
Author EFS Help!!!
entrerixxx

2001-07-16, 5:29 pm

OK, Here we go:
I encrypted my NTFS 5.0 "My Documents" folder with a domain account and now I keep getting the message "Access is Denied". I do not know what happened because everything was working fine up until the later part of the day on Friday 07/13/01. The only thing that happened was I had a Lotus Notes "Spell Termination" error and the Notes team did something to my PC to fix it. After that I receive the "Access is Denied" message when trying to open any type of .doc, .xls, .txt, etc. I ran efsinfo /R and it told me the ID of a Recovery Agent. When he came to my workstation he tried to decrypt the directory by using the standard Windows Explorer approach. This did not work, however. Is he supposed to use the CIPHER command? Also, I really do not think that Notes should have caused this to happen, being that Notes should use a different Private Key than the one used by EFS. I also tried the local Admin account using the standard Windows Explorer approach, to no avail. Any advice would be great!
TW2001

2001-07-17, 12:07 am

I'm pretty sure it must be recovered at the computer where the Recovery Agent's certificate resides. How exactly this works in the domain model would depend on GPO and security settings. If you have admin rights to the local account... copy the folder from your network account to the local folder. Export the certificate to the local and see. Let me know how this works or what your end solution is. I've not seen many real-world problems with EFS. Hmmm... maybe that's why a lot of people are not using it?
Terje

2001-07-17, 2:06 am

You need to back up (not copy) the files before transferring the backup to the Data Recovery Agent (DRA).

In the future, export the File Recovery Certificate before problems occur...

I concur with TW2001, let's hear how this turns out.

Terje
entrerixxx

2001-07-17, 2:16 pm

I got to work today and found the name of the user who is the Recovery Agent for the Default Domain Policy. Of course he is not in today, so I cannot try anything, but after researching it I have come to the following conclusion:
Since I encrypted with a domain account, the Default Domain Policy Recovery Agent has to export his private key to a disk from a DC and then sit down at my machine and import it. He should in "theory" be able to decrypt my folders and files, hopefully. Another and more secure way would be, as someone said, to back up the encrypted data using the Backup tool that comes with Win2k, then send or give the .BKF file to the Recovery Agent. He can then restore the data, decrypt it and send it back to me, without having to load his private key on my machine. Let me know if these solutions sound like the right things to attempt. Hopefully I can give these a try tomorrow, depending on if the Enterprise Admin is in!!! I'll let you know how things turn out by the end of the week at the latest.
entrerixxx

2001-07-17, 2:17 pm

When a user logs into a Domain via a workstation, is his Private Key available to him via the "wire"?
Joe Blacke

2001-07-17, 2:41 pm

For recovery agents, the recovery key is part of the profile (the decryption or private key for the owner of the file is also part of the user's profile). If the recovery agent is set up with a roaming profile, then their certificate can be downloaded to the PC. If they are not set up with a roaming profile, then their certificate must be either stored locally or imported.
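
Added example, not part of the thread or written by any of its posters: a PowerShell check for the condition discussed above, namely whether the logged-on profile actually holds the private key for an EFS or File Recovery certificate that is listed on the encrypted file. It assumes a later Windows release than the Windows 2000 in the thread (PowerShell 3 or newer and `cipher /c`), and the file path and the thumbprint layout of the `cipher /c` output are assumptions.

```powershell
# Added example, not from the thread. Run it in the session of the account that
# gets "Access is Denied" (the file owner or the recovery agent).
param([string]$Path = 'C:\Data\report.doc')   # hypothetical encrypted file

# Enhanced Key Usage OIDs that mark a certificate as usable by EFS.
$Usage = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'EFS user'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery (DRA)'
}

# 1. Certificates in this profile that EFS could use, and whether the private
#    key is present (a .cer import or a non-roaming profile leaves it behind).
$mine = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { continue }
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($Usage.ContainsKey($oid.Value)) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Role          = $Usage[$oid.Value]
                HasPrivateKey = $cert.HasPrivateKey
                Subject       = $cert.Subject
            }
        }
    }
}

# 2. Thumbprints recorded in the file's EFS metadata (users and recovery agents).
#    Assumption: cipher /c prints each thumbprint as ten space-separated groups
#    of four hex digits.
$onFile = cipher /c $Path |
    Select-String -Pattern '(?:[0-9A-Fa-f]{4} ){9}[0-9A-Fa-f]{4}' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value -replace ' ', '' }

# 3. Decryption needs a certificate that is on the file AND has its key here.
$usable = @($mine | Where-Object {
    $_.HasPrivateKey -and ($onFile -contains $_.Thumbprint)
})

$mine | Format-Table -AutoSize
if ($usable.Count -eq 0) {
    Write-Warning "No private key in this profile matches a certificate on $Path."
} else {
    $usable | ForEach-Object { "Usable: $($_.Role) $($_.Thumbprint)" }
}
```

An empty result for the recovery agent's session means the File Recovery key has not been imported or roamed to that machine, which is the case the backup-and-restore route avoids.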

Copyright 2003 - 2009 examnotes.net