Solved

Unable to access encrypted files on windows server with admin account

Posted on 2014-11-24
43
132 Views
Last Modified: 2015-03-02
I've been given an admin account on a Windows server so I can set up a backup of essential files.

The software I am using failed on some file copies.
On checking the files, they were green within Explorer on the server and on clients, and therefore encrypted. Nobody needs them encrypted; it appears to be an accident.
From the client machines I can access them (slowly), which I understand; however, how can I access them with the admin account?
As the client accounts can access them, will unticking encrypt on the files on a client machine work?
Thanks in advance
0
Comment
Question by:navjump
43 Comments
 
LVL 19

Accepted Solution

by:
n2fc earned 167 total points
ID: 40461625
If there is no need to encrypt them, you should undo this for speed and ease of recovery...

However your inability to access is more likely a permissions issue...

Make sure the permissions allow the appropriate access for administrators as well!
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40461865
Please read about the efs recovery agent procedures here, as EFS is what "greens" them.
http://technet.microsoft.com/en-us/library/cc512680.aspx
0
 

Author Comment

by:navjump
ID: 40461934
Thank you both

The permissions of the files are set to 'everyone'; it's just that when locally accessing them with my admin account on the server I cannot, which means I cannot decrypt them. I'd rather not have to copy them somewhere over the network and copy them back. I'm hoping I can just decrypt from an account that has access.

I can view them from the client computers as mentioned.

McKnife are you thinking that each machine may have a key stored somewhere locally or this key may be on the server? I don't see how this makes it admin account specific, although I guess my admin account was added after this encryption happened.

I think someone was trying to compress a load of files to save space and they have confused encrypt with compress.
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40461970
Navjump: I agree with your hypothesis that someone confused encrypt with compress..
You probably should decrypt...

McKnife: Great article on EFS reference! Navjump can either remove the file from EFS or export/import the key as shown therein to solve the issue... But if recovery is the ultimate goal here and no business needs exist for EFS, best answer is probably to permanently decrypt!
0
 

Author Comment

by:navjump
ID: 40461980
OK if my admin account cannot decrypt, shall I just go ahead and decrypt from a client computer that does have access?
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40462032
That's the easiest...

As we said, the alternative is to export the certificate from a client & import to yours to allow your access...
0
 

Author Comment

by:navjump
ID: 40462148
So just to clarify, right click the file/folder > advanced and untick encrypt from a client machine on the network.
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 166 total points
ID: 40462154
if that client machine is logged in as the user it was encrypted with, then yes, do it that way
otherwise, use the recovery agent as mentioned earlier
just because you have full rights at the ntfs level doesn't bypass encryption
0
 

Author Comment

by:navjump
ID: 40462178
Sorry I am still puzzled by this.

I tested by picking a random client machine and accessing the shared drive and I was able to view the green files/folders. Does this mean I can decrypt from that machine or just view them?

My understanding is the recovery agent only allows to encrypt/decrypt an account added in for any new files, not the old files.

I don't know which account encrypted them
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40462403
The one that can read them may decrypt them. Open the properties of that file/folder and, behind the advanced button on the general tab, simply uncheck the box "encrypt contents..."
0
 

Author Comment

by:navjump
ID: 40465111
OK great that seems like good news as I was able to view them on a couple of client machines with users logged in. I am guessing these users are within the group that at the time was used to encrypt, but as I am a new admin user I am new to the user group used to encrypt.

Either way I will try this next site visit Friday and let you know how I get on.

Thanks
0
 

Author Comment

by:navjump
ID: 40470174
Hey guys

No success with this today sadly. It seems a lot of the files can't be viewed and therefore not decrypted from the client machines.

I am concerned that if I change the main 'administrator' password so I can use that account, it will affect the decryption. Will that happen?

I also am concerned if I use the other suggested ideas that I might stop this from ever being able to be decrypted.

I am currently trying to get the original administrator to decrypt.

I would be grateful for a step-by-step alternative solution or for pointing me to the relevant part of the document.

Thanks for your ongoing help and patience
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40470182
Changing a password will NOT stop EFS from working, you will be able to decrypt as long as you are able to read the data. As you could read, "by default, the administrator account is the data recovery agent" and will be able to read those files.
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40470402
The encryption/decryption mechanism for EFS is a certificate stored in each user's certificate database...

So long as that database remains accessible, there should be no issues!
0
 

Author Comment

by:navjump
ID: 40470669
OK, so when I access on either my admin account or from a client logged in on their machine, it just says 'administrator access required'. So it sounds for sure like I need to use the main admin account.

I think I'll try and get it from the old admin who has not been very helpful, but you think ok to use my admin account to change the main administrator password and just do it that way?

I was just trying to be tactful and not change that account password.
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40470696
Kinda what I was alluding to...
if you change the password, you MIGHT lose access to that certificate database!

It depends on that account's encryption settings...
0
 

Author Comment

by:navjump
ID: 40470701
So my best bet is to obtain the original admin password?

Seems unusual with passwords that are set to expire after X number of days though. I guess encryption is designed to not be easy to decrypt though.
0
 

Author Comment

by:navjump
ID: 40470703
No way to find out which account encrypted them?
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40470705
See the following article...
it may or may not apply to your case, but I would NOT be so quick as to force change that password!

http://support.microsoft.com/kb/290260
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40470715
A user can change his OWN password with impunity...

BUT force changing of ANOTHER account by an admin can lose access to the certificates...

My earlier recommendation stands...

Logon to any account that can read the file and EXPORT the certificate from THAT account...

You can then IMPORT  that certificate to ANY other account to gain the same access!
0
 

Author Comment

by:navjump
ID: 40470722
Yeah, the problem I am having is it's not consistent. The user I tried last week has access to a few of the files (hardly any), but the account I tried today had access to none. So I tried the account for last week to be sure and confirmed very little access.

Are the users manually given the certificate at the time of encryption or is that automatically created?

I have no consistency and nobody remembers doing this so it was an accidental encryption which could have been by any user and not necessarily one still part of the office as from what I can tell this has been neglected a while.

So if I can log on to the proper original administrator account without me having to change the password is that currently my best bet?

Thanks

John
0

 
LVL 53

Expert Comment

by:McKnife
ID: 40470750
Changing a password of another account will never prevent that other account from accessing his certificates - where did you read that, n2fc?
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40470767
1) McKnife:  I posted link to reference... as I said, this issue MIGHT apply, but risky, so I would change password ONLY as LAST resort...

2) Best bet is to GET THE PASSWORD!

3) John: Still not sure WHY you won't try to export the certificates...  Harmless to do, and will let you know what (further) options you might try!

How-to link here: http://windows.microsoft.com/en-us/windows/back-up-efs-certificate#1TC=windows-7


4) Certificates are auto-generated...  Article on how they are generated and used here:
http://technet.microsoft.com/en-us/library/cc962103.aspx
0
 

Author Comment

by:navjump
ID: 40470774
I'm happy to export the certificates, but I don't really have one that is allowing access to all the files, so it seemed a bit futile.

Admin account seems best bet

I'll give it a go

Thank you for the advice I'll keep you posted.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40470780
I see. This ( http://support.microsoft.com/kb/290260 ) is true for local accounts, not for domain accounts, if I am not mistaken. navjump, is this a domain account or a local one?
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40470789
Yet another article describing recovery issues for encrypted files...

Worth reading!

http://blogs.interfacett.com/windows-7-how-to-use-cipher-exe-a-critical-win-7-security-tool

It describes the cipher.exe tool (NTFS EFS tool) as well as the various certificate options & issues as well as setting up the "recovery agent" for EFS...
0
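Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell script that runs the `cipher /c` report from the tool described above over every EFS-encrypted file under a folder, then groups the files by the certificate thumbprint that can decrypt them and flags thumbprints whose private key is in the current account's store. The share path, the function name `Get-EfsKeyHolder` and the English `cipher.exe` output labels it parses are assumptions.

```powershell
# Added example. Assumptions: English cipher.exe output; $Root is a placeholder path.
param([string]$Root = 'D:\Shares\Data')

function Get-EfsKeyHolder {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists, per file, the users and recovery agents that can decrypt it,
    # each followed by a "Certificate thumbprint:" line.
    $section = $null
    $holder  = $null
    foreach ($line in (& cipher.exe /c $Path)) {
        if ($line -match 'Users who can decrypt') {
            $section = 'User'
        } elseif ($line -match 'Recovery Certificates') {
            $section = 'RecoveryAgent'
        } elseif ($section -and $line -match 'Certificate thumbprint:\s*(.+)$') {
            [pscustomobject]@{
                File       = $Path
                Role       = $section
                Holder     = $holder   # last non-empty line before the thumbprint
                Thumbprint = ($Matches[1] -replace '\s', '').ToUpper()
            }
        } elseif ($section -and $line.Trim()) {
            $holder = $line.Trim()
        }
    }
}

# Every file under $Root that carries the NTFS "Encrypted" attribute (the green ones).
$holders = Get-ChildItem -LiteralPath $Root -Recurse -File -Attributes Encrypted -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EfsKeyHolder -Path $_.FullName }

# Thumbprints of certificates in this account's store that have a private key.
$mine = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object HasPrivateKey |
    ForEach-Object Thumbprint

# One row per certificate: how many files it opens and whether this account holds the key.
$holders |
    Group-Object Thumbprint, Role, Holder |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'KeyInThisProfile'; e = { $mine -contains $_.Group[0].Thumbprint } }
```

A row with `KeyInThisProfile` set to `True` marks an account from which the certificate can be exported as described in the thread; thumbprints that match no account on any machine have no private key available to export.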
 

Author Comment

by:navjump
ID: 40470828
Sidenote:

This isn't likely to be a crypto locker virus?

I've seen that before but not turning files 'green' so I'm girding unlikely
0
 

Author Comment

by:navjump
ID: 40470829
*guessing
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40471070
Yes... unlikely... they encrypt (but NOT with EFS)... and demand a ransom to decrypt...
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40471573
Again: is this a domain user account or a local one?
0
 

Author Comment

by:navjump
ID: 40471652
Domain user
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40471656
Then I don't think changing the password would hurt. But you should look that up or better stage it in a test environment.
0
 

Author Comment

by:navjump
ID: 40471658
I found this last night

http://blogs.msdn.com/b/asklar/archive/2012/05/03/why-do-zip-files-from-mac-os-show-up-as-green-encrypted.aspx

It's explaining an issue where a zip file created on a Mac and unzipped on Windows marks the files as encrypted. About 50% of the users are Mac users. Although the unticking obviously doesn't work
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40471681
Apple was never known for "playing nice with others"...

They demand all others defer to THEIR way or the highway!
0
 

Author Comment

by:navjump
ID: 40480238
Right so the previous admin is unable to provide the original administrator password.

I'm going to change the admin password and test tomorrow.

I'm also getting frustrated with waiting a week to do anything, so I will get TeamViewer installed for remote access and get this nailed with your help.
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40480505
Again, I STRONGLY urge you to TRY import/export of certificates from a user who can read the file(s) BEFORE changing that password!
0
 

Author Comment

by:navjump
ID: 40480550
OK

As I've said I'm not having any luck with users that can open them at all.

I'm going to use the EFS info tool to try and find out which account encrypted them as a first step.
0
 

Author Comment

by:navjump
ID: 40485369
OK, the EFS info tool provides no info on these files/doesn't work - it's as if they don't exist.

Administrator account does not allow access to them either

It's like they have been encrypted elsewhere which leads me back to the mac unzipping issue.

A large chunk of the files have the mac_os prefix in them which is suggestive of this. However, they can't be unticked you get the standard encrypted file message which just asks for admin permission and then fails.

I'm at a point where I should write these files off, I think; it's about 450 files, a very small chunk in the scheme of things, and nobody has had access to these for a long time.
0
 

Author Comment

by:navjump
ID: 40485393
OK a little bit more digging.

Tried to use the EFSinfo tool as I said, and it was useless, but if I simply go to the advanced tab in the properties and then 'details' next to the file, it says "users who can access this file" and a name. The name doesn't seem to be in our domain account format; it's actually first name / last name.

A few random file checks show different users for different files which is concerning. Still not sure why this has happened.

If I try to add a user who can decrypt the file. I get a list of 2 users who are other users on the network. Very odd. I can't add any of them though as I get an error message saying I don't have access to do it. I am guessing because I am using my admin account rather than the account named in the top box saying who has access.

So, is my best bet to go through each file and just identify who has access to each file and then get them to decrypt them?

You mentioned how I can add the certificates for the user to my admin account I am still puzzled by this process.

Do I take the certificate from the user's local/client machine running Windows 7, then return to my server and add the certificate in there under my login account? This way I can just decrypt them all rather than getting them to identify and decrypt each file?

Thanks again for your patience, I am mildly dyslexic so I hope you can appreciate things take me a little longer than most.
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40485437
In a previous reply I supplied a link to the export/import process...

All you need do is export the certificate from a user who CAN access the file and then import it  to another user who would like to enjoy the same usage.
0
 

Author Comment

by:navjump
ID: 40485458
Thanks again n2fc

Just to clarify though, I am doing this export from the local user's computer, which is where the certificate should be held, rather than the server?
0
 
LVL 19

Expert Comment

by:n2fc
ID: 40485603
Yes
0
 

Author Comment

by:navjump
ID: 40639209
Hi guys, sorry for the delay on this.

I got no further with this, and it appears that the encrypted files all have a Mac origin, so I think this is related to the Windows issue that it encrypts files that were zipped on a Mac and unzipped on Windows.

Thank you all for your help; the number of encrypted files hasn't increased, but it is a shame we can't access the old files.
0
