A Windows XP help forum. PCbanter


DRA is Decrypting Files when it shouldn't be!!!



 
 
  #1  
Old January 19th 06, 12:27 AM posted to microsoft.public.windowsxp.security_admin

I set up a brand new XP install, set up a new local user named Joe and logged
in as Joe. Created a new directory and encrypted 200 files in this
directory.

Logged off and logged in as Administrator. Created a DRA (e.g. Cipher
/r:Filename, imported the certificate and private key into the local certificate
store, ran gpedit.msc and added the DRA). After this, I tried to unencrypt the
directory while logged in as Administrator and it let me!!! Why is this? It
shouldn't allow me to decrypt 200 files that were encrypted before a DRA was
created.

I don't get this crap. Many articles state that you have to create the DRA
before encrypting the files so that the DRA can decrypt them. If you don't,
then you need to run cipher /u to update the encrypted files so that the
newly created DRA will work with older encrypted files.

In my case, I created the DRA after the files were already encrypted and
"never" ran a cipher /u. Does anybody know what could cause this?

Thanks, DJ
  #2  
Old January 19th 06, 03:38 AM posted to microsoft.public.windowsxp.security_admin

Hmm. Have you tried first exporting/deleting the user's private key
before creating the RA to see what happens, or rebooting the computer before
you created the RA with cipher /R with the user's private key still on the
computer? XP is supposed to flush the EFS cache at logoff. Did you remove any
old RA from the RA user's certificate store via the MMC snap-in for certificates
and then log off as the RA? You can use efsinfo to see what RAs are included
in a user's EFS file and examine the certificate thumbprint to see exactly
which RA certificate is being used if more than one is available. You
might also want to post in the Microsoft.public.security.crypto
newsgroup. --- Steve


"DJ" wrote in message
...
  #3  
Old January 19th 06, 05:46 PM posted to microsoft.public.windowsxp.security_admin

Steve, I did what you said (below) and "exported" & "deleted" the user's
private key and now it's acting correctly. Why is this?

I don't understand, please explain.

Thanks, DJ

"Steven L Umbach" wrote:

  #4  
Old January 19th 06, 09:02 PM posted to microsoft.public.windowsxp.security_admin

So what exactly did you do? Create a user, encrypt some files, remove the
user's EFS certificate private key, create an RA, and not be able to decrypt
the files as the RA? Or did you use your current configuration where the RA could
decrypt the user's files, remove the user's EFS certificate private key, and the RA can
no longer decrypt the files? Did you look to see if the RA had more than one RA
certificate? --- Steve


"DJ" wrote in message
...
  #5  
Old January 19th 06, 10:37 PM posted to microsoft.public.windowsxp.security_admin

Let's go over this again...

OS setup:

Installed a fresh copy of XP. Forget about extra RAs. There is only one RA
with this setup. I dedicated the Administrator's account as the RA.

Problem:

EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE an RA
was actually created on the XP OS. My question is why?

I was told by "many people" that you have to set up the RA BEFORE enabling
encryption to get the RA to decrypt encrypted files.

Steps I took:

I created a user, encrypted 200 files. Logged off and logged on as
Administrator and created an RA. Rebooted and logged in as Administrator and
decrypted the 200 files.

In this case here, I created the RA after the files were already encrypted,
so why am I ABLE to decrypt the 200 files?

Anyway, to resolve the problem, you asked me to do an experiment and told me
to "export" & "delete" the user's private key before creating the RA. I did
this, and now the RA cannot delete the 200 files (which is the way it's supposed
to work).

My question is, why did you suggest to "export" & "delete" the user's
private key, then create the RA? And also, why does this work and what did I
do wrong?

Thanks, Dave

  #6  
Old January 19th 06, 11:07 PM posted to microsoft.public.windowsxp.security_admin

Answers inline:


In article ,
says...
Let's go over this again...

OS setup:

Installed a fresh copy of XP. Forget about extra RA's. There is only one RA
with this setup. I dedicated the Administrator's account as the RA.

Problem:

EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE an RA
was actually created on the XP OS. My question is Why?

I was told by "many people" that you have to setup the RA BEFORE enabling
encryption to get the RA to decrypt encrypted files.

Steps I took:

I created a user, encrypted 200 files. Logged off and logged on as
Administrator and created a RA. Rebooted and logged in as Administrator and
decrypted the 200 files.


When you encrypted the files, the default RA certificate was used. The
default install will designate the first administrator account in XP as
the DRA in a non-domain environment.

In this case here, I created the RA after the files were already encrypted,
so why am I ABLE to decrypt the 200 files?


You need to check the certificate profile of the DRA user account. Run
certmgr.msc and look to see how many EFS recovery agent certificates you
have. Also, against the files, you can run EFSINFO /U /R /C, which will
show you, for each file, the thumbprints of the certificates that were
used during the encryption process.

Anyway, to resolve the problem, you asked me to do an experiment and told me
to "export" & "delete" the user's private key, before creating the RA. I did
this, and now the RA cannot delete the 200 files (which is the way it suppose
to work)


The goal is not to leave the RA's certificate in the user's profile. It
is kind of a "break glass in case of emergency" arrangement (translated: import the
certificate and private key only when needed).

My question is, why did you suggest to "export" & "delete" the user's
private key, then create the RA? And also why does this work and what did I
do wrong?


You will be able to delete and work with the files when you import the
cert and private key back into the profile. In fact, it can be imported
into any profile, as the user name has absolutely nothing to do with the
decryption process, only access to the private key of the DRA or the
user.


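The mechanism Brian describes above, as a runnable toy model: the per-file key is wrapped for the owner and for whichever recovery agents exist at encryption time, so an RA added afterwards only covers old files once they are re-encrypted with cipher /u, and what decides decryption is possession of a private key, not the account name. This is an added example, not code from any poster or from Windows. Real EFS wraps the file key with RSA under each certificate; the HMAC keystream used here, the key names, and the `thread_scenario` function are constructed stand-ins.

```python
"""Toy model of which private keys can open an EFS-encrypted file.

Added example for this thread, not code from the posters or from Windows.
Real EFS wraps the per-file key (the FEK) with RSA under the owner's
certificate (a DDF entry) and under every recovery-agent certificate in
effect when the file is encrypted (DRF entries). An HMAC keystream stands
in for the RSA wrapping so this runs offline; the bookkeeping is the point.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib
import hmac
import os


@dataclass(frozen=True)
class KeyPair:
    """A certificate plus private key. The account name is carried only
    for display; matching is done on the key material (constructed)."""
    name: str
    private_key: bytes

    @property
    def thumbprint(self) -> str:
        # Stand-in for the certificate thumbprint efsinfo / cipher display.
        return hashlib.sha1(self.private_key).hexdigest()[:16].upper()


def _wrap(fek: bytes, key: KeyPair) -> bytes:
    # Stand-in for RSA-encrypting the FEK to a certificate; XOR is self-inverse.
    stream = hmac.new(key.private_key, b"efs-fek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(fek, stream))


def _keystream(fek: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(fek + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


@dataclass
class EfsFile:
    ciphertext: bytes
    ddf: Dict[str, bytes] = field(default_factory=dict)  # owner thumbprint -> wrapped FEK
    drf: Dict[str, bytes] = field(default_factory=dict)  # RA thumbprint    -> wrapped FEK


def encrypt_file(plaintext: bytes, owner: KeyPair, recovery_policy: List[KeyPair]) -> EfsFile:
    """Fresh FEK, one DDF entry for the owner, one DRF entry per RA in effect *now*."""
    fek = os.urandom(32)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(fek, len(plaintext))))
    f = EfsFile(ciphertext=body)
    f.ddf[owner.thumbprint] = _wrap(fek, owner)
    for ra in recovery_policy:
        f.drf[ra.thumbprint] = _wrap(fek, ra)
    return f


def recover_fek(f: EfsFile, holder: KeyPair) -> Optional[bytes]:
    """The FEK if the holder's private key matches any DDF or DRF entry, else None."""
    for table in (f.ddf, f.drf):
        blob = table.get(holder.thumbprint)
        if blob is not None:
            return _wrap(blob, holder)  # unwrap
    return None


def decrypt_file(f: EfsFile, holder: KeyPair) -> Optional[bytes]:
    fek = recover_fek(f, holder)
    if fek is None:
        return None
    return bytes(c ^ k for c, k in zip(f.ciphertext, _keystream(fek, len(f.ciphertext))))


def cipher_u(f: EfsFile, holder: KeyPair, recovery_policy: List[KeyPair]) -> bool:
    """Model of cipher /u: re-wrap the existing FEK under the current recovery
    policy. Only a holder who can already open the file can do this."""
    fek = recover_fek(f, holder)
    if fek is None:
        return False
    f.drf = {ra.thumbprint: _wrap(fek, ra) for ra in recovery_policy}
    return True


def recovery_thumbprints(f: EfsFile) -> List[str]:
    """What efsinfo /r or the file's Details dialog would list as recovery agents."""
    return sorted(f.drf)


def thread_scenario() -> Dict[str, object]:
    """Replays the thread's experiment with constructed keys."""
    joe = KeyPair("Joe", os.urandom(32))
    admin_ra = KeyPair("Administrator (DRA)", os.urandom(32))
    f = encrypt_file(b"payroll", joe, recovery_policy=[])  # no RA defined yet
    r: Dict[str, object] = {}
    r["ra_added_after_encryption_can_decrypt"] = decrypt_file(f, admin_ra) is not None
    r["ra_alone_can_run_cipher_u"] = cipher_u(f, admin_ra, [admin_ra])
    r["recovery_agents_on_old_file"] = recovery_thumbprints(f)
    # Joe's exported .pfx imported into the Administrator profile: same key, any account.
    joes_key_in_admin_profile = KeyPair("Administrator", joe.private_key)
    r["joes_key_in_admin_profile_can_decrypt"] = decrypt_file(f, joes_key_in_admin_profile) == b"payroll"
    cipher_u(f, joe, recovery_policy=[admin_ra])  # the owner updates the file
    r["ra_can_decrypt_after_cipher_u"] = decrypt_file(f, admin_ra) == b"payroll"
    r["recovery_agents_after_cipher_u"] = recovery_thumbprints(f) == [admin_ra.thumbprint]
    return r


if __name__ == "__main__":
    for k, v in thread_scenario().items():
        print(f"{k}: {v}")
```

Two results map directly onto the thread: an RA that cannot open a file cannot run cipher /u on it either, so the owner (or any profile holding the owner's private key) has to update old files; and a profile that holds the user's private key decrypts regardless of which account it is, which is why exporting and deleting that key before creating the RA changed the outcome. On the real system the equivalent check is the EFSINFO /U /R /C run Brian gives above, compared against the thumbprints in certmgr.msc.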
  #7  
Old January 19th 06, 11:58 PM posted to microsoft.public.windowsxp.security_admin

I just reproduced what you did and was not able to access the files as the
RA, even though I rebooted the computer after encrypting the files and before
logging on as the built-in Administrator account to create the RA. ---
Steve


"DJ" wrote in message
...
  #8  
Old January 20th 06, 12:04 AM posted to microsoft.public.windowsxp.security_admin

Hi Brian.

I may be wrong, but the behavior you describe, the default RA being
generated as the built-in Administrator account, is unique to Windows 2000
and is not default behavior on an XP Pro computer. I have never seen an RA
on an XP Pro non-domain workstation where a user has encrypted files unless
an administrator had taken the effort to create one and import it into Local
Security Policy like the OP has done. --- Steve


"Brian Komar [MVP]" wrote in message
om...
  #9  
Old January 20th 06, 01:06 AM posted to microsoft.public.windowsxp.security_admin

Now log back in as the user, go to the "Details" button and view who is an
RA for that file, and you will see that "Administrator" is the RA.

After you verify that the Administrator is the RA, log back out of the user
account and log back in as "Administrator", and you will be able to
decrypt it.

"Steven L Umbach" wrote:

  #10  
Old January 20th 06, 01:07 AM posted to microsoft.public.windowsxp.security_admin

You're right, Brian is mistaken.

"Steven L Umbach" wrote:

  #11  
Old January 20th 06, 01:28 AM posted to microsoft.public.windowsxp.security_admin

Well, maybe we did something different, as I used efsinfo to see if the newly
created RA [not by the user with cipher /R] was shown before logging onto
the user account, and it was not, as I expected. You indicated that the RA
could access the user's EFS files before logging on as the user after
creating the RA with the Administrator account. --- Steve


"DJ" wrote in message
...
now log back in as the user and go to the "details" button and view who is
a RA for that file and you will see that "Administrator" is the RA.

After you verify that the Administrator is the RA, log back out of the user
account and log back in as the "Administrator" and you will be able to
decrypt it.

"Steven L Umbach" wrote:

I just reproduced what you did and was not able to access the files as the
RA though I rebooted the computer after encrypting the files and before
logging on as the built in administrator account to create the RA. ---
Steve


"DJ" wrote in message
...
Let's go over this again...

OS setup:

Installed a fresh copy of XP. Forget about extra RAs. There is only one RA
with this setup. I dedicated the Administrator's account as the RA.

Problem:

EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE an
RA was actually created on the XP OS. My question is: why?

I was told by "many people" that you have to set up the RA BEFORE enabling
encryption to get the RA to decrypt encrypted files.

Steps I took:

I created a user, encrypted 200 files. Logged off and logged on as
Administrator and created a RA. Rebooted and logged in as Administrator and
decrypted the 200 files.

In this case here, I created the RA after the files were already encrypted,
so why am I ABLE to decrypt the 200 files?

Anyway, to resolve the problem, you asked me to do an experiment and told
me to "export" & "delete" the user's private key, before creating the RA. I
did this, and now the RA cannot delete the 200 files (which is the way it
is supposed to work).

My question is, why did you suggest to "export" & "delete" the user's
private key, then create the RA? And also why does this work and what did I
do wrong?

Thanks, Dave

---------------------------------------------------

So what did you exactly do? Create a user, encrypt some files, remove the
user's EFS certificate private key, create an RA, and not be able to
decrypt files as RA or did you use your current configuration where the RA
could decrypt user's files, remove user's EFS certificate private key, and
RA can no longer decrypt files?? Did you look to see if RA had more than
one RA certificate?? --- Steve


  #12  
Old January 20th 06, 01:46 AM posted to microsoft.public.windowsxp.security_admin
external usenet poster
 
Posts: n/a
Default DRA is Decrypting Files when it shouldn't be!!!

You didn't go far enough. After you log in as the built-in administrator and
create the RA, don't check to see if you can decrypt a file, because you're
right, you won't be able to decrypt one.

Now, log back in as the user and go to the "details" button and view who is
the RA for one of the encrypted files; you will see that "Administrator" is
the RA.
Now log back out as the user, log in as the "Administrator" and you WILL
be able to decrypt any file you want.

Now how can that be? You explain it to me. I don't get it.

A previously encrypted file should not be able to be decrypted with a RA I
created after the fact.


  #13  
Old January 20th 06, 01:56 AM posted to microsoft.public.windowsxp.security_admin
external usenet poster
 
Posts: n/a
Default DRA is Decrypting Files when it shouldn't be!!!

If you could, write out "step by step", "word for word" and I'll try to
create the result you're receiving.

I'm just trying to get an RA to not be able to open an older encrypted file
(meaning an encrypted file that was encrypted before the RA was set up),
because all I'm getting over here is an RA that is seeing everything (every
pre-RA encrypted file on my drive).

Thanks, Dave


  #14  
Old January 20th 06, 01:58 AM posted to microsoft.public.windowsxp.security_admin
external usenet poster
 
Posts: n/a
Default DRA is Decrypting Files when it shouldn't be!!!

Because once you logged on as the user and the RA was configured via Group
Policy, the user's EFS files can be updated automagically to reflect the
RA, though that does not always reliably happen, which is why it is a good
idea to use cipher /u to try to force it on all EFS files for the user. This
all requires that the user has their EFS private key on the computer or the
update of the RA will fail, which is why you cannot create a RA after the
fact to attempt to decrypt EFS files for a user that does not have their EFS
private key due to export/delete, reinstall or corrupt user profile. ---
Steve


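Steve's explanation above, modelled as an added example (not code from this thread or from Windows): textbook RSA with constructed small primes stands in for EFS key wrapping, and the user names, the FEK value and all helper functions are assumptions. It shows why adding a recovery agent to an already-encrypted file works only while the owner's private key is still on the machine.

```python
"""Model of an EFS file header: the File Encryption Key (FEK) is wrapped
to the owner's public key (the DDF) and to each recovery agent's public key
(the DRF). Adding an RA after the fact means re-wrapping the FEK, which
first requires unwrapping it with a private key already on the file.
Added example; textbook RSA with constructed primes stands in for EFS."""

from dataclasses import dataclass, field
from math import gcd
from typing import Dict, Optional


@dataclass(frozen=True)
class KeyPair:
    name: str
    n: int
    e: int
    d: Optional[int]  # None once the private key has been exported/deleted

    def public(self) -> "KeyPair":
        """Certificate only: what is left after 'export and delete'."""
        return KeyPair(self.name, self.n, self.e, None)


def make_keypair(name: str, p: int, q: int, e: int = 17) -> KeyPair:
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "constructed primes must suit the exponent"
    return KeyPair(name, n, e, pow(e, -1, phi))


def wrap(fek: int, pub: KeyPair) -> int:
    assert 0 < fek < pub.n
    return pow(fek, pub.e, pub.n)          # anyone can wrap to a public key


def unwrap(blob: int, priv: KeyPair) -> int:
    if priv.d is None:
        raise PermissionError(f"{priv.name}: private key not present")
    return pow(blob, priv.d, priv.n)       # only the key holder can unwrap


@dataclass
class EfsFile:
    ddf: Dict[str, int] = field(default_factory=dict)  # owner -> wrapped FEK
    drf: Dict[str, int] = field(default_factory=dict)  # RA name -> wrapped FEK


def encrypt_file(fek: int, owner: KeyPair, agents=()) -> EfsFile:
    f = EfsFile()
    f.ddf[owner.name] = wrap(fek, owner)
    for ra in agents:                      # RAs that exist at encryption time
        f.drf[ra.name] = wrap(fek, ra)
    return f


def recover_fek(f: EfsFile, key: KeyPair) -> int:
    blob = f.ddf.get(key.name, f.drf.get(key.name))
    if blob is None:
        raise PermissionError(f"{key.name} is not listed on this file")
    return unwrap(blob, key)


def add_recovery_agent(f: EfsFile, owner: KeyPair, ra_pub: KeyPair) -> None:
    """What the owner's logon (or cipher /u) does for a newly policied RA."""
    fek = recover_fek(f, owner)            # needs the owner's private key
    f.drf[ra_pub.name] = wrap(fek, ra_pub)


def scenario(delete_user_key_first: bool) -> bool:
    """True if the after-the-fact RA ends up able to read the file."""
    joe = make_keypair("Joe", 1009, 1013)              # constructed primes
    admin = make_keypair("Administrator", 1031, 1033)  # constructed primes
    fek = 0x2A5                                        # constructed FEK
    f = encrypt_file(fek, joe)             # encrypted before any RA existed
    assert "Administrator" not in f.drf    # efsinfo would show no RA yet
    owner_key = joe.public() if delete_user_key_first else joe
    try:
        add_recovery_agent(f, owner_key, admin.public())
    except PermissionError:
        pass                               # update of the RA fails silently
    try:
        return recover_fek(f, admin) == fek
    except PermissionError:
        return False


if __name__ == "__main__":
    print("user key present:", scenario(False))   # RA can decrypt
    print("user key deleted:", scenario(True))    # RA cannot decrypt
```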
  #15  
Old January 20th 06, 02:22 AM posted to microsoft.public.windowsxp.security_admin
external usenet poster
 
Posts: n/a
Default DRA is Decrypting Files when it shouldn't be!!!

What?

You have a phone I can call you at, work or home, today, tomorrow, etc?

I don't think you're picking up what I'm putting down. I don't know if you
tried the exact way I'm doing it, but I'm having an RA decrypting files that
are older than the RA.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.