Archived from groups: microsoft.public.win2000.security, microsoft.public.security.crypto
I don't really know what is going on offhand with your admin account on that
particular computer. I do know that the RA certificate/key does not seem to
care what user account it is imported into to be able to decrypt files as an
RA, as I have experienced similar results. What I would try is to restore the
files to another computer, log on as your administrator account on that
computer [best done on a computer where a fresh profile will be generated at
logon], import your RA .pfx file and see if that works or not, again being
sure that your account has proper NTFS permissions to that EFS file.
Unfortunately it can be difficult to track down such EFS problems, as from my
experience there are usually no events recorded in the security/system logs
that would be of help and you end up with that "access denied" message,
though you should still check those logs to see if anything pertinent
shows. --- Steve
"Thomas McLeod" <thomas03@mcleodsoft.net.nospam> wrote in message
news:%23flyscdgFHA.2880@TK2MSFTNGP14.phx.gbl...
> Steve,
>
> I logged on to a domain computer (not the one where the file was encrypted)
> as the user that encrypted the file and imported the RA key pair and was able
> to decrypt the file. The question now is: why can't I decrypt the file from
> my admin account on the same machine? My admin account has the same RA key
> pair installed, in fact that is the profile from where I exported the keys.
>
> Thomas
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:%23bTf1MOgFHA.3164@TK2MSFTNGP15.phx.gbl...
>> I would try logging onto a domain computer that has EFS files on it where
>> you are supposed to be RA and importing your RA .pfx file into that user
>> account to see if that works. If it does then it would seem there may be a
>> problem with your backup and restore operation. If it still does not then I
>> am not sure what the problem is but what I would do is to define an
>> additional RA, encrypt some files after the domain computers recognize the
>> new CA which will need GP to replicate and refresh, and then try again with
>> the new RA. Logging on as the user and importing the RA would not
>> demonstrate that the RA was working unless you are 100 percent sure that the
>> user's EFS certificate/private key does not exist on the computer. ---
>> Steve
>>
>>
>> "Thomas McLeod" <thomas03@mcleodsoft.net.nospam> wrote in message
>> news:O8DbrSNgFHA.2156@TK2MSFTNGP14.phx.gbl...
>> > Steve,
>> >
>> > I've never been able to decrypt any files as RA. I am able to export the
>> > key pair to a .pfx but I haven't tried importing the RA key pair to the
>> > user's machine to test RA recovery. I guess what I should do in that case
>> > is import the keys into my admin profile on that machine, right? It seems
>> > importing them into the account of the user who encrypted the file
>> > wouldn't test RA recovery.
>> >
>> > Thanks,
>> >
>> > Thomas
>> >
>> >
>> >
>> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> > news:lYKdnT3bPa5-H1rfRVn-vA@comcast.com...
>> >> Can you decrypt any files as the RA or is the problem specific for this
>> >> user or file? Another thing to try to make sure your RA private key is
>> >> intact is to export your RA certificate/private key to a password
>> >> protected .pfx file [.cer file will not contain private key] and then
>> >> log on to the user's computer and import your RA certificate/private key
>> >> via the .pfx file to see if that works, again making sure you have full
>> >> control permission to the file. --- Steve
>> >>
>> >>
>> >> "Thomas McLeod" <thomas03@mcleodsoft.net.nospam> wrote in message
>> >> news:OH%23$2qxfFHA.3936@TK2MSFTNGP14.phx.gbl...
>> >> > Yes, I have full control ACL on the file.
>> >> >
>> >> > I'm doing this in the lab. The file does not have important data. I
>> >> > can still log on as the original user and decrypt the file. I'm
>> >> > attempting to see if I can indeed decrypt a file as an RA, but so far
>> >> > it hasn't worked.
>> >> >
>> >> > This is the output from cipher.
>> >> >
>> >> > C:\Documents and Settings\Thomas\Desktop>cipher /D /A "to Thomas.txt"
>> >> >
>> >> > Decrypting files in C:\Documents and Settings\Thomas\Desktop\
>> >> >
>> >> > to Thomas.txt [ERR]
>> >> > to Thomas.txt: Access is denied.
>> >> >
>> >> > 0 file(s) [or directorie(s)] within 1 directorie(s) were decrypted.
>> >> >
>> >> > All help appreciated.
>> >> >
>> >> > Thomas
>> >> >
>> >> >
>> >> >
>> >> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> >> > news:OadmrpffFHA.3232@TK2MSFTNGP15.phx.gbl...
>> >> >> Sounds like you should be good to go. One thing to check is that you
>> >> >> have full control permissions on that file and you might try using
>> >> >> the cipher command. In a Windows 2000 domain or Windows 2000 local
>> >> >> user, if the user account still exists try resetting the user's
>> >> >> password then logging on as the user on the computer where the file
>> >> >> was encrypted and see if you can decrypt the file. The user's profile
>> >> >> and certificate/private key would need to be on the computer in order
>> >> >> for such to work. -- Steve
>> >> >>
>> >> >>
>> >> >> "Thomas McLeod" <thomas03@mcleodsoft.net.nospam> wrote in message
>> >> >> news:%23zkDFNffFHA.3584@TK2MSFTNGP09.phx.gbl...
>> >> >> >
>> >> >> > Dear All,
>> >> >> >
>> >> >> > I'm the domain RA and I restored a file encrypted by another user
>> >> >> > to my machine. All machines are Win2k SP4. Using efsinfo, I checked
>> >> >> > that my RA cert is on the file and also installed in my personal
>> >> >> > store with the private key available. I checked the thumbprints and
>> >> >> > they match.
>> >> >> >
>> >> >> > But I still can't decrypt the file. What's up?
>> >> >> >
>> >> >> > Thomas
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
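
The checks described at the start of the thread (RA certificate in the personal store, private key available, thumbprint matching the one on the file) can be scripted on Windows versions that include PowerShell, which the Win2k SP4 machines in the thread do not. This is an added example, not part of the original posts; the `$FileThumbprint` default is a constructed placeholder to be replaced with the recovery agent thumbprint reported for the file, and `ConvertTo-NormalThumbprint` is a helper name invented here.

```powershell
# Added example: check the current profile for an EFS recovery agent (RA)
# certificate that matches the thumbprint recorded on an encrypted file.
param(
    # Constructed placeholder; paste the RA thumbprint reported for the file.
    [string]$FileThumbprint = '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
)

# OID of the "File Recovery" enhanced key usage carried by EFS RA certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Tools often print thumbprints with spaces; strip everything that is not hex.
function ConvertTo-NormalThumbprint([string]$Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$wanted = ConvertTo-NormalThumbprint $FileThumbprint

# Walk the current user's Personal store, the store a .pfx import lands in.
$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Collect the EKU OIDs from the certificate's extensions, if any.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        MatchesFile    = ($cert.Thumbprint -eq $wanted)
        HasPrivateKey  = $cert.HasPrivateKey   # False for a .cer-only import
        IsFileRecovery = ($ekuOids -contains $FileRecoveryOid)
    }
}

$report | Format-Table -AutoSize

# All three conditions must hold for this profile to act as RA for the file.
$usable = $report | Where-Object {
    $_.MatchesFile -and $_.HasPrivateKey -and $_.IsFileRecovery
}
if ($usable) { 'RA certificate with private key found in this profile.' }
else { 'No matching RA certificate with a private key in this profile.' }
```

As the thread itself shows, passing these checks does not guarantee that decryption succeeds; it only rules out a missing key or a mismatched certificate.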