Can't open EFS protected file with a DRA
Hi all, not sure what I am missing here. I have a Vista client joined to a domain. The domain has one DC running Win 2008 R2 (it's my virtual test lab). On the Vista client I protected a folder with EFS. The Default Domain Policy has the Administrator as the default DRA for EFS.

I have tried opening the file from the DC (I connect to the client with \\machinename\c$), but get access denied. I have verified the recovery agents are listed on the file by looking at the Details button on the file and confirmed that it is indeed the certificate and private key installed on my DC. Logged on to the DC with the administrator account as well. What am I missing?

I tried copying the file to the desktop of my DC to see if it needed to be opened locally, but I get a "You need permission from domain\username to make changes" error. Any ideas? Thanks a lot!
January 21st, 2011 10:55am

You are missing the PKI aspect of EFS and its DRA. You must log on with an account that has the DRA certificate and its private key in its user profile.

- It really does not matter which account you log on as.
- Just logging on as the administrator does not give you access to the file.

You must find the P12 file (if you have it) and import the certificate into a profile *on the local computer where the file is encrypted*. You can then recover the file.

Brian
January 21st, 2011 11:02am

Thanks for the quick reply. I understand I need the private key on the computer that I am logged in to with the DRA. In this case I am. I am logged on as the administrator on the DC where the private key is. I am trying to access the encrypted file across the network. Are you saying I can't do it like this? I must log in to the machine where the file is actually stored? Should I be able to copy the file to the DC and open it from there?

I am working on recovery scenarios and am concerned about the case where I have a client on which Windows is inaccessible. I wanted to make sure I could just grab the data and open it somewhere else.
January 21st, 2011 11:18am

OK, well I have done a little more reading and I am under the impression that in scenarios where we need to recover the encrypted data, I will have to import the private key to the local workstation where the data is and log on with the account of the DRA, or I can transfer the file using something like Windows Backup. I can't just do a straight copy and paste or open it from across the network. Am I correct? http://support.microsoft.com/kb/223178 is where I got that idea from.

Now a bigger issue is, I went to export the private key of the Administrator from my DC, but the certificate export wizard says "Note: The associated private key cannot be found." But if I open the certificate by double-clicking it, it says "You have a private key that corresponds to this certificate." I have 2 certificates for file recovery on this DC, one was self-signed before I put in a CA and the other was issued from the CA, and both give me this error. What gives? Thanks again.
January 21st, 2011 1:24pm

Do not trust the GUI. Run

certutil -verifystore -user my

This will tell you if you have the private key (no GUI magic).

1) You need to log in at the workstation with the cert in your profile, or you need to go through the pain of backup and restore, or
2) Do it properly from the start, and implement Key Recovery Agents in the PKI and archive the EFS certificates and their private keys.

I would never tell a customer to use option 1 as it is an 11-year-old option. Anyone who has deployed Windows Server 2003 or higher PKI will always go with option 2.

Brian
January 21st, 2011 2:15pm
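The check Brian recommends, done from PowerShell instead of certutil, as an added example that is not part of the original thread. It walks the current user's Personal store, picks out certificates carrying the File Recovery EKU (the OID EFS DRA certificates use), and then actually opens the private key container rather than trusting the "You have a private key" text in the certificate GUI. A dangling key link, which is what the export wizard reports as "cannot be found", shows up here as an exception. Assumptions: Windows PowerShell 2.0 or later (Server 2008 R2) and a DRA key held by a legacy CSP, which is the normal case for these certificates; CNG-held keys are reported separately because the legacy PrivateKey property cannot open them.

```powershell
# Added example (not from the thread): find File Recovery certs in CurrentUser\My and
# test whether each private key can really be opened, the way certutil -verifystore does.
# Assumes Windows PowerShell 2.0+; the EKU OID below is the standard EFS File Recovery OID.

function Get-EfsRecoveryKeyStatus {
    $efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (EFS DRA certificates)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $isRecovery = $false
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($oid.Value -eq $efsRecoveryOid) { $isRecovery = $true }
                    }
                }
            }
            if (-not $isRecovery) { continue }

            # HasPrivateKey only says a key *link* exists (this is what the GUI shows).
            # Reading PrivateKey makes the CSP open the key container; a stale link throws.
            $status = 'no private key link'
            $exportable = $null
            if ($cert.HasPrivateKey) {
                try {
                    $key = $cert.PrivateKey
                    if ($key -eq $null) {
                        $status = 'key link present but held by a CNG provider; use certutil -verifystore'
                    } else {
                        $info = $key.CspKeyContainerInfo
                        $exportable = $info.Exportable
                        $status = 'private key opened (container ' + $info.UniqueKeyContainerName + ')'
                    }
                } catch {
                    # Typical message here is "Keyset does not exist": the link points nowhere.
                    $status = 'key link present but container cannot be opened: ' + $_.Exception.Message
                }
            }

            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Status     = $status
                Exportable = $exportable
            }
        }
    } finally {
        $store.Close()
    }
}

Get-EfsRecoveryKeyStatus | Format-List Subject, Thumbprint, NotAfter, Exportable, Status
```

A certificate whose Status says the container cannot be opened is exactly the "private key cannot be found" case from the export wizard, and no amount of GUI retries will fix it; only a backup of the PFX or a re-issued DRA certificate (as the poster eventually did) helps. When the key does open and Exportable is True, certutil can export it for safekeeping with `certutil -user -exportPFX My <thumbprint> dra.pfx` (it prompts for a PFX password); the pipeline form is not needed.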

Thanks for your help Brian. My concern is, I should have the private key. This is the first and only domain controller in the domain. That means it should store the default EFS recovery agent's private key for the domain right? I installed another DC for a new domain on a new VM just to test, and I was able to export the private key from there so I am wondering if somehow the Administrator profile got corrupted possibly on this VM?
January 21st, 2011 2:20pm

And if it is corrupted, it is pretty much a goner.

Brian
January 22nd, 2011 12:07pm

Yes, I'm not sure what went flaky and where, but I was able to create another DRA in Group Policy for the Administrator from the DC, and I had my CA online this time so it got a cert from there. I checked and made sure I could export the key and it worked fine.

Brian, I hope you could clear up some confusion on a related point for me. I started this whole exercise not really concerned about the private keys for the DRAs because I know they should be backed up or I can use key archival with a CA, but I was looking at what to expect when working with EFS, specifically moving and accessing files. I've found from experimentation that:

1) I cannot open or copy EFS files on a remote machine using Windows Explorer even if I have a private key that can decrypt the file on the local workstation that I am using to connect to the remote machine.
2) I thought I would be able to copy an EFS file located on a remote machine to my workstation using robocopy /efsraw, but I get an error message that "The file could not be encrypted."
3) I cannot even copy the file using a LiveCD like Ubuntu.

Seems a bit troubling to me if I was in a situation where the Windows installation may be hosed and I just need to grab data. Any ideas how to work around a situation like that? Other than have good backups :) Is what I've found normal behavior? Thank you for your help!
January 22nd, 2011 5:03pm

Hi,

This article may help: Encrypting File System in Windows XP and Windows Server 2003
http://technet.microsoft.com/en-us/library/bb457065(printer).aspx

Please note that:

"When files are stored on file shares, all EFS operations occur on the computer on which the files are stored. For example, if a user connects to a network file share and chooses to open a file that he or she previously encrypted, the file is decrypted on the computer on which the file is stored and then transmitted in plaintext over the network to the user's computer. Remote encryption requires that a user's certificate and private key be loaded in a local profile on the server for encryption and decryption operations."
January 26th, 2011 2:51am
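The local recovery path that the thread converges on (KB 223178, Brian's option 1, and the TechNet note that EFS always decrypts on the host of the file), written out as an added PowerShell example that is not part of the original thread. It is meant to be run on the machine that stores the encrypted file, logged on as the account that will receive the DRA key: it refuses UNC paths (decrypting those would need the key in a profile on the remote host, not here), imports the DRA PFX into the current user's Personal store with certutil, shows which users and recovery agents are stamped on the file with cipher /c, and then decrypts in place through the same Win32 DecryptFile call Explorer uses. The PFX and target paths are placeholders; the failure branch is the access-denied case the original poster hit.

```powershell
# Added example (not from the thread): recover an EFS file locally with a DRA key.
# Assumptions (placeholders): the exported DRA key is at C:\recovery\dra.pfx and the
# file to recover is C:\Users\alice\Documents\secret.docx. Run on the machine that holds
# the file, as the user who should hold the DRA key. Needs certutil.exe and cipher.exe,
# both shipped with Windows.

param(
    [string]$PfxPath = 'C:\recovery\dra.pfx',
    [string]$Target  = 'C:\Users\alice\Documents\secret.docx'
)

function Test-IsEfsEncrypted([string]$Path) {
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. EFS decrypts on the computer that stores the file, so a UNC target cannot be
#    recovered from here: the DRA key would have to sit in a profile on that host.
if ($Target -match '^\\\\') {
    throw "'$Target' is a UNC path; run this on the machine that stores the file."
}
if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "DRA PFX not found at '$PfxPath'."
}
if (-not (Test-IsEfsEncrypted $Target)) {
    "'$Target' does not carry the Encrypted attribute; nothing to recover."
    return
}

# 2. Import the DRA certificate and private key into CurrentUser\My.
#    -user targets the current user's store; certutil prompts for the PFX password.
& certutil -user -importPFX $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed (exit code $LASTEXITCODE)." }

# 3. List the users and recovery agents whose keys can open this file. The DRA cert
#    just imported must appear under "Recovery Certificates" or step 4 will fail.
& cipher /c $Target

# 4. Decrypt in place. File.Decrypt wraps DecryptFile; access denied means the current
#    profile holds none of the keys cipher /c listed (wrong account, or the key did not
#    actually import), which is the same error Explorer shows.
try {
    [System.IO.File]::Decrypt($Target)
    if (Test-IsEfsEncrypted $Target) { throw "'$Target' still carries the Encrypted attribute." }
    "Recovered: '$Target' is now stored in plaintext."
} catch [System.UnauthorizedAccessException] {
    "Decrypt of '$Target' failed with access denied: the current profile cannot open any key listed for this file."
}
```

Once the file is plaintext it can be copied anywhere, including across the network, which is the part the original poster could not do while it was still encrypted. If the Windows installation on the client is not bootable at all, this route is closed: the raw EFS blob copied off the disk (or via robocopy /efsraw on a working install) is still decryptable, but only once it is placed back on an NTFS volume of a running Windows system whose logged-on profile holds the DRA key.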
