Archived from groups: microsoft.public.windowsxp.security_admin
Kerry,
Thanks very much for the help.
According to the very poor Microsoft documentation, the operation under a
domain is considerably different.
Yet your explanation is logical. I will give it another try.
However, I deleted my certificates. Why can I still decrypt the test files?
I'm reluctant to use a system that I don't completely understand, especially
one as important as this. There are many, many unhappy stories on the
newsgroups of users not being able to retrieve their files.
________________________________
Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
>
>>Kerry,
>>
>>Excellent. However, I haven't been able to make it work. I must be doing
>>something wrong, obviously.
>>
>>I was worried about backing up the wrong certificate, so I deleted my
>>personal certificates from:
>>
>>Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
>>Policies/ Encrypting File System/
>>
>>and
>>
>>Certificates - Current User/ Personal/ Certificates/
>>
>>and
>>
>>Certificates - Current User/ Trusted People/ Certificates/
>>
>>However, I am still able to decrypt a pre-encrypted file.
>>
>>So, which Certificate is active, and where is it? Second, how can a
>>certificate be enough, when the certificate does not include the private
>>key?
>>
>
>
> Run mmc.exe. Add in the Certificates snap-in. When prompted pick "Manage
> certificates for my user account". Expand the Personal tree. Look in the
> Certificates folder. There was only one cert there; it had my user name.
> Right-click on it and check the properties to make sure it is the EFS cert.
> Under "All Tasks" pick export and follow the prompts, making sure to save the
> private key with it.
>
>
>>You were logged in as Administrator? Where did you export the Certificate
>>and private key? Where did you import it.
>>
>
>
> No, I wasn't logged in as administrator. I encrypted a file, then logged in
> as a different user to confirm I couldn't access the file. I logged back in
> as myself and moved the file to a shared folder on a server. At this point
> other users could see the file but couldn't access it. I logged in as myself
> and exported the certificate to the same shared folder. I went to another
> computer, logged in as a different user again and tried to access the file.
> Access was denied. I imported the certificate with the Certificates MMC
> snap-in. I was then able to access the encrypted file no problem.
>
>
>>I'm not on a domain. These are laptop computers I am using for test.
>>
>
>
> Should work the same. Hope this helps.
>
> Kerry
>
>
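An added example, not part of the original thread: a PowerShell check that can be run before the export described in the quoted reply. It lists the EFS certificates in the current user's Personal store, shows whether each has a private key, and marks the one recorded as current. It assumes a Windows version with PowerShell 3.0 or later (newer than the Windows XP discussed here) and that the current EFS thumbprint is kept in the `CertificateHash` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys`; the function and variable names are illustrative.

```powershell
# Added example: inventory EFS certificates for the logged-on user.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'  # assumed location

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # True only when the certificate carries an EKU extension that lists the EFS OID.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $efsOid) { return $true }
            }
        }
    }
    return $false
}

# Thumbprint of the certificate EFS uses for new encryption (REG_BINARY -> hex string).
$activeThumb = $null
$current = Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue
if ($current) {
    $activeThumb = -join ($current.CertificateHash | ForEach-Object { $_.ToString('X2') })
}

$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })

$efsCerts | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        Expires       = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey          # must be True for a usable .pfx backup
        CurrentEfsKey = ($_.Thumbprint -eq $activeThumb)
    }
} | Format-Table -AutoSize

if ($activeThumb -and -not ($efsCerts | Where-Object { $_.Thumbprint -eq $activeThumb })) {
    Write-Warning "Current EFS thumbprint $activeThumb has no certificate in the Personal store."
}
if ($efsCerts | Where-Object { -not $_.HasPrivateKey }) {
    Write-Warning 'At least one EFS certificate has no private key here; exporting it cannot restore access.'
}
```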