MMC Security Policies and NTFS security

By Unicornrider ·
I use W2K Pro at home on a DELL XPS-500 PC with two hard drives, one 9G and the other 20G. Up until recently I had two accounts running on it, one for me and one for my wife (who now has her own laptop). In the spirit of learning and experimentation I locked down my two document folders (on the second HD) using MMC Security Policy snap-ins. Everything worked fine. Fine, that is, until I ran out of room on my C drive and decided to rebuild it to remove my Win 98 partition (which I never really used) and make one big C partition out of many smaller ones on the 9G HD. During the rebuild I placed all my other folders on the \ for easy backup and recovery purposes. However, I forgot that I had locked down those two document folders when I proceeded to rebuild my C. Everything worked fine until I went to recover the files from those two folders and found out that the encryption bit was set and nothing I tried could clear it. Now the files are locked down so even I, using the administrator account, can't get at them no matter what I try. I'll give 2000 points to anyone who can help me clear the encryption bit on these two folders and their files. I have tried numerous NTFS and MMC security settings but to no avail. I need those documents back.

MMC Security Policies and NTFS security

by Curacao_Dejavu In reply to MMC Security Policies and ...

Check the MS KB Article I Q230490

The best is to join a w2k domain (dual-boot your wife's laptop with w2k advanced server) and let a recovery agent recover the files.


SUMMARY
The Encrypting File System (EFS) supports data recovery by allowing recovery agents to recover file encryption keys (FEKs) and decrypt users' files. The Encrypted Data Recovery policy (EDRP) is configurable for both a domain and a stand-alone server and must be configured by an administrator.

Once the EDRP is configured, it can be updated to specify who can recover FEKs in the event that a user's private key becomes unavailable or unusable. This may occur when an individual user account becomes damaged, is deleted, or becomes otherwise unusable. Multiple recovery agents can be configured, and in no case is any user's private key revealed to a recovery agent. When a user's private key becomes unavailable, an agent can use his or her private key to decrypt the FEK that was originally used in the file encryption process. After the FEK is obtained, the recovery agent can then decrypt the user's file.


MORE INFORMATION
To assist in FEK recovery, each FEK is encrypted with all public keys in the EDRP. Each encrypted FEK is stored in the Data Recovery field (DRF) containing the FEK created when a file is encrypted. If there is one recovery agent, there is one DRF for each encrypted file. When there are two recovery agents, there are two DRFs for each encrypted file, and so on.

more to come

Leopold
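The key-wrapping structure the quoted KB text describes, as an added example that is not part of the original thread or of Microsoft's code. It is a structural model only: textbook RSA over fixed primes and a SHA-256 keystream stand in for the real certificate keys and file cipher, DDF (Data Decryption Field) is the EFS name for the user's wrapped copy of the FEK, and every function and key name is hypothetical. It shows why a surviving recovery agent private key opens the file, while an account recreated after a rebuild has a different key pair and cannot.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every model key pair

def make_keypair(p, q):
    """Textbook RSA from two fixed primes: a structural model, not secure crypto."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def stream_xor(key, data):
    """SHA-256 counter keystream, standing in for the symmetric file cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(pub, fek):
    """Encrypt the FEK to one public key (one DDF or DRF entry)."""
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap(priv, field):
    """Recover a 16-byte FEK candidate. Padded RSA would reject a wrong key;
    this model just returns a wrong FEK in that case."""
    n, d = priv
    return (pow(field, d, n) % 2**128).to_bytes(16, "big")

def efs_encrypt(plaintext, user_pub, agent_pubs):
    """One random FEK per file, wrapped once for the user and once per agent."""
    fek = secrets.token_bytes(16)
    return {"data": stream_xor(fek, plaintext),
            "ddf": wrap(user_pub, fek),
            "drf": [wrap(pub, fek) for pub in agent_pubs]}

def efs_decrypt(blob, priv, field):
    """Unwrap the FEK from one field with one private key, then decrypt."""
    return stream_xor(unwrap(priv, field), blob["data"])

# Constructed key pairs built from known Mersenne primes.
USER_PUB, USER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)    # original profile
AGENT_PUB, AGENT_PRIV = make_keypair(2**107 - 1, 2**61 - 1)  # recovery agent
NEW_PUB, NEW_PRIV = make_keypair(2**521 - 1, 2**607 - 1)     # same name, rebuilt OS

if __name__ == "__main__":
    blob = efs_encrypt(b"constructed sample document", USER_PUB, [AGENT_PUB])
    print(efs_decrypt(blob, USER_PRIV, blob["ddf"]))      # original user's key
    print(efs_decrypt(blob, AGENT_PRIV, blob["drf"][0]))  # recovery agent's key
    print(efs_decrypt(blob, NEW_PRIV, blob["ddf"]))       # recreated account: garbage
```

Changing NTFS permissions or ownership never touches the DDF or DRF, which is why only a private key that existed when the file was encrypted can recover it.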

MMC Security Policies and NTFS security

by Curacao_Dejavu In reply to MMC Security Policies and ...

rest:

The default on a stand-alone server includes only the local administrator in the EDRP. After the Dcpromo tool is used and a domain is realized, a default EDRP is created for the entire domain. At this point, all members of the domain participate in the EDRP. This policy uses a self-signed certificate to make the administrator account the recovery agent.

To make changes on a stand-alone server and add recovery agents:

1. Start the Microsoft Management Console (MMC).
2. Add the Group Policy snap-in for the local computer (this is the default Group Policy Object).
3. Open the following sections: Computer Configuration; Windows Settings; Security Settings; Public Key Policies; Encrypted Data Recovery Policy.
4. Right-click Encrypted Data Recovery Policy, and then click Add.
5. Follow the instructions in the wizard to add recovery agents.


To make changes to a domain structure and add recovery agents:

1. Start the Microsoft Management Console (MMC).
2. Add the Group Policy snap-in for the default domain policy. To do this, click Browse when you are prompted to select a Group Policy Object (GPO). You can also add GPOs for other domain partitions (specifically, Organizational Units).
3. Open the following sections: Computer Configuration; Windows Settings; Security Settings; Public Key Policies; Encrypted Data Recovery Policy.
4. Right-click Encrypted Data Recovery Policy, and then click Add.
5. Follow the instructions in the Wizard to add recovery agents.

MMC Security Policies and NTFS security

by Unicornrider In reply to MMC Security Policies and ...

The question was auto-closed by TechRepublic

MMC Security Policies and NTFS security

by maxwell edison In reply to MMC Security Policies and ...

You can do this with the Windows 2000 Recovery Console. The Recovery Console allows you to boot to a command prompt version of the OS and perform some basic recovery tasks.

Among those recovery tasks are:

"Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders"

See this link for the full details:

http://www.onecomputerguy.com/install/w2k_recovery_console.htm

>> REMOVE SPACES from the pasted URL <<

Good luck,

Maxwell

MMC Security Policies and NTFS security

by Unicornrider In reply to MMC Security Policies and ...

The question was auto-closed by TechRepublic

MMC Security Policies and NTFS security

by Unicornrider In reply to MMC Security Policies and ...

This question was auto closed due to inactivity
