decrypt, or change password?

Ive seen tons of questions regarding discruntaled employee's who encrypt files and leave the company, but ive seen different versions of what to do. Should you log on as a Recovery Agent and decrypt? or just change his password and access them in his profile?

Find more posts tagged with

Comments

cheeblie

I'm pretty sure you would first disable his account. Then you would login as a Recovery Agent and decrypt the files. I believe that is how Microsoft views the situation as far as the test is concerned.

Cheeblie

pandimus

sounds resonable to me..

Lexxdymondz

I'm pretty sure that you would only change the password if someone was filling in the job postion ie...

Bob has encrytped his fiscal year earnings statement then left the company. Jane will be filling in for Bob now that he is gone and needs these files for her meeting. What is the easiest/fastest way for jane to get these files?

That would be to reset the password.

If the admin or someone else needs the files, but won't be taking over the postion use the Recovery agent.

Any comments from anyone else would be appreciated.

pandimus

Yeah i finally figured out the difference in the middle of the night..

Needless to say I passed the 70-210 today, definitly a different test.

Webmaster

Congratulations Pandimus!

Bob has encrytped his fiscal year earnings statement then left the company. Jane will be filling in for Bob now that he is gone and needs these files for her meeting. What is the easiest/fastest way for jane to get these files?

That would be to reset the password.

A slightly different method, but as easy, and what is usually done when this would be a real world scenario(an employee leaving the company and username is based on the employee's name), is rename the username, reset the password, and "enable change password at next logon". (I have to admit I never tried it on Windows 2000 with EFS... used to work fine on NT 4

) This will allow the new employee to access the same resources without an admin having to assign permissions and join groups, again..

But when it comes to MS questions, I'm quite sure the answer is always "logon as a recovery agent", unless you are the user... in that case "you can recover an encrypted file or folder yourself if you have kept a backup copy of your file encryption certificate and private key in a .pfx file format on a floppy disk." which would be the preferred method... from a user's perspective.

www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp

pandimus

Yeah that is fine if you are transfering files to a new employee. But if the old employee leaves and you transfer those files to the boss, you will have to decrypt them first.. I guess that is what i am getting from it.

Thanks webmaster..

Next on to the 215..

Webmaster

Yeah I agree, if the files go to anyone else than the new employee, and admin, hence a recovery agent, will have to do it.

Have fun with 215.