commented:
if that client machine is logged in as the user it was encrypted with, then yes, do it that way
otherwise, use the recovery agent as mentioned earlier
just because you have full rights at the ntfs level doesn't bypass encryption
navjump (Author) commented:
Sorry I am still puzzled by this.

I tested by picking a random client machine and accessing the shared drive and I was able to view the green files/folders. Does this mean I can decrypt from that machine or just view them?

My understanding is the recovery agent only allows to encrypt/decrypt an account added in for any new files, not the old files.

I don't know which account encrypted them
The one that can read them may decrypt them. Open the properties of that file/folder and, behind the advanced button on the general tab, simply uncheck the box "encrypt contents..."
navjump (Author) commented:
OK great that seems like good news as I was able to view them on a couple of client machines with users logged in. I am guessing these users are within the group that at the time was used to encrypt, but as I am a new admin user I am new to the user group used to encrypt.

Either way I will try this next site visit Friday and let you know how I get on.

navjump (Author) commented:
Hey guys

No success with this today sadly. It seems a lot of the files can't be viewed and therefore not decrypted from the client machines.

I am concerned that if I change the main 'administrator' password so I can use that account, it will affect the decryption. Will that happen?

I also am concerned if I use the other suggested ideas that I might stop this from ever being able to be decrypted.

I am currently trying to get the original administrator to decrypt.

I would be grateful for a step by step alternative solution or pointing me to the relevant part of the document.

Thanks for your ongoing help and patience
Changing a password will NOT stop EFS from working, you will be able to decrypt as long as you are able to read the data. As you could read, "by default, the administrator account is the data recovery agent" and will be able to read those files.
The encryption/decryption mechanism for EFS is a certificate stored in each user's certificate database...

So long as that database remains accessible, there should be no issues!
navjump (Author) commented:
OK, so when I access on either my admin account or from a client logged in on their machine it just says 'administrator access required'. So it sounds for sure like I need to use the main admin account.

I think I'll try and get it from the old admin who has not been very helpful, but you think ok to use my admin account to change the main administrator password and just do it that way?

I was just trying to be tactful and not change that account password.
Kinda what I was alluding to...
if you change the password, you MIGHT lose access to that certificate database!

It depends on that account's encryption settings...
navjump (Author) commented:
So my best bet is to obtain the original admin password?

Seems unusual with passwords that are set to expire after X number of days though. I guess encryption is designed to not be easy to decrypt though.
navjump (Author) commented:
No way to find out which account encrypted them?
See the following article...
it may or may not apply to your case, but I would NOT be so quick as to force change that password!

A user can change his OWN password with impunity...

BUT force changing of ANOTHER account by an admin can lose access to the certificates...

My earlier recommendation stands...

Logon to any account that can read the file and EXPORT the certificate from THAT account...

You can then IMPORT  that certificate to ANY other account to gain the same access!
navjump (Author) commented:
Yeah, the problem I am having is it's not consistent. The user I tried last week has access to a few of the files (hardly any), but the account I tried today had access to none. So I tried the account for last week to be sure and confirmed very little access.

Are the users manually given the certificate at the time of encryption or is that automatically created?

I have no consistency and nobody remembers doing this so it was an accidental encryption which could have been by any user and not necessarily one still part of the office as from what I can tell this has been neglected a while.

So if I can log on to the proper original administrator account without me having to change the password is that currently my best bet?


Changing a password of another account will never prevent that other account from accessing his certificates - where did you read that, nfc?
1) McKnife:  I posted link to reference... as I said, this issue MIGHT apply, but risky, so I would change password ONLY as LAST resort...

2) Best bet is to GET THE PASSWORD!

3) John: Still not sure WHY you won't try to export the certificates...  Harmless to do, and will let you know what (further) options you might try!

How-to link here: http://windows.microsoft.com/en-us/windows/back-up-efs-certificate#1TC=windows-7

4) Certificates are auto-generated...  Article on how they are generated and used here:
navjump (Author) commented:
I'm happy to export the certificates but I don't really have one that is allowing access to all the files, so it seemed a bit futile.

Admin account seems best bet

I'll give it a go

Thank you for the advice I'll keep you posted.
I see. This ( http://support.microsoft.com/kb/290260 ) is true for local accounts, not for domain accounts, if I am not mistaken. navjump, is this a domain account or a local one?
Yet another article describing recovery issues for encrypted files...

Worth reading!


It describes the cipher.exe tool (NTFS EFS tool) as well as the various certificate option & issues as well as setting up the "recovery agent" for EFS...
navjump (Author) commented:
This isn't likely to be a crypto locker virus?

I've seen that before but not turning files 'green', so I'm guessing unlikely
navjump (Author) commented:
Yes... unlikely... they encrypt (but NOT with EFS)... and demand a ransom to decrypt...
Again: is this a domain user account or a local one?
navjump (Author) commented:
Domain user
Then I don't think changing the password would hurt. But you should look that up or better stage it in a test environment.
navjump (Author) commented:
I found this last night


It's explaining an issue where a zip file created on a Mac and unzipped on Windows marks the files as encrypted. About 50% of the users are Mac users. Although the unticking obviously doesn't work
Apple was never known for "playing nice with others"...

They demand all others defer to THEIR way or the highway!
navjump (Author) commented:
Right so the previous admin is unable to provide the original administrator password.

I'm going to change the admin password and test tomorrow.

I'm also getting frustrated with waiting a week to do anything, so will get TeamViewer installed for remote access and get this nailed with your help.
Again, I STRONGLY urge you to TRY import/export of certificates from a user who can read the file(s) BEFORE changing that password!
navjump (Author) commented:

As I've said I'm not having any luck with users that can open them at all.

I'm going to use the EFS info tool to try and find out which account encrypted them as a first step.
navjump (Author) commented:
OK, EFS info tool provides no info on these files/doesn't work - it's as if they don't exist.

Administrator account does not allow access to them either

It's like they have been encrypted elsewhere which leads me back to the mac unzipping issue.

A large chunk of the files have the mac_os prefix in them which is suggestive of this. However, they can't be unticked you get the standard encrypted file message which just asks for admin permission and then fails.

I'm at a point where I should write these files off I think, it's about 450 files, a very small chunk in the scheme of things, and nobody has had access to these for a long time.
navjump (Author) commented:
OK a little bit more digging.

Tried to use EFSinfo tool as I said and useless, but if I simply go to the advanced tab in the properties and then 'details' next to the file, it says "users who can access this file" and a name. The name doesn't seem to be our domain account format, it's actually first name / last name.

A few random file checks show different users for different files which is concerning. Still not sure why this has happened.

If I try to add a user who can decrypt the file. I get a list of 2 users who are other users on the network. Very odd. I can't add any of them though as I get an error message saying I don't have access to do it. I am guessing because I am using my admin account rather than the account named in the top box saying who has access.

So, is my best bet to go through each file and just identify who has access to each file and then get them to decrypt them?

You mentioned how I can add the certificates for the user to my admin account I am still puzzled by this process.

Do I take the certificate from the users local/client machine running windows 7, then return to my server and add the certificate in there under my login account? This way I can just decrypt them all rather then getting them to identify and decrypt each file?

Thanks again for your patience, I am mildly dyslexic so I hope you can appreciate things take me a little longer than most.
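
The per-file check described above (opening "Details" on each file to see who can decrypt it) can be done in bulk with `cipher /c`, which only displays information and changes nothing. The script below is an added example, not part of the original thread: `$Root` is a hypothetical path, and the parsing assumes the English-language `cipher.exe` labels "Users who can decrypt", "Recovery Certificates" and "Certificate thumbprint".

```powershell
# Added example (not from the thread): read-only inventory of EFS-encrypted files.
# Assumes English-language cipher.exe output; $Root is a hypothetical path.
param([string]$Root = 'D:\Shares')

# Thumbprints of certificates in the current profile that have a private key,
# i.e. the keys this logon could actually decrypt with.
$mine = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { $_.Thumbprint.ToUpper() })

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Attributes Encrypted -ErrorAction SilentlyContinue

$rows = foreach ($f in $files) {
    $role = $null; $prev = $null
    foreach ($line in (& cipher.exe /c $f.FullName 2>&1)) {
        $t = "$line".Trim()
        if     ($t -like 'Users who can decrypt*') { $role = 'User' }
        elseif ($t -like 'Recovery Certificate*')  { $role = 'RecoveryAgent' }
        elseif ($role -and $t -match '^Certificate thumbprint:\s*(.+)$') {
            $thumb = ($Matches[1] -replace '\s', '').ToUpper()
            [pscustomobject]@{
                File             = $f.FullName
                Role             = $role
                Holder           = $prev      # name line printed just above the thumbprint
                Thumbprint       = $thumb
                KeyInThisProfile = $mine -contains $thumb
            }
        }
        elseif ($t) { $prev = $t }
    }
}

# One line per certificate: how many files it opens and whether this account holds its key.
$rows | Group-Object Thumbprint | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Files            = $_.Count
        Role             = $_.Group[0].Role
        Holder           = $_.Group[0].Holder
        Thumbprint       = $_.Name
        KeyInThisProfile = $_.Group[0].KeyInThisProfile
    }
} | Format-Table -AutoSize

# Encrypted files for which no certificate entry could be parsed.
$files | Where-Object { $rows.File -notcontains $_.FullName } | Select-Object -ExpandProperty FullName

$rows | Export-Csv -NoTypeInformation -Path .\efs-inventory.csv
```

Grouping by thumbprint shows how many distinct certificates are involved and which holder to ask for an export; a file is only decryptable from a logon where `KeyInThisProfile` is true for one of its certificates.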
In a previous reply I supplied a link to the export/import process...

All you need do is export the certificate from a user who CAN access the file and then import it  to another user who would like to enjoy the same usage.
navjump (Author) commented:
Thanks again n2fc

just to clarify though I am doing this export from the local users computer which is where the certificate should be held, rather than the server?
navjump (Author) commented:
Hi guys, sorry for the delay on this.

I got no further with this and it appears that the encrypted files all have a Mac origin, so I think this is related to the Windows issue that it encrypts files that were zipped on a Mac and unzipped on Windows.

Thank you all for your help, the encrypted files number hasn't increased but it is a shame we can't access the old files.