Q

EFS recovery agent cannot export private keys

I am currently trying to recover private keys for EFS recovery. I see several questions posed to you regarding this. My situation is a little unique, though.

I originally saved a file and marked it for encryption while logged in as the domain administrator. So the original encrypting user and the recovery agent are one and the same.

Subsequently, I also had a giant distributed file system (DFS)/file replication service (FRS) mess here with redirected application settings folders, the result of which was that many users' profiles were at least partially lost. The user "administrator" was one such user. However, I have tape backups of all the application settings folders from the server before this happened.

Looking at Microsoft KB article 259732, EFS recovery agent cannot export private keys, I concluded that this profile mishap is the cause of my current inability to decrypt this file. I have tried to restore the relevant parts of the profile, but it hasn't yet made a difference.

I'm hoping you can give me some hope and direction. One thing I've discovered that may be of significance is that if I log on as the domain administrator and run the certificates snap-in in MMC, I can see a file recovery certificate, and exporting it allows me to include the private key. However, following the procedure in KB article 241201, Back up the recovery agent Encrypting File System private key in Windows 2000, I see a file recovery certificate also, but when I try to export the private keys, I get the symptoms described in EFS recovery agent cannot export private keys.

Thanks so very much for any help you can provide.

You need to examine the files and determine which certificate was used. When you create a new domain administrator profile, a new certificate is created -- this may be the certificate you are seeing, and of course, it won't work. You can use the resource kit tool EFSINFO.EXE to discover the identifying information on the certificate you need and see if this is the case (that the new cert does not match).

If you have good system backups (that is, if you have a system state backup) you can restore it to a new machine, copy the encrypted files there, log on as domain administrator and recover your files. If you do not have a system state backup, but think you have all of the profile, you may be able to restore this information and recover the file. You see, if the profile is corrupt, and if it is partial, the system will see it as corrupt and a new profile will be built.
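The check the expert describes, comparing the certificate recorded in the encrypted file against the certificates actually present in the logged-on profile, can be scripted on later Windows versions. The following is an added example and not part of the original Q&A or of any Microsoft tool: it reads the thumbprints from the built-in `cipher /c` (Windows XP / Server 2003 and later; on Windows 2000 the Resource Kit EFSINFO.EXE fills the same role but prints a different format) and looks each one up in the current user's personal store. The function names, the assumed `Certificate thumbprint:` line format and the sample path are the example's own.

```powershell
# Added example (not from the original Q&A): given an EFS-encrypted file,
# list the certificate thumbprints EFS recorded for it and check whether any
# of them is present in the current user's profile with its private key.
# Run it while logged on as the account you believe is the recovery agent.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path            # e.g. C:\data\secret.txt (assumed sample path)
)

function Get-EfsThumbprints {
    param([string]$File)
    # Assumption: "cipher /c" prints one "Certificate thumbprint: XXXX XXXX ..."
    # line per user who can decrypt and per recovery certificate; the spaces
    # are only display grouping, so they are stripped before comparison.
    $out = & cipher.exe /c $File 2>&1 | Out-String
    $regex = [regex]'Certificate thumbprint:\s*([0-9A-Fa-f][0-9A-Fa-f ]+)'
    $regex.Matches($out) | ForEach-Object {
        ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant()
    } | Sort-Object -Unique
}

function Find-EfsKeyStatus {
    param([string[]]$Thumbprints)
    # Enhanced key usage OIDs that identify EFS certificates:
    #   1.3.6.1.4.1.311.10.3.4   = Encrypting File System (user)
    #   1.3.6.1.4.1.311.10.3.4.1 = File Recovery (recovery agent)
    $efsOids = '1.3.6.1.4.1.311.10.3.4', '1.3.6.1.4.1.311.10.3.4.1'
    $store = Get-ChildItem Cert:\CurrentUser\My
    foreach ($tp in $Thumbprints) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        $usage = ''
        if ($cert) {
            $usage = ($cert.EnhancedKeyUsageList.ObjectId |
                      Where-Object { $efsOids -contains $_ }) -join ','
        }
        [pscustomobject]@{
            Thumbprint    = $tp
            InProfile     = [bool]$cert          # cert exists in this profile at all
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
            EfsUsage      = $usage               # which EFS role the cert carries
        }
    }
}

$thumbprints = Get-EfsThumbprints -File $Path
if (-not $thumbprints) {
    Write-Warning "No EFS certificate thumbprints found for $Path (is it actually encrypted?)"
    return
}
Find-EfsKeyStatus -Thumbprints $thumbprints | Format-Table -AutoSize
```

A row with `InProfile` and `HasPrivateKey` both true means this logon can decrypt the file. A row with `InProfile` false is the situation the answer describes: the thumbprint EFS stored does not match any certificate in the profile that was rebuilt, so that thumbprint is the one to search for in the profile backup (or in the system state restored to a separate machine) before expecting the export to succeed.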

This was first published in March 2003
