How to decrypt a file when the user is gone?

How to decrypt a file that was encrypted by another user on WinXP that's part of a domain?

I used group policy on the domain to create a Data Recovery Agent (DRA) and then logged in to the PC as the domain admin, but still can't decrypt the file. Am I missing something?

I suspect the DRA was supposed to be created 'before' encryption took place.

Does DRA work to recover files local drives, e.g. C or just files on a network share?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

skrpune

binarysoul wrote: »

I suspect the DRA was supposed to be created 'before' encryption took place.

I believe you're right...that seems to be what they're saying here.

Is the user profile still in existance/active? Have you tried to reset the password & log on as that user?

astorrs

Yup a DRA should be the 1st thing created after enabling EFS. If the account has been deleted and there wasn't a DRA in place when the file was created your only option would be to restore AD from a backup when the user existed and try to unencrypt the file once you've restored the account -sorry it basically amounts to a lot of work

binarysoul

Thanks guys

I will pass on trying to decrypt the file (will try the backup route). But now I want to test DRA.

On a PC C:\ drive, I just encrypted a file under a different username and then logged in as the domain admin, but I can't decrypt it, i.e. I can't take the "encrypt" checkmark from the file.

rwwest7

You also needed to check the "archive subjects encryption key" box on the Request Handling tab of the properties for the template that was used to issue him his certificate.

They didn't teach you this for your Superman cert?

Tyrant1919

Definately a prereq for superman status I believe.

blargoe

astorrs wrote: »

Yup a DRA should be the 1st thing created after enabling EFS. If the account has been deleted and there wasn't a DRA in place when the file was created your only option would be to restore AD from a backup when the user existed and try to unencrypt the file once you've restored the account -sorry it basically amounts to a lot of work

Corollary to astorr's comment. If you aren't planning on officially supporting EFS in your domain, you don't have a CA, etc... DISABLE EFS in your group policy at the domain level... or you're opening yourself to having a savvy employee encrypt a bunch of files that no one will be able to open once they're gone (I believe, only local administrator on that machine could recover them by default). I've seen that scenario cost a company hundreds of thousands of dollars because an employee encrypted a bunch of files they needed in a law suit, then his account was modified (changed password, deleted, something to that effect)

djhss68

blargoe wrote: »

Corollary to astorr's comment. If you aren't planning on officially supporting EFS in your domain, you don't have a CA, etc... DISABLE EFS in your group policy at the domain level... or you're opening yourself to having a savvy employee encrypt a bunch of files that no one will be able to open once they're gone (I believe, only local administrator on that machine could recover them by default). I've seen that scenario cost a company hundreds of thousands of dollars because an employee encrypted a bunch of files they needed in a law suit, then his account was modified (changed password, deleted, something to that effect)

Wow.

That's all I have to say.

vintage_69

I thought there was always a default recovery agent in a Windows domain and you needed to either export the dra key to the encrypted file location or backup and restore the encrypted file to the machine with the dra key.

Like others I keep EFS disabled in the network I manage, one less headache.

rwwest7

vintage_69 wrote: »

I thought there was always a default recovery agent in a Windows domain and you needed to either export the dra key to the encrypted file location or backup and restore the encrypted file to the machine with the dra key.

Like others I keep EFS disabled in the network I manage, one less headache.

This default recovery agent is what allows users to encrypt files, however by default you can't actually do any recovering until you make further configurations. This is why you should disable EFS until you know exactly what you're doing.