EFS error "Access Denied" for a user who encrypted a folder. He can no longer open files.

I have EFS applied in my environment. The DRA was configured first, and the DRA is the Domain Admin/Enterprise Admin account. The user in the HR department encrypted all files on a shared folder that is on a file server mapped to his user account via Group Policy.
The HR user is no longer accessing the files, and he is getting the "Access Denied" error when opening those files. The certificate is installed on this computer. The only thing that changed was his password, as we have a password policy of changing every 30 days. We implemented this about two months ago.
My question is: how can this HR user open those files again?
I have all certificates and private keys on my CA server and the HR user's computer. Please be specific.
Faust Romero (IT) Asked:

Shaun Vermaak (Technical Specialist) Commented:
Change the password back to the old password. You might need to assist if you have a password history. Just change the password a few times to allow for the old password.
Chirag Nagrekar (System Analyst) Commented:
As you said it is a shared HR folder, do you have the latest backup? If yes, you can restore from it.
Shaun Vermaak (Technical Specialist) Commented:
Probably an encrypted backup.

Faust Romero (IT, Author) Commented:
My question is how he is not able to open the files. Does this have to do with the password change? I have a 24-password history policy. I do not want to restore from backup, as the files are still intact on the shared folder. He just can no longer access those files (open files). I can use the DRA; I just need instructions on how to put the files back so he is able to read them. Please advise.
Peter Hutchison (Senior Network Systems Specialist) Commented:
If the user has changed his own password, then that will not affect access to encrypted files. If an admin changed the password, then it will affect access to files. The admin will have to log in and install their certificate on the computer; this will allow them to decrypt the files.

Check the user's AD account in the ADUC console and see if his certificate shows in the Published Certificates tab.

Does his certificate show in the Certificates.msc console on his PC, and does the key show that he has a private key attached?
Faust Romero (IT, Author) Commented:
1) The certificate is shown on the "Published Certificates" tab in Active Directory.

2) Yes, the certificate on his computer shows the icon with a private key. (below)
computer cert
3) His password was changed by an admin last week; I believe that's where the problem started.

4) The thumbprint shown in all the encrypted files is different than the thumbprint shown on his computer and in Active Directory (below).
Thumbprint from AD
Thumbprint is different in files in share folder.

is the best for the user to read on those files again?
If the issue started after the password reset, ask the admin to reset it back to the original old password; maybe you need to get in touch with the user.
If the user doesn't remember the password, then even a restore from backup will not help here.
You can use the EFS DRA to recover / decrypt files as long as the EFS DRA certificate thumbprint shown under the encrypted files' properties matches the one you have in the AD GPO recovery agent certificate.
If the two certificates are different, the DRA is not of use either.
If the thumbprint matches any certificate you have configured as DRA in AD, export that cert with its private key, log on to another workstation with that account, import the cert, copy the data locally, decrypt it and give it back to the user.
If the above did not match / work, then the only option could be to use 3rd party tools like Advanced EFS Recovery to recover the encrypted data.
After that, you need to configure the DRA correctly in a domain-wide GPO.
Faust Romero (IT, Author) Commented:
LVL41. I see on my Certificate Authority server the DRA certificate that matches the thumbprint on all files (below). How can I export this certificate from the server with its private key to decrypt the files? This is the domain admin that was created before encrypting everything. Please advise if with this account I will be able to decrypt the files. Thanks.
You need the private key of those certs to export with.
You cannot get those from the CA server, as the CA server doesn't store them unless you enable key archival on the CA server. This process should be done before you start rolling out certs; it cannot help now.
Private keys remain with the machine from which you requested the certs.

What you can do: log on to the 1st DC and check if you are able to locate those certs under the certificate Personal store. Only if you are able to export them with the private key will it work.
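
Added example, not part of the original thread: a PowerShell sketch of the check the answers above describe, reading the user and recovery (DRA) thumbprints from `cipher /c` output and testing whether the logged-on account's Personal store holds a matching certificate with a private key. The function names, the CONTOSO accounts and the thumbprints are hypothetical placeholders, and the parsing assumes the English section headings of `cipher /c`.

```powershell
# Added example. $sample is a CONSTRUCTED excerpt of `cipher /c <file>` output
# (English Windows); account names and thumbprints are placeholders.
$sample = @'
  Users who can decrypt:
    CONTOSO\hruser [hruser(hruser@CONTOSO)]
    Certificate thumbprint: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999

  Recovery Certificates:
    CONTOSO\Administrator [Administrator(Administrator@CONTOSO)]
    Certificate thumbprint: AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
'@

# Hypothetical helper: pull each thumbprint and tag it as a user key or a DRA key.
function Get-EfsThumbprint {
    param([string[]]$CipherOutput)
    $role = $null
    foreach ($line in $CipherOutput) {
        if ($line -match 'Users who can decrypt') { $role = 'User'; continue }
        if ($line -match 'Recovery Certificates') { $role = 'DRA'; continue }
        if ($role -and $line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            [pscustomobject]@{
                Role       = $role
                Thumbprint = ($Matches[1] -replace '\s', '').ToUpper()
            }
        }
    }
}

# Hypothetical helper: report whether the current account's Personal store holds
# a certificate with a private key for any thumbprint stamped on the file.
function Test-EfsKeyAvailable {
    param([string]$Path)   # omit -Path to run against the constructed sample
    $out = if ($Path) { cipher.exe /c $Path } else { $sample -split "`r?`n" }
    $store = Get-ChildItem Cert:\CurrentUser\My
    foreach ($t in Get-EfsThumbprint $out) {
        $cert = $store | Where-Object Thumbprint -eq $t.Thumbprint |
            Select-Object -First 1
        [pscustomobject]@{
            Role          = $t.Role
            Thumbprint    = $t.Thumbprint
            InStore       = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        }
    }
}

Test-EfsKeyAvailable | Format-Table -AutoSize
```

Run it as the HR user and again as the DRA account, passing `-Path` for one of the encrypted files; an account can open the file only if one of its rows shows `HasPrivateKey` as True.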

Faust Romero (IT, Author) Commented:
I have a backup of the HR user's private key from the beginning of the implementation of EFS. How can I install it and recover those files, so he can open them?
You have the private key?

In which form?

You need a certificate file in PFX format, which also contains the private key.

If that's the case, import this PFX file on the user's workstation under the user's Personal certificate store and you should be able to access the data....
Faust Romero (IT, Author) Commented:
I tried it; it did not work. I was not able to access the data. We will restore from a backup previous to EFS.
Faust Romero (IT, Author) Commented:
We will restore from a backup previous to EFS.