EFS recovery problem


thiessendg@yahoo.com
December 5th 03, 07:49 PM
All,

Please note that I have read the FAQ...

Here is my problem, I have a Power User Account. I changed that
account to an Administrator. When I logged in, it forced me to change
the password. I simply changed it to its current password. I did my
thing, logged off, logged in to default admin, changed account back to
PU acct. Log out of Admin, log in to PU acct. and now I cannot access
EFS files.

After reading/research, I log on to account and use control panel to
change my password, change it to the password. Still no access to EFS
files.

Hmmm. Log on to admin, restore files from backup, still no access.

Hmmm. Use MMC and try to make sure that default admin is recovery
agent and he is not, no one is. So i try to add Admin acct as
Recovery agent, but, there is no *.cer file on local machine.

Any suggestions?

My understanding was, since the password changed, that is what screwed
up the EFS. But, according to the KB article, logging in as user and
changing password with control panel, I should have access to my EFS
files back.

I have a sinking feeling, but appreciate any suggestions...

Dave

Roger Abell [MVP]
December 5th 03, 07:49 PM
I am not sure at which point your EFS access was broken,
but here are some observations.

A recovery agent will only be of use if it was set up before
the files were encrypted or last touched. Doing this after
the fact will not assist in your current dilemma. You use
the commandline cipher utility to generate the needed
cert/key for the recovery agent. It is all in here
http://microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery

Since your account is now set with the same password as before,
and since changing the group memberships of an account should
have no impact on the operation of EFS, we need to figure out
what has happened to your account.
There is a tool, efsinfo.exe, that you can use to see what thumbprint
is associated with the encrypted files, and the account's current
certificate. You can get this by installing the Support Tools from
the similarly named directory of the Windows XP CD.
You should also use the Certificates mmc console to look at the
private certificates for EFS of the account in question - particularly
checking to see if there is more than one.

--
Roger


Peter Clark
December 5th 03, 07:51 PM
weird - remember a few weeks ago somebody posted a similar
story? i can't remember how it was resolved. changing
groups *should* _not_ affect efs.

yeah - check with efsinfo and check in your profile
folder\application data\microsoft\systemcertificates\ for a
matching filename. also check with certs in mmc.

if you're still stuck give us a yell.



Roger Abell [MVP]
December 5th 03, 07:52 PM
Hi Peter,

I must have missed the post to which you refer,
as this is the first I recall where change of group
is the main implicated action.

--
Roger


thiessendg@yahoo.com
December 5th 03, 07:52 PM
I think I have found part of the problem. For some reason it appears
that the account was renamed from Dave User to Dave. Maybe.

My profile path is still C:\...\Dave User\....

Also, I do have two personal certificates for this account, one for
user Dave, and one for Dave User from a while back, probably account
creation.

here is the mmc text export...
Issued To   Issued By   Expiration Date   Intended Purposes        Friendly Name   Status   Certificate Template
Dave        Dave        4/8/2103          Encrypting File System   <None>
Dave User   Dave User   8/7/2102          Encrypting File System   <None>

Another very strange problem. I cannot change the user password from
the user account. Says does not meet complexity requirements, etc.,
however, logging into admin and checking Local Security Policy,
password complexity is disabled!

Is there hope for recovering the files? Seems if I could just get
back to using the Dave User certificate, all would be well. However,
if I delete the dave cert, another one just gets created.



Roger Abell [MVP]
December 5th 03, 07:52 PM
Renaming an account should not cause these issues,
and when an account is renamed it is normal for the
profile area on disk to retain the name that existed
when the account was first logged into.

I would focus on getting the data back first, and then
on making the account function correctly. That you
are seeing a second EFS cert created when you have
deleted the new one and then try to use EFS is showing
that the older certificate is not being recognized as
usable (obviously!). I would first try, though doubt
it will work, exporting the older certificate, using the
Certificates snap-in when the account has the last
known working (for EFS) password and it is the only
certificate showing. If this works, I would then import
that EFS certificate with key into a newly defined local
account, and use that account to get the data stored in
the clear without EFS encryption.
If you are not able to export the certificate and key,
then think very hard over the recent history, focusing
on passwords. You have to have the account set to
use the correct password for the cert/key to be accessible
for EFS use.
Before you go too much further you may want to make
a backup using ntbackup.exe in which you include the
EFS encrypted files, your account's profile from Doc
and Settings, and the System State.

--
Roger


thiessendg@yahoo.com
December 5th 03, 07:53 PM
Roger,

Thanks for all the help so far. Obviously, I should have studied EFS
before enabling it, but, I had been using it for a year with no
problems. It only takes one time...

Anyway, I haven't checked, but, could this be an ownership issue also?
When I try to view the files encrypted with the thumbprint from the
Dave User cert, I get "Access Denied". I assume that message is sent
because of encryption, but, I got to wondering about ownership,
especially now since my account name is Dave for some reason.

Here is my plan of attack, in case that doesn't work. Use the
certificates mmc snap in, export the Dave User certificate (in *.p7b
format??), log in to admin, create new account, import cert to that
account, restore files from backup to that new account, try to
decrypt.

Does that sound right?

One note, again, the password was set from the Computer Management
Admin tool to the password it used to be, but, since there was no luck
with that, I log into acct and try to use the Control Panel and set
password from the account. It is not letting me though. Gives me the
business about complexity, etc., however, there is no policy for
complexity. :/

Seems this account is hosed, but, seems like I should still be able to
decrypt those files since I still have a cert with that thumbprint.

Suggestions/Comments?

V/R,
Dave


Peter Clark
December 5th 03, 07:54 PM
roger; no worry, it may have been in the 2ksecgroup or done
via email.



dave:

did you get a message like:

(with username)
logon message:
you are required to change your password at first logon.

this seems to break efs as it does not update the locking
file which secures your private/public keys. however you
can regain access by changing the password back to the
exact original - i guess you did?

renamed from "Dave User" to "Dave" - are you sure this is
not a username/fullname muddle? check with lusrmgr.msc -
username/fullname change should not affect efs as it uses
the user number.

the original cert could not be used - why??

01. password was not changed back to _exact_ original

02. some files are missing - for each cert in mmc, open -
is there a private that corresponds?
browse to doc&sets\%username\application
data\microsoft\protect\s-1-5-21-%machinesid%-%userno%
are there two guid(388bytes) and one preferred(24bytes)
named files present?

03. the file doc&sets\%username\application
data\microsoft\protect\credhist could be corrupt
it is possible to create new one.

"password must meet complexity requirements" = disabled may still
trigger such a prompt - are the other settings
0/42/0/0/disabled/disabled?
out of interest, is this machine with full updates, sp1 or
default install?

can you download filemon from sysinternals.com - run it and
try and access a file that you get the denied message for
and then save the log and email it over? this may help to
determine exactly where efs is falling over.


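The checks Roger and Peter list above (is there more than one EFS certificate in the Personal store, does each have a private key attached, are the DPAPI master-key and Preferred files present under Protect\<SID>, and which thumbprint was the encrypted file sealed to) as one PowerShell script. This is an added example, not code posted by anyone in this thread. It assumes Windows PowerShell 5.1 or later on a current Windows, so the profile path (%APPDATA%\Microsoft\Protect instead of the XP-era "Application Data" folder) and the cipher /c switch (the XP-era tool was efsinfo) differ from what the posts name; its parsing of cipher's text output and the sample file path are assumptions.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ on a
# supported Windows; the profile layout (%APPDATA%\Microsoft\Protect) and the
# cipher /c switch are post-XP. Run it in the affected user's own session:
# the Personal store and the DPAPI master keys are per-user.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. Every EFS certificate in CurrentUser\My and whether a private key is
#    attached. Two rows is Roger's "more than one" case; HasPrivateKey = False
#    is Peter's item 02 (a certificate with no corresponding private key).
function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        ($null -ne $eku) -and
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEkuOid)
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# 2. The DPAPI master-key files that wrap those private keys. Peter's check:
#    GUID-named master keys and a small "Preferred" file under Protect\<SID>,
#    plus CREDHIST one level up. They are hidden+system files, hence -Force.
#    Sizes depend on the Windows version (388/24 bytes were XP-era figures).
function Get-DpapiMasterKeyInfo {
    $sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $protectDir = Join-Path $env:APPDATA 'Microsoft\Protect'
    $keyDir     = Join-Path $protectDir $sid
    if (-not (Test-Path -LiteralPath $keyDir)) {
        Write-Warning "No DPAPI master-key folder for $sid at $keyDir"
        return
    }
    $items = @(Get-ChildItem -LiteralPath $keyDir -Force -File)
    $credhist = Join-Path $protectDir 'CREDHIST'
    if (Test-Path -LiteralPath $credhist) {
        $items += Get-Item -LiteralPath $credhist -Force
    } else {
        Write-Warning "CREDHIST not found under $protectDir"
    }
    $items | Select-Object Name, Length, LastWriteTime
}

# 3. Which certificate thumbprints a given encrypted file is sealed to, next
#    to the thumbprints this user holds. cipher /c prints one
#    "Certificate thumbprint: ..." line per user who can decrypt (efsinfo /u /c
#    did the same on XP); the regex over that text is an assumption here.
function Test-EfsFileAccess {
    param([Parameter(Mandatory)][string]$Path)
    $mine   = @(Get-EfsCertificate | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    $raw    = (& cipher.exe /c $Path 2>&1) | Out-String
    $onFile = @([regex]::Matches($raw, '(?i)thumbprint:\s*([0-9A-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() })
    [pscustomobject]@{
        File              = $Path
        ThumbprintsOnFile = $onFile
        MyThumbprints     = $mine
        CanDecrypt        = [bool]($onFile | Where-Object { $mine -contains $_ })
    }
}

Get-EfsCertificate     | Format-Table -AutoSize
Get-DpapiMasterKeyInfo | Format-Table -AutoSize
# Test-EfsFileAccess -Path 'C:\Users\Dave\Documents\secret.txt'   # hypothetical path
```

Reading the output: two EFS rows where the file's thumbprint matches the older one, HasPrivateKey True, and still "Access Denied" on open is the state described in this thread. The certificate and the key blob are present, but the DPAPI master key that wraps the private key can no longer be unwrapped, which is what the "no private key" message from the snap-in really reports. That master key is protected with material derived from the account's password: a change the user makes while logged on re-wraps it, whereas an administrator resetting the password from Computer Management to a different value does not, and leaves every DPAPI-protected secret (EFS keys included) unreadable unless a password reset disk was made beforehand.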

Roger Abell
December 5th 03, 07:54 PM
Failure to open a file due to encryption looks just
like failure due to permissions.
You can always check the permissions if you doubt
that the account has sufficient NTFS permission.
The account does not need to be the owner.

I would use pfx as the export/import format.
When importing do not select to have it prompt
on use, that will not work.

--
Roger

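Roger's export/import route (PFX rather than .p7b, and no prompt-on-use at import) and the cipher /r recovery-agent step from his first reply, as PowerShell. This is an added example, not code from anyone in the thread. It assumes Windows PowerShell 5.1 or later on a current Windows, that the EFS private key is marked exportable (self-issued EFS keys normally are), and that it is still usable in the source account; the thumbprint, file paths, PFX password and account names are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+; the
# thumbprint, file paths, PFX password and account names are placeholders.
# The export half runs as the user who owns the EFS key, the import half as
# the account that should gain access. If the source key cannot be unwrapped
# (the situation in this thread) the export throws: there is nothing to copy.

# Export one EFS certificate together with its private key as PFX (PKCS#12).
# A .p7b or .cer carries the public certificate only and can decrypt nothing,
# which is why Roger says to use pfx.
function Export-EfsCertificateToPfx {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item -Path ('Cert:\CurrentUser\My\' + $Thumbprint)
    if (-not $cert.HasPrivateKey) { throw "No private key attached to $Thumbprint" }
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $bytes = $cert.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    Get-Item -LiteralPath $OutFile
}

# Import into the other account's Personal store. Roger's warning about the
# "prompt on use" option corresponds to the UserProtected storage flag: an
# EFS key that demands a confirmation dialog cannot be used by the EFS driver,
# so only PersistKeySet and UserKeySet are set here.
function Import-EfsCertificateFromPfx {
    param(
        [Parameter(Mandatory)][string]$PfxFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    $x509  = 'System.Security.Cryptography.X509Certificates'
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxFile, $plain, $flags)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
        [System.Security.Cryptography.X509Certificates.StoreName]::My,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    $cert | Select-Object Subject, Thumbprint, HasPrivateKey
}

# Data Recovery Agent, the thing this thread had none of. cipher /r asks for a
# password and writes <name>.cer (public part, to register as the DRA) and
# <name>.pfx (private key, to keep offline). Register the .cer under Local
# Security Policy > Public Key Policies > Encrypting File System > Add Data
# Recovery Agent, then run cipher /u: a DRA added after the fact covers no
# existing file until its key field is rewritten.
function New-EfsRecoveryAgentKeyPair {
    param([Parameter(Mandatory)][string]$BaseName)
    & cipher.exe "/r:$BaseName"
    Get-ChildItem -Path . -Filter "$BaseName.*"
}

# Flow (placeholders; run each half in the right account):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-EfsCertificateToPfx -Thumbprint '<thumbprint of the Dave User cert>' `
#       -OutFile 'C:\efs-old.pfx' -Password $pw
#   ... log on as the new local account ...
#   Import-EfsCertificateFromPfx -PfxFile 'C:\efs-old.pfx' -Password $pw
#   cipher.exe /d 'C:\restored\*'      # decrypt in place once the import works
#   New-EfsRecoveryAgentKeyPair -BaseName 'efs-dra'
#   cipher.exe /u                      # after the DRA is registered in policy
```

Store the exported .pfx files off the machine and delete the local copy: whoever holds a PFX with the EFS key, or the DRA's PFX, can read every file sealed to it, so it deserves the same handling as the data itself.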

thiessendg@yahoo.com
December 5th 03, 08:00 PM
Peter & Roger,

Please see my comments/responses inlined below...

"Peter Clark" > wrote in message >...
> roger; no worry, it may of been in the 2ksecgroup or done
> via email.
>
>
>
> dave:
>
> did you get a message like:
>
> (with username)
> logon message:
> you are required to change your password at first logon.
>

Yes, I did. This seems to be exactly what "broke" my efs.

> this seems to break efs as it does not update the locking
> file which secures your private/public keys. however you
> can regain access by changing the password back to the
> exact original - i guess you did?
>

Yep changed it back to the original, however, could only do this from
the admin account. When I try from user account fails, see below...

> renamed from "Dave User" to "Dave" - are you sure this is
> not a username/fullname muddle? check with lusrmgr.msc -
> username/fullname change should not affect efs as it uses
> the user number.

I am inclined to believe this is not really a problem at all.

>
> the original cert could not be used - why??
>
> 01. password was not changed back to _exact_ original
>

see above comments...

> 02. some files are missing - for each cert in mmc, open -
> is there a private that corresponds?
> browse to doc&sets\%username\application
> data\microsoft\protect\s-1-5-21-%machinesid%-%userno%
> are there two guid(388bytes) and one preferred(24bytes)
> named files present?
>

tried this and sure enough, it appears the private key may be gone. I
didn't check the registry, I used the certificates snap in and tried
something, can't recall exactly, but, I was informed there was no
private key.

> 03. the file doc&sets\%username\application
> data\microsoft\protect\credhist could be corrupt
> it is possible to create new one.
>
> "password must meet complexity requirements" = disabled may still
> trigger such a prompt - are the other settings
> 0/42/0/0/disabled/disabled?
> out of interest, is this machine with full updates, sp1 or
> default install?
>

I believe I have all password stuff disabled, except that max passwd
age is 180 days, and the min length is 5 characters.
This is WinXP Pro w/SP1 and all updates applied.

> can you download filemon from sysinternals.com - run it and
> try and access a file that you get the denied message for
> and then save the log and email it over? this may help to
> determine exactly where efs is falling over.

I am not too concerned now, because I found my backups, looks like I
was thinking ahead and my really important data I backed up both
encrypted and decrypted. The only thing I will say is that I learned
a lot. I wish I had read/researched more beforehand, but, I assumed
EFS was "simple for the user". It is simple, however, you really need
to buff up on how it works and what all to backup. Also, before
encrypting, setup a Data Recovery Agent as there is not one by
default.

Anyway much thanks for the assistance you all have given. I think I
will call this a closed issue since I have my data now.

Dave

Roger Abell [MVP]
December 5th 03, 08:04 PM
Thank goodness for backups (in the clear) !!

The message that there was no private key may be a misleading
message, something like there is no accessible private key would
quite possibly be more accurate.

Indeed, to use EFS
1. define and test a recovery agent (DRA)
2. store one's own, and the DRA's cert/key externally
3. use password recovery disks

The W2k version did have a default DRA, but this led to an
exploit that made EFS data too easily penetrated, hence the new
design without a default DRA and with password sensitivity.
The strengthening made the eye of the needle more narrow,
and the point of it more sharp/painful.

--
Roger

> wrote in message om...
> Peter & Roger,
>
> Please see my comments/responses inlined below...
>
> "Peter Clark" > wrote in message ...
> > roger; no worry, it may of been in the 2ksecgroup or done
> > via email.
> >
> >
> >
> > dave:
> >
> > did you get a message like:
> >
> > (with username)
> > logon message:
> > you are required to change your password at first logon.
> >
>
> Yes, I did. This seems to be exactly what "broke" my efs.
>
> > this seems to break efs as it does not update the locking
> > file which secures your private/public keys. however you
> > can regain access by changing the password back to the
> > exact original - i guess you did?
> >
>
> Yep changed it back to the original, however, could only do this from
> the admin account. When I try from user account fails, see below...
>
> > renamed from "Dave User" to "Dave" - are you sure this is
> > not a username/fullname muddle? check with lusrmgr.msc -
> > username/fullname change should not affect efs as it uses
> > the user number.
>
> I am inclined to believe this is not really a problem at all.
>
> >
> > the original cert could not be used - why??
> >
> > 01. password was not changed back to _exact_ original
> >
>
> see above comments...
>
> > 02. some files are missing - for each cert in mmc, open -
> > is there a private that corresponds?
> > browse to doc&sets\%username\application
> > data\microsoft\protect\s-1-5-21-%machinesid%-%userno%
> > are there two guid(388bytes) and one preferred(24bytes)
> > named files present?
> >
>
> tried this and sure enough, it appears the private key may be gone. I
> didn't check registry, I used the certificates snap-in and tried
> something, can't recall exactly, but, I was informed there was no
> private key.
>
> > 03. the file doc&sets\%username\application
> > data\microsoft\protect\credhist could be corrupt
> > it is possible to create new one.
> >
> > password must meet complexity requirements = disabled may still
> > trigger such a prompt - are the other settings
> > 0/42/0/0/disabled/disabled?
> > out of interest, is this machine with fullupdates, sp1 or
> > defaultinstall?
> >
>
> I believe I have all password stuff disabled, except that max passwd
> age is 180 days, and the min length is 5 characters.
> This is WinXP Pro w/SP1 and all updates applied.
>
> > can you download filemon from sysinternals.com - run it and
> > try and access a file that you get the denied message for
> > and then save the log and email it over? this may help to
> > determine exactly where efs is falling over.
>
> I am not too concerned now, because I found my backups, looks like I
> was thinking ahead and my really important data I backed up both
> encrypted and decrypted. The only thing I will say is that I learned
> a lot. I wish I had read/researched more beforehand, but, I assumed
> EFS was "simple for the user". It is simple, however, you really need
> to buff up on how it works and what all to back up. Also, before
> encrypting, set up a Data Recovery Agent as there is not one by
> default.
>
> Anyway much thanks for the assistance you all have given. I think I
> will call this a closed issue since I have my data now.
>
> Dave
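Roger's three-step list (define and test a DRA, export the cert/key, make a password reset disk) can mostly be driven from the command line with the built-in cipher.exe. The script below is an added example and is not from the thread or from Microsoft; the directory paths and file base names are assumptions, and the `/x` backup switch is assumed to be present (it arrived with XP SP2, so on the SP1 machine in the thread the Certificates MMC snap-in export is the fallback). The DRA certificate still has to be added to local policy through secpol.msc, and the password reset disk is Control Panel only, so those two steps stay manual.

```powershell
# Added example: preparing a Windows XP Pro workstation for EFS recovery.
# Assumed: D:\EFSrecovery is removable media that leaves the machine afterwards.
# Run from an account with local administrator rights.

$backupDir = 'D:\EFSrecovery'               # assumed location
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null

# Step 1: create the Data Recovery Agent certificate and key.
# cipher /r writes <base>.cer (public cert for the policy) and <base>.pfx
# (private key, protected by the password cipher prompts for).
$draBase = Join-Path $backupDir 'dra'       # assumed base name
cipher.exe "/r:$draBase"
# Then: secpol.msc -> Public Key Policies -> Encrypting File System ->
# Add Data Recovery Agent, and pick dra.cer. No CLI exists for this on XP.
# dra.pfx must not stay on the box; it decrypts every user's files.

# Step 2: export the current user's own EFS certificate and private key.
# cipher /x (XP SP2 and later; assumption for this example) writes <name>.pfx
# after prompting for a protection password. Repeat for each EFS user.
$userKey = Join-Path $backupDir 'myefskey'  # assumed base name
cipher.exe /x $userKey

# Step 3 (password reset disk) is GUI only on XP:
# Control Panel -> User Accounts -> "Prevent a forgotten password".

# A DRA only covers files encrypted or touched after it was defined.
# cipher /u rewrites the recovery field of every encrypted file on local
# drives with the current DRA, closing that gap for existing data.
cipher.exe /u

# Verification: /u /n reports every encrypted file without modifying it,
# which also gives the inventory of what the exported keys must protect.
cipher.exe /u /n
```

The order matters: run `/r` and the policy import before `/u`, or the update pass has no agent to write. Keep the `.pfx` files and their passwords apart from the workstation; with them on the same disk a password reset by an administrator, exactly the event that started this thread, still leaves the data recoverable by anyone who can read the disk.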
