I originally saved a file and marked it for encryption while logged in as the domain administrator. So the original encrypting user and the recovery agent are one in the same.
Subsequently, I also had a giant distributed file system (DFS)/file replication service (FRS) mess here with redirected application settings folders, the result of which was that many users' profiles were at least partially lost. The user "administrator" was one such user. However, I have tape backups of all the application settings folders from the server before this happened.
Looking at Microsoft KB article 259732, EFS recovery agent cannot export private keys, I concluded that this profile mishap is the cause of my current inability to decrypt this file. I have tried to restore the relevant parts of the profile, but it hasn't yet made a difference.
I'm hoping you can give me some hope and direction. One thing I've discovered that may be of significance is that if I log on as the domain administrator and run the certificates snap-in in MMC, I can see a file recovery certificate, and exporting it allows me to include the private key. However, following the procedure in KB article 241201, Back up the recovery agent Encrypting File System private key in Windows 2000, I see a file recovery certificate also, but when I try to export the private keys, I get the symptoms described in EFS recovery agent cannot export private keys.
Thanks so very much for any help you can provide.
If you have good system backups (that is, if you have a system state backup) you can restore it to a new machine, copy the encrypted files there, log on as domain administrator and recover your files. If you do not have a system state backup, but think you have all of the profile, you may be able to restore this information and recover the file. You see, if the profile is corrupt, and if it is partial, the system will see it as corrupt and a new profile will be built.
This was first published in March 2003