Help My IT Dept Is useless...

sarabell

Mar 22, 2011
Hello, I hope that someone is able to help me. I am trying to open my files that I encrypted a few months ago. My company recently placed us on a domain and deleted my prior user (login) that I created these files under. This "user" is the only one that it is showing as being able to access these files. I have tried renaming my computer back to the same "user" name, even using all of the letters and numbers after my "user name", with no luck. I have tried to copy and insert the certificates into other users to gain access and it did not work. My IT dept is no help at all. For the most part they are saying to call Microsoft... Is there any way to gain access to them again? I cannot lose these things. They are all of my vital files. Does anyone have any suggestions?

Thank you so much for your help !

~S
 
Your IT Department is correct. It is almost impossible to recover encrypted files once the user profile has been deleted. If you Google "unencrypt EFS" you will find some programs that claim to be able to do this, but they are fairly expensive and I can't vouch for any of them.

Encrypting data without keeping an unencrypted version elsewhere is a risky business. And, if these are business files, you really should not encrypt them. What if someone else needed access to this data in an emergency?
 
The user accounts are unique when created; a new user with the same name is not the "same" user to the operating system. Your IT dept should never have deleted your user but rather disabled it. Bad practice by them.

I think there are ways of getting the encryption keys back, but you actually need the files from your old user account. Have the IT department try some file recovery utilities to get your user directory back.

Take a look here http://www.techrepublic.com/forum/discussions/102-258290-2457845

http://www.elcomsoft.com/aefsdr.html

And it would not be your job to contact MS for support but the IT dept.

There is no "back-door" or a simple hack to get into your files, otherwise it would defeat the whole purpose of encryption if it was that easy to break in to them. But then that security comes at the price of having to be diligent in keeping your access available (not forgetting passwords, keeping secure backups of the keys, etc...).
 
"Your IT dept should never have deleted your user but rather disabled it. Bad practice by them."

I'd agree with that, if they knew the user had encrypted his disk/files. But did they know that? If they did they should have ensured that they had the means to unencrypt the files. I'm cynical, having worked in IT support, but I suspect that no-one ever told them about the encryption.

I'm afraid that retrieving the user's old directory, if it has been deleted, won't help.
 


What if she had files on her Desktop, custom macros, Favorites, PST files in the default locations, etc..., those are all stored in the profile directories.

You NEVER just delete a user account without checking things out; there are a dozen reasons not to. Lazy and/or untrained IT staff is what does that. Or Best Buy/Staples techs and such. At the least, you copy the profile to a backup first. Just saying it's not what a professional would do. Anyone that's done more than a few system re-builds would have known to back up user files.

With the user files, the recovery software has a chance to decrypt the files at least. Without it, you are missing the key used to create the encryption, and you'd need software to actually break the encryption, which is a lot tougher and pretty much out of the running as a possible solution.



 
"At the least, you copy the profile to a backup first."
I'm afraid that, in the case of encryption, that wouldn't have helped. The encryption is bound to the User's GUID, which you can't recreate.

There should be a proper IT policy with regard to encryption so that an escrow agent can be created allowing the Administrator to decrypt files. And any half-decent IT shop would do that if a user asked about encrypting their files (it's an obvious business requirement - you can't have people encrypting company data in such a way that it can only be recovered by them). But if a user encrypts their files without asking IT about it in the first place, or telling them, things get more difficult. I don't know enough about the circumstances in this case to comment further on that.

Ultimately, the responsibility does lie with the IT Department - or more likely with Management - for allowing users the ability to encrypt files. In a corporate environment users should be strictly limited in what they can do - no rights to encrypt files or install programs at a minimum. But users whine about this and Management often give in. Here we have a prime example of why a good IT shop will insist on this policy. Always worked for us!
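
The two safeguards raised in this thread (keeping a secure backup of the keys, and confirming that someone other than the user can decrypt before an account is removed) can be checked with a short script. This is an added example, not part of any post above; the profile path `C:\Users\olduser` and the function names are hypothetical, and it assumes it is run as an administrator on the machine that holds the files:

```powershell
# Added example (not from the thread): audit a profile for EFS-encrypted files
# BEFORE its account is deleted. 'C:\Users\olduser' is a placeholder path.

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    # EFS-protected files carry the NTFS "Encrypted" attribute.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Get-EfsAccessReport {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($file in (Get-EfsEncryptedFile -Path $Path)) {
        # 'cipher /c' prints who can decrypt the file: user certificates and
        # any recovery certificates. The text is kept raw for manual review
        # because its wording differs between Windows versions and languages.
        [pscustomobject]@{
            File    = $file.FullName
            Details = (& cipher.exe /c $file.FullName 2>&1 | Out-String).Trim()
        }
    }
}

$report = @(Get-EfsAccessReport -Path 'C:\Users\olduser')
if ($report.Count -eq 0) {
    Write-Output 'No EFS-encrypted files found under this path.'
} else {
    Write-Warning ("{0} EFS-encrypted file(s) found. Export the owner's key or confirm a recovery agent before deleting the account." -f $report.Count)
    $report | Format-List
}

# While the owner can still log on, the owner exports the EFS certificate and
# private key to a password-protected .PFX (cipher prompts for the password):
#   cipher /x "$env:USERPROFILE\efs-key-backup"
# Keep the resulting .PFX off the machine it protects.
```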
 


By using standard methods you can't, but if you use this http://www.elcomsoft.com/aefsdr.html, it looks to do a search for available files and can use them to decrypt. But you need those files first, which means getting the user files back. It does look like that software may do the trick if it can find user files even if they were deleted. Never tried it though.

"Recovering Encrypted Files

Advanced EFS Data Recovery decrypts files protected with EFS quickly and efficiently. Scanning the hard disk directly sector by sector, Advanced EFS Data Recovery locates the encrypted files as well as the available encryption keys, and decrypts the protected files. The direct access to the file system allows Advanced EFS Data Recovery to recover encrypted files in the most difficult cases even if the disk with data is only available without a valid user account to login into system, or when some encryption keys have been tampered with."
 


Ah, I see, the files are there, just the user is not anymore. For some reason I read the user and files created under that user were missing.