How to decrypt a file when the user is gone?
binarysoul
How to decrypt a file that was encrypted by another user on WinXP that's part of a domain?
I used group policy on the domain to create a Data Recovery Agent (DRA) and then logged in to the PC as the domain admin, but still can't decrypt the file. Am I missing something?
I suspect the DRA was supposed to be created 'before' encryption took place.
Does DRA work to recover files on local drives, e.g. C, or just files on a network share?
Comments
-
skrpune
binarysoul wrote: » I suspect the DRA was supposed to be created 'before' encryption took place.
Is the user profile still in existence/active? Have you tried to reset the password & log on as that user?
-
astorrs
Yup, a DRA should be the 1st thing created after enabling EFS. If the account has been deleted and there wasn't a DRA in place when the file was created, your only option would be to restore AD from a backup when the user existed and try to unencrypt the file once you've restored the account - sorry, it basically amounts to a lot of work.
-
binarysoul
Thanks guys
I will pass on trying to decrypt the file (will try the backup route). But now I want to test DRA.
On a PC C:\ drive, I just encrypted a file under a different username and then logged in as the domain admin, but I can't decrypt it, i.e. I can't take the "encrypt" checkmark from the file.
-
rwwest7
You also needed to check the "archive subjects encryption key" box on the Request Handling tab of the properties for the template that was used to issue him his certificate.
They didn't teach you this for your Superman cert?
-
Tyrant1919
Definitely a prereq for superman status I believe.
-
blargoe
astorrs wrote: » Yup, a DRA should be the 1st thing created after enabling EFS. If the account has been deleted and there wasn't a DRA in place when the file was created, your only option would be to restore AD from a backup when the user existed and try to unencrypt the file once you've restored the account - sorry, it basically amounts to a lot of work.
Corollary to astorrs's comment. If you aren't planning on officially supporting EFS in your domain, you don't have a CA, etc... DISABLE EFS in your group policy at the domain level... or you're opening yourself to having a savvy employee encrypt a bunch of files that no one will be able to open once they're gone (I believe, only local administrator on that machine could recover them by default). I've seen that scenario cost a company hundreds of thousands of dollars because an employee encrypted a bunch of files they needed in a lawsuit, then his account was modified (changed password, deleted, something to that effect).
-
djhss68
blargoe wrote: » Corollary to astorrs's comment. If you aren't planning on officially supporting EFS in your domain, you don't have a CA, etc... DISABLE EFS in your group policy at the domain level... or you're opening yourself to having a savvy employee encrypt a bunch of files that no one will be able to open once they're gone (I believe, only local administrator on that machine could recover them by default). I've seen that scenario cost a company hundreds of thousands of dollars because an employee encrypted a bunch of files they needed in a lawsuit, then his account was modified (changed password, deleted, something to that effect).
That's all I have to say.
-
vintage_69
I thought there was always a default recovery agent in a Windows domain and you needed to either export the DRA key to the encrypted file location or back up and restore the encrypted file to the machine with the DRA key.
Like others I keep EFS disabled in the network I manage, one less headache.
-
rwwest7
vintage_69 wrote: » I thought there was always a default recovery agent in a Windows domain and you needed to either export the DRA key to the encrypted file location or back up and restore the encrypted file to the machine with the DRA key.
Like others I keep EFS disabled in the network I manage, one less headache.
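
Added example, not part of any post in this thread: a PowerShell audit that lists EFS-encrypted files whose recovery certificates do not include your DRA, which is the situation the thread describes when files are encrypted before a DRA exists. It assumes Windows Vista or later (`cipher /c` is not available on XP) and English `cipher.exe` output; the function names, the sample output, the path and the thumbprint are hypothetical or constructed.

```powershell
# Added example, not code from the thread. Assumes Windows Vista or later
# and English cipher.exe output; function names are hypothetical.
function Get-EfsRecoveryThumbprint {
    param([string[]]$CipherOutput)
    # Emit only thumbprints listed under "Recovery Certificates:",
    # ignoring those listed under "Users who can decrypt:".
    $inRecovery = $false
    foreach ($line in $CipherOutput) {
        $t = $line.Trim()
        if ($t -match '^Recovery Certificates?:') { $inRecovery = $true }
        elseif ($t -match '^(Users who can decrypt|Key Information|Compatibility Level):') {
            $inRecovery = $false
        }
        elseif ($inRecovery -and $t -match '^Certificate thumbprint:\s*(.+)$') {
            ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
}

function Find-EfsFileWithoutDra {
    param([string]$Root, [string]$DraThumbprint)
    $want = ($DraThumbprint -replace '\s', '').ToUpper()
    # Walk only files that carry the Encrypted attribute.
    Get-ChildItem -Path $Root -Recurse -File -Attributes Encrypted | ForEach-Object {
        $tp = @(Get-EfsRecoveryThumbprint -CipherOutput (& cipher.exe /c $_.FullName))
        if ($tp -notcontains $want) {
            [pscustomobject]@{ File = $_.FullName; RecoveryCerts = $tp.Count }
        }
    }
}

# Constructed sample of `cipher /c` output (names and thumbprint are made up):
# a file encrypted before any DRA was configured lists no recovery certificate.
$sample = @'
E report.docx
  Users who can decrypt:
    CORP\jdoe [jdoe(jdoe@CORP)]
    Certificate thumbprint: 11AA 22BB 33CC 44DD 55EE 66FF 7788 99AA BBCC DDEE
  Recovery Certificates:
    No recovery certificate found.
  Key Information:
    Algorithm: AES
'@ -split '\r?\n'
# The user's own thumbprint is not counted as a recovery certificate.
@(Get-EfsRecoveryThumbprint -CipherOutput $sample).Count

# Real use (hypothetical path; placeholder for your DRA certificate thumbprint):
# Find-EfsFileWithoutDra -Root 'D:\Shares' -DraThumbprint '<DRA-CERT-THUMBPRINT>'
```

Files that this reports can only pick up a newly configured DRA while someone who can still decrypt them is available: running `cipher /u` as that user updates the recovery agent keys on their encrypted files on local drives.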