How do I remove EFS encryption from a set of files?
Hello,
We've recently installed a new branch office with a Windows SBS 2008 server. Somehow a group of files have become encrypted with EFS. The files are encrypted with a number of users' keys. I've disabled EFS in group policy now as it's not appropriate for this environment and we don't want users encrypting files by accident (which seems to have been the case here?).
I've been struggling to find out how to remove the encryption. I've got as far as using the cipher.exe tool. When I run:
cipher /d /a
In the affected area I receive "Access is Denied". Looking at a particular file using cipher /c I can see that the domain user is listed under the "Users who can decrypt" heading, and that the domain administrator is listed under "Recovery agents". So, I understand this to mean that I cannot decrypt the files until I somehow add another user to the list of decrypting users?
How do I go about this? I can't seem to find any good documentation from my numerous searches.
Thanks!
May 31st, 2011 4:27pm
Most of your EFS information will come from Windows XP and Windows Server 2003 documentation.
Because the admin can only recover the key, the admin must recover the keys and then use the recovered keys to decrypt the files.
Encrypting File System
http://technet.microsoft.com/en-us/library/cc700811.aspx
5 Minute Security Advisor - Recovery Encrypted Data using EFS
http://technet.microsoft.com/en-us/library/cc722672.aspx
Because it uses a measure of public key cryptography and symmetric key encryption, you should have at least a 200-300 level knowledge of PKI to accomplish the tasks outlined in the recovery process.
Best Regards, Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
Microsoft® Community Contributor Award 2011
This posting is "as is" without warranties and confers no rights.
May 31st, 2011 5:06pm
On Tue, 31 May 2011 14:06:20 +0000, Steve Kline wrote:
> Most of your EFS information will come from Windows XP and Windows Server 2003 documentation.
> Because the admin can only recover the key, the admin must recover the keys and then use the recovered keys to decrypt the files.
This is not the case and you're not reading the material correctly. There is a big difference in EFS between a data recovery agent (which is what the Domain Admin referred to in the original post is) and a key recovery agent (which is what you're referring to). The data recovery agent can decrypt any EFS encrypted file in the Enterprise. A key recovery agent is only used in the second half of a key recovery operation from Certificate Services, which is not what is going on here. A key recovery agent is not listed when you run cipher /c; that lists the data recovery agent. In a domain environment, the default data recovery agent is the first Administrator account on the first domain controller installed.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Thrashing is just virtual crashing.
May 31st, 2011 5:16pm
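The procedure the reply above implies, as an added PowerShell example (not code from either poster): log on as the account that holds the data recovery agent (DRA) certificate and its private key, confirm that key is actually present (if it is not, cipher /d returns "Access is denied" exactly as in the original post), enumerate the files carrying the Encrypted attribute, and run cipher /d on each, re-reading the attribute afterwards to confirm the result rather than trusting cipher's exit code. The folder path is hypothetical; cipher.exe, the Cert: drive and the File Recovery EKU OID are real.

```powershell
# Added example, not from the original thread. Assumes you are logged on as the
# EFS data recovery agent (by default the first Administrator on the first DC)
# and that the DRA certificate WITH its private key is in that logon's
# personal store. $Root is a hypothetical path. Written for PowerShell 2.0
# (SBS 2008 era), so no -File switch or [pscustomobject].
param(
    [string]$Root = 'D:\Shares\Finance'   # hypothetical: the affected folder
)

# "File Recovery" enhanced key usage; this is what marks a DRA certificate.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

# 1. Check this logon holds a DRA certificate with a private key. Without it,
#    cipher /d will be denied even for a Domain Admin.
$draCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $cert.HasPrivateKey -and (
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $FileRecoveryEku }
    )
}
if (-not $draCerts) {
    Write-Warning "No File Recovery certificate with a private key in $env:USERNAME's store; cipher /d will report Access is denied."
} else {
    Write-Host ("DRA certificate(s) present: " + (($draCerts | ForEach-Object { $_.Thumbprint }) -join ', '))
}

# 2. Find encrypted files by attribute instead of running cipher on everything.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -Force | Where-Object {
    (-not $_.PSIsContainer) -and ($_.Attributes -band [IO.FileAttributes]::Encrypted)
})
Write-Host ("{0} encrypted file(s) under {1}" -f $encrypted.Count, $Root)

# 3. For each file: record who can decrypt it and who the recovery agents are
#    (cipher /c), attempt decryption (cipher /d /a), then re-read the attribute.
$results = foreach ($f in $encrypted) {
    $info    = & cipher.exe /c $f.FullName 2>&1
    $outcome = & cipher.exe /d /a $f.FullName 2>&1
    $still   = (Get-Item -LiteralPath $f.FullName -Force).Attributes -band [IO.FileAttributes]::Encrypted
    New-Object PSObject -Property @{
        File       = $f.FullName
        Decrypted  = [bool](-not $still)
        CipherInfo = ($info -join ' ')      # "Users who can decrypt" / "Recovery agents"
        Detail     = ($outcome -join ' ')   # e.g. "Access is denied." on failure
    }
}
$results | Format-Table File, Decrypted, Detail -AutoSize
$results | Where-Object { -not $_.Decrypted } | ForEach-Object { Write-Warning ("Still encrypted: " + $_.File) }
```

The point of step 1 is that membership in Domain Admins is irrelevant to EFS: what matters is whether the logon doing the decryption can use the private key of one of the identities cipher /c lists, and the DRA's private key normally lives only in the profile of the account that was the DRA when the files were encrypted. If the files are on a member server rather than the DC that holds that profile, export the DRA certificate with its private key from there and import it into the account you will use on the file server before running the script.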