navjump
 asked on

Unable to access encrypted files on windows server with admin account

I've been given an admin account on a Windows server so I can set up a backup of essential files.

The software I am using failed on some file copies.
On checking the files, they were green within Explorer on the server and on clients, and therefore encrypted. Nobody needs them encrypted; it appears to be an accident.
From the client machines I can access them (slowly), which I understand; however, how can I access them with the admin account?
As the client accounts can access them, will unticking 'encrypt' on the files from a client machine work?
Thanks in advance
Encryption, Windows Server 2008, Windows Server 2012

Last Comment
navjump

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
n2fc

SOLUTION
McKnife

navjump

ASKER
Thank you both

The permissions of the files are set to 'everyone'; it's just that when locally accessing them with my admin account on the server I cannot, which means I cannot decrypt them. I'd rather not have to copy them somewhere over the network and copy them back. I'm hoping I can just decrypt from an account that has access.

I can view them from the client computers as mentioned.

McKnife are you thinking that each machine may have a key stored somewhere locally or this key may be on the server? I don't see how this makes it admin account specific, although I guess my admin account was added after this encryption happened.

I think someone was trying to compress a load of files to save space and they have confused encrypt with compress.
n2fc

Navjump: I agree with your hypothesis that someone confused encrypt with compress..
You probably should decrypt...

McKnife: Great article on EFS reference! Navjump can either remove the file from EFS or export/import the key as shown therein to solve the issue... But if recovery is the ultimate goal here and no business needs exist for EFS, best answer is probably to permanently decrypt!
navjump

ASKER
OK if my admin account cannot decrypt, shall I just go ahead and decrypt from a client computer that does have access?
n2fc

That's the easiest...

As we said, the alternative is to export the certificate from a client & import to yours to allow your access...
navjump

ASKER
So just to clarify, right click the file/folder > advanced and untick encrypt from a client machine on the network.
SOLUTION
Seth Simmons

navjump

ASKER
Sorry I am still puzzled by this.

I tested by picking a random client machine and accessing the shared drive and I was able to view the green files/folders. Does this mean I can decrypt from that machine or just view them?

My understanding is the recovery agent only allows to encrypt/decrypt an account added in for any new files, not the old files.

I don't know which account encrypted them.
McKnife

The one that can read them may decrypt them. Open the properties of that file/folder and, behind the advanced button on the general tab, simply uncheck the box "encrypt contents..."
navjump

ASKER
OK great that seems like good news as I was able to view them on a couple of client machines with users logged in. I am guessing these users are within the group that at the time was used to encrypt, but as I am a new admin user I am new to the user group used to encrypt.

Either way I will try this next site visit Friday and let you know how I get on.

Thanks
navjump

ASKER
Hey guys

No success with this today sadly. It seems a lot of the files can't be viewed and therefore not decrypted from the client machines.

I am concerned that if I change the main 'administrator' password so I can use that account, it will affect the decryption. Will that happen?

I also am concerned if I use the other suggested ideas that I might stop this from ever being able to be decrypted.

I am currently trying to get the original administrator to decrypt.

I would be grateful for a step-by-step alternative solution or pointing me to the relevant part of the document.

Thanks for your ongoing help and patience
McKnife

Changing a password will NOT stop EFS from working, you will be able to decrypt as long as you are able to read the data. As you could read, "by default, the administrator account is the data recovery agent" and will be able to read those files.
n2fc

The encryption/decryption mechanism for EFS is a certificate stored in each user's certificate database...

So long as that database remains accessible, there should be no issues!
navjump

ASKER
OK, so when I access on either my admin account or from a client logged in on their machine, it just says 'administrator access required'. So it sounds for sure like I need to use the main admin account.

I think I'll try and get it from the old admin who has not been very helpful, but you think ok to use my admin account to change the main administrator password and just do it that way?

I was just trying to be tactful and not change that account password.
n2fc

Kinda what I was alluding to...
if you change the password, you MIGHT lose access to that certificate database!

It depends on that account's encryption settings...
navjump

ASKER
So my best bet is to obtain the original admin password?

Seems unusual with passwords that are set to expire after X number of days though. I guess encryption is designed to not be easy to decrypt though.
navjump

ASKER
No way to find out which account encrypted them?
n2fc

See the following article...
it may or may not apply to your case, but I would NOT be so quick as to force change that password!

http://support.microsoft.com/kb/290260
n2fc

A user can change his OWN password with impunity...

BUT force changing of ANOTHER account by an admin can lose access to the certificates...

My earlier recommendation stands...

Logon to any account that can read the file and EXPORT the certificate from THAT account...

You can then IMPORT  that certificate to ANY other account to gain the same access!
navjump

ASKER
Yeah, the problem I am having is it's not consistent. The user I tried last week has access to a few of the files (hardly any), but the account I tried today had access to none. So I tried the account for last week to be sure and confirmed very little access.

Are the users manually given the certificate at the time of encryption or is that automatically created?

I have no consistency and nobody remembers doing this so it was an accidental encryption which could have been by any user and not necessarily one still part of the office as from what I can tell this has been neglected a while.

So if I can log on to the proper original administrator account without me having to change the password is that currently my best bet?

Thanks

John
McKnife

Changing a password of another account will never prevent that other account from accessing his certificates - where did you read that, n2fc?
n2fc

1) McKnife:  I posted link to reference... as I said, this issue MIGHT apply, but risky, so I would change password ONLY as LAST resort...

2) Best bet is to GET THE PASSWORD!

3) John: Still not sure WHY you won't try to export the certificates...  Harmless to do, and will let you know what (further) options you might try!

How-to link here: http://windows.microsoft.com/en-us/windows/back-up-efs-certificate#1TC=windows-7


4) Certificates are auto-generated...  Article on how they are generated and used here:
http://technet.microsoft.com/en-us/library/cc962103.aspx
navjump

ASKER
I'm happy to export the certificates, but I don't really have one that is allowing access to all the files, so it seemed a bit futile.

Admin account seems best bet

I'll give it a go

Thank you for the advice I'll keep you posted.
McKnife

I see. This ( http://support.microsoft.com/kb/290260 ) is true for local accounts, not for domain accounts, if I am not mistaken. navjump, is this a domain account or a local one?
n2fc

Yet another article describing recovery issues for encrypted files...

Worth reading!

http://blogs.interfacett.com/windows-7-how-to-use-cipher-exe-a-critical-win-7-security-tool

It describes the cipher.exe tool (NTFS EFS tool) as well as the various certificate option & issues as well as setting up the "recovery agent" for EFS...
navjump

ASKER
Sidenote:

This isn't likely to be a crypto locker virus?

I've seen that before but not turning files 'green' so I'm girding unlikely
navjump

ASKER
*guessing
n2fc

Yes... unlikely... they encrypt (but NOT with EFS)... and demand a ransom to decrypt...
McKnife

Again: is this a domain user account or a local one?
navjump

ASKER
Domain user
McKnife

Then I don't think changing the password would hurt. But you should look that up or better stage it in a test environment.
navjump

ASKER
I found this last night

http://blogs.msdn.com/b/asklar/archive/2012/05/03/why-do-zip-files-from-mac-os-show-up-as-green-encrypted.aspx

It's explaining an issue where a zip file created on a Mac and unzipped on Windows marks the files as encrypted. About 50% of the users are Mac users. Although the unticking obviously doesn't work.
n2fc

Apple was never known for "playing nice with others"...

They demand all others defer to THEIR way or the highway!
navjump

ASKER
Right so the previous admin is unable to provide the original administrator password.

I'm going to change the admin password and test tomorrow.

I'm also getting frustrated with waiting a week to do anything, so I will get TeamViewer installed for remote access and get this nailed with your help.
n2fc

Again, I STRONGLY urge you to TRY import/export of certificates from a user who can read the file(s) BEFORE changing that password!
navjump

ASKER
OK

As I've said I'm not having any luck with users that can open them at all.

I'm going to use the EFS info tool to try and find out which account encrypted them as a first step.
navjump

ASKER
OK, the EFS info tool provides no info on these files/doesn't work - it's as if they don't exist.

Administrator account does not allow access to them either

It's like they have been encrypted elsewhere which leads me back to the mac unzipping issue.

A large chunk of the files have the mac_os prefix in them which is suggestive of this. However, they can't be unticked you get the standard encrypted file message which just asks for admin permission and then fails.

I'm at a point where I should write these files off, I think; it's about 450 files, a very small chunk in the scheme of things, and nobody has had access to these for a long time.
navjump

ASKER
OK a little bit more digging.

Tried to use the EFSinfo tool as I said and it was useless, but if I simply go to the advanced tab in the properties and then 'details' next to the file, it says "users who can access this file" and a name. The name doesn't seem to be our domain account format; it's actually first name / last name.

A few random file checks show different users for different files which is concerning. Still not sure why this has happened.

If I try to add a user who can decrypt the file. I get a list of 2 users who are other users on the network. Very odd. I can't add any of them though as I get an error message saying I don't have access to do it. I am guessing because I am using my admin account rather than the account named in the top box saying who has access.

So, is my best bet to go through each file and just identify who has access to each file and then get them to decrypt them?

You mentioned how I can add the certificates for the user to my admin account I am still puzzled by this process.

Do I take the certificate from the users local/client machine running windows 7, then return to my server and add the certificate in there under my login account? This way I can just decrypt them all rather then getting them to identify and decrypt each file?

Thanks again for your patience, I am mildly dyslexic so I hope you can appreciate things take me a little longer than most.
n2fc

In a previous reply I supplied a link to the export/import process...

All you need do is export the certificate from a user who CAN access the file and then import it  to another user who would like to enjoy the same usage.
navjump

ASKER
Thanks again n2fc

just to clarify though I am doing this export from the local users computer which is where the certificate should be held, rather than the server?
n2fc

Yes
navjump

ASKER
Hi guys, sorry for the delay on this.

I got no further with this and it appears that the encrypted files all have a Mac origin, so I think this is related to the Windows issue where it encrypts files that were zipped on a Mac and unzipped on Windows.

Thank you all for your help. The number of encrypted files hasn't increased, but it is a shame we can't access the old files.
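
The question the thread keeps returning to is which certificate each encrypted file needs and whether a given account holds it. As an added example (not part of the original thread), this PowerShell script inventories the EFS-encrypted files under a share and reports, per certificate thumbprint, whether the logged-on account has the matching private key. `D:\Shares` is a placeholder path, the parsing assumes English `cipher /c` output, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Run it in the session of the account being tested.
param([string]$Root = 'D:\Shares')   # placeholder path (assumption)

# Thumbprints of certificates in this user's personal store that have a private key.
$mine = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { $_.Thumbprint })

$rows = Get-ChildItem -LiteralPath $Root -Recurse -File -Attributes Encrypted -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $role = $null; $prev = ''
        # cipher /c lists the users and recovery agents whose certificates can open the file.
        foreach ($line in (& cipher.exe /c $file 2>&1 | ForEach-Object { "$_".Trim() })) {
            if     ($line -like 'Users who can decrypt*') { $role = 'User' }
            elseif ($line -like 'Recovery Certificates*') { $role = 'RecoveryAgent' }
            elseif ($line -like 'Key Information*')       { $role = $null }
            elseif ($role -and $line -match 'thumbprint:\s*([0-9A-Fa-f ]+)') {
                $tp = ($Matches[1] -replace '\s', '').ToUpper()
                [pscustomobject]@{
                    File       = $file
                    Role       = $role
                    Holder     = $prev        # name line printed just above the thumbprint
                    Thumbprint = $tp
                    HaveKey    = $mine -contains $tp
                }
            }
            if ($line) { $prev = $line }
        }
    }

# One line per certificate: how many files it opens and whether this account can use it.
$rows | Group-Object Thumbprint, Role | Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Files      = $_.Count
            Role       = $first.Role
            Holder     = $first.Holder
            Thumbprint = $first.Thumbprint
            HaveKey    = $first.HaveKey
        }
    } | Format-Table -AutoSize
```

A certificate listed with `HaveKey` False has to be exported with its private key from the profile of the named holder and imported into this account before the files it covers can be decrypted here.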