
I have some files on the drive of a domain controller running Windows Server 2008 R2 which are encrypted via EFS. The user that originally encrypted the files no longer exists. When I look at the encryption details for these files it says that there is a recovery certificate for "Administrator(Administrator@MYDOMAIN)" with the certificate thumbprint "0123 4567 89AB...".

I am logged in as the above Administrator and when I open MMC and add the Certificates Snap-in I can see that I have a "File recovery" certificate with the thumbprint "0123 4567 89AB..." which is "enabled for all purposes".

I have checked the permissions on the files and the Administrator account has full access, except for the "Special permissions" box which is disabled.

Yet when I try to open, copy, or decrypt the files, I get an "Access is denied" error. E.g.

C:\Directory>cipher /d file.docx

 Decrypting files in C:\Directory\

file.docx [ERR]
file.docx: Access is denied.

0 file(s) [or directorie(s)] within 1 directorie(s) were decrypted.

What do I need to do to decrypt these files?

DanielGibbs
  • Is the fact the files are encrypted in the first place something you did on purpose? – Ramhound May 11 '18 at 09:12
  • No, they are some files that were (presumably) encrypted by a user that has since left the organisation. – DanielGibbs May 11 '18 at 09:39
  • At any point, did you reset the password of the account the certificate belongs to? You can only change an account's password with the same account; if you reset the account's password with another account, that complicates things – Ramhound May 11 '18 at 09:46
  • The original owner’s account has since been deleted. – DanielGibbs May 11 '18 at 10:36
  • You didn’t mention that in your question – Ramhound May 11 '18 at 11:12
  • Sorry, I didn't think it was relevant since the file lists the domain administrator as one of the recovery certificates. – DanielGibbs May 11 '18 at 12:20
  • This is not a duplicate of the linked question. The error message I am getting is different and the solution does not solve my problem. – DanielGibbs May 11 '18 at 12:23
  • The fact the original account owner was deleted is indeed irrelevant since you're not using that account's cert to decrypt. Have you confirmed you have NTFS permissions to access the file? Did you try copying the file to another folder and then decrypting it? – I say Reinstate Monica May 11 '18 at 12:46
  • If by NTFS permissions you mean the "Permissions" tab, then yes I have all permissions except "Special Permissions", which is disabled. I tried copying the file but it gave me an Access Denied error when I tried. – DanielGibbs May 11 '18 at 22:45
  • I'm in the very same situation. Any clue? – Disti Dec 04 '20 at 08:20

0 Answers