A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

How to get full access to all contents?



 
 
Thread Tools Display Modes
  #46  
Old December 21st 03, 12:28 AM
Dmitriy Kopnichev
external usenet poster
 
Posts: n/a
Default How to get full access to all contents?

Should I rename my computer to ME? Will I retain access to domain resources?
"Roger Abell" wrote in message
...
While logged in as an admin schedule a cmd prompt
to open in a couole minutes using task scheduler.
When the cmd prompt opens, it is running as System
(which is the local identity known to the domain
as machinename$).
There is no way I know of to actually log in as that
account, as you do not know the password.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
Importing the saved key didn't help. How to logon to the
"ME$(ME$@workgroup)" account?
"Roger Abell" wrote in message
...
NG list trimmed to security_admin

Have you yet tried importing the key that was saved into
an account ? When doing this, it will give you the option
to have it prompt you whenerver it is used, or to just do it.
You must select for it to just do it without prompting.
Account names like ME$ are usually the machine account
that represents the machine as a member in the domain.


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I haven't removed any account.
Isn't the "ME$(ME$@workgroup)" a user account? I used not the

cipher,
but
"Encryption Details for" the file window in "Advanced Attributes" of

the
file window. I saved a Private key to a .pfx file before I was

joined
the
domain and my computer was renamed by the domain administrators.
"Roger Abell" wrote in message
...
You may own the machine and the files may be yours,
but if it is encrypted and you cannot prove to the system
that you are supposed to be able to decrypt it then it will
not let you.

The only way to prove that you are supposed to be able
to access the EFS encrypted file is to use an account that
has loaded into it the decryption key that corresponds to
the certificate that was used to encrypt the file.

When you renamed the machine, apparently starting down
the road of denied access, something seems to have removed
that capability. When you used cipher to look at the file it
said that there was no user account allowed to decrypt it,
instead indicating the machine was allowed to decrypt it.
That, assuming you have reported accurately what you saw,
is something with which I am unfamiliar, either as to why it
got that way or how to get out of that situation.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
This is my file. I'm the only computer owner.
"Roger Abell" wrote in message
...
code 5 is probably access failure
in this case since you do not have EFS capability to decrypt
you are not allowed to modify who can decrypt

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I tried to add myself and/or another user to "Users Who Can
Transparently
Access this File" and got an error
"ERSADU
Error in adding new user(s). Error code 5."
"Roger Abell" wrote in message
...
When you look at the file's properties Security dialog
is anything checked for any group in the Deny column ?
You must highlight each group listed one at a time and
then look at what is Granted/Denied.
An account that is only in Administrators group is
actually also in other things to which there can be
NTFS Grants/Denies, like Authenticated Users,
Network, Interactive, Everyone. . . .
Not having EFS authorization appears as if it is a
NTFS permissions denial. You should use the cipher
commandline utility to examine the thumbprint info of
the file to see what accounts are allowed to decrypt it.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
How to become sure that there is no Deny for any group.

The
file
is
EFS
protected. But I can open other EFS protected files.
"Roger Abell" wrote in message
...
This means that you have full control and it is

inherited
from
some higher directory.
Are you sure that there is no Deny for some group, and

if
there is make sure your account is not a member of the
group.
Deny overrides a Grant.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I'm the Owner of the file and have full access, but

the
"Effective
permissions" are all checked and grayed for me.
"Kelly" wrote in message
...
Without knowing more, see if this helps:

EXE and LNK Fix for Windows XP - Line 12
http://www.kellys-korner-xp.com/xp_tweaks.htm

To use the Regedit: Save the REG File to your

hard
disk.
Double
click
it
and answer yes to the import prompt. REG files can

be
viewed
in
Notepad
by
right clicking on the file and selecting Edit.

--
All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Top 10 Frequently Asked Questions and Answers
http://www.kellys-korner-xp.com/top10faqs.htm


"Dmitriy Kopnichev" wrote in

message
...
Hello
I get "Windows cannot access the specified

device,
path,
or
file.
You
may
not have appropriate permissions to access the

item."
when
I
double-click
a
file. I'm the only owner of the computer. How to

get
full
access
to
all
contents?





























Ads
  #47  
Old December 21st 03, 12:28 AM
Dmitriy Kopnichev
external usenet poster
 
Posts: n/a
Default How to get full access to all contents?

"Computer name changes
The following error occurred attempting to rename the computer to "ME":
Multiple connection to a server or shared resource by the same user, using
more than one user name, are not allowed. Disconnect all previous
connections to the server or shared resource." I haven't used more than one
user name. I have only one domain user name. How to disconnect all previous
connections to the server or shared resource?
Should I rename my computer to "ME" and become a member of "Workgroup"
instead of our domain?
"Roger Abell" wrote in message
...
While logged in as an admin schedule a cmd prompt
to open in a couole minutes using task scheduler.
When the cmd prompt opens, it is running as System
(which is the local identity known to the domain
as machinename$).
There is no way I know of to actually log in as that
account, as you do not know the password.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
Importing the saved key didn't help. How to logon to the
"ME$(ME$@workgroup)" account?
"Roger Abell" wrote in message
...
NG list trimmed to security_admin

Have you yet tried importing the key that was saved into
an account ? When doing this, it will give you the option
to have it prompt you whenerver it is used, or to just do it.
You must select for it to just do it without prompting.
Account names like ME$ are usually the machine account
that represents the machine as a member in the domain.


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I haven't removed any account.
Isn't the "ME$(ME$@workgroup)" a user account? I used not the

cipher,
but
"Encryption Details for" the file window in "Advanced Attributes" of

the
file window. I saved a Private key to a .pfx file before I was

joined
the
domain and my computer was renamed by the domain administrators.
"Roger Abell" wrote in message
...
You may own the machine and the files may be yours,
but if it is encrypted and you cannot prove to the system
that you are supposed to be able to decrypt it then it will
not let you.

The only way to prove that you are supposed to be able
to access the EFS encrypted file is to use an account that
has loaded into it the decryption key that corresponds to
the certificate that was used to encrypt the file.

When you renamed the machine, apparently starting down
the road of denied access, something seems to have removed
that capability. When you used cipher to look at the file it
said that there was no user account allowed to decrypt it,
instead indicating the machine was allowed to decrypt it.
That, assuming you have reported accurately what you saw,
is something with which I am unfamiliar, either as to why it
got that way or how to get out of that situation.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
This is my file. I'm the only computer owner.
"Roger Abell" wrote in message
...
code 5 is probably access failure
in this case since you do not have EFS capability to decrypt
you are not allowed to modify who can decrypt

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I tried to add myself and/or another user to "Users Who Can
Transparently
Access this File" and got an error
"ERSADU
Error in adding new user(s). Error code 5."
"Roger Abell" wrote in message
...
When you look at the file's properties Security dialog
is anything checked for any group in the Deny column ?
You must highlight each group listed one at a time and
then look at what is Granted/Denied.
An account that is only in Administrators group is
actually also in other things to which there can be
NTFS Grants/Denies, like Authenticated Users,
Network, Interactive, Everyone. . . .
Not having EFS authorization appears as if it is a
NTFS permissions denial. You should use the cipher
commandline utility to examine the thumbprint info of
the file to see what accounts are allowed to decrypt it.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
How to become sure that there is no Deny for any group.

The
file
is
EFS
protected. But I can open other EFS protected files.
"Roger Abell" wrote in message
...
This means that you have full control and it is

inherited
from
some higher directory.
Are you sure that there is no Deny for some group, and

if
there is make sure your account is not a member of the
group.
Deny overrides a Grant.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I'm the Owner of the file and have full access, but

the
"Effective
permissions" are all checked and grayed for me.
"Kelly" wrote in message
...
Without knowing more, see if this helps:

EXE and LNK Fix for Windows XP - Line 12
http://www.kellys-korner-xp.com/xp_tweaks.htm

To use the Regedit: Save the REG File to your

hard
disk.
Double
click
it
and answer yes to the import prompt. REG files can

be
viewed
in
Notepad
by
right clicking on the file and selecting Edit.

--
All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Top 10 Frequently Asked Questions and Answers
http://www.kellys-korner-xp.com/top10faqs.htm


"Dmitriy Kopnichev" wrote in

message
...
Hello
I get "Windows cannot access the specified

device,
path,
or
file.
You
may
not have appropriate permissions to access the

item."
when
I
double-click
a
file. I'm the only owner of the computer. How to

get
full
access
to
all
contents?





























  #48  
Old December 21st 03, 12:28 AM
Dmitriy Kopnichev
external usenet poster
 
Posts: n/a
Default How to get full access to all contents?

I became a member of the workgroup "WORKGROUP", renamed my computer to "ME",
scheduled a cmd prompt to open, tried to decrypt the file in the cmd prompt
and got the "Access denied" response.
"Roger Abell" wrote in message
...
While logged in as an admin schedule a cmd prompt
to open in a couole minutes using task scheduler.
When the cmd prompt opens, it is running as System
(which is the local identity known to the domain
as machinename$).
There is no way I know of to actually log in as that
account, as you do not know the password.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
Importing the saved key didn't help. How to logon to the
"ME$(ME$@workgroup)" account?
"Roger Abell" wrote in message
...
NG list trimmed to security_admin

Have you yet tried importing the key that was saved into
an account ? When doing this, it will give you the option
to have it prompt you whenerver it is used, or to just do it.
You must select for it to just do it without prompting.
Account names like ME$ are usually the machine account
that represents the machine as a member in the domain.


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I haven't removed any account.
Isn't the "ME$(ME$@workgroup)" a user account? I used not the

cipher,
but
"Encryption Details for" the file window in "Advanced Attributes" of

the
file window. I saved a Private key to a .pfx file before I was

joined
the
domain and my computer was renamed by the domain administrators.
"Roger Abell" wrote in message
...
You may own the machine and the files may be yours,
but if it is encrypted and you cannot prove to the system
that you are supposed to be able to decrypt it then it will
not let you.

The only way to prove that you are supposed to be able
to access the EFS encrypted file is to use an account that
has loaded into it the decryption key that corresponds to
the certificate that was used to encrypt the file.

When you renamed the machine, apparently starting down
the road of denied access, something seems to have removed
that capability. When you used cipher to look at the file it
said that there was no user account allowed to decrypt it,
instead indicating the machine was allowed to decrypt it.
That, assuming you have reported accurately what you saw,
is something with which I am unfamiliar, either as to why it
got that way or how to get out of that situation.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
This is my file. I'm the only computer owner.
"Roger Abell" wrote in message
...
code 5 is probably access failure
in this case since you do not have EFS capability to decrypt
you are not allowed to modify who can decrypt

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I tried to add myself and/or another user to "Users Who Can
Transparently
Access this File" and got an error
"ERSADU
Error in adding new user(s). Error code 5."
"Roger Abell" wrote in message
...
When you look at the file's properties Security dialog
is anything checked for any group in the Deny column ?
You must highlight each group listed one at a time and
then look at what is Granted/Denied.
An account that is only in Administrators group is
actually also in other things to which there can be
NTFS Grants/Denies, like Authenticated Users,
Network, Interactive, Everyone. . . .
Not having EFS authorization appears as if it is a
NTFS permissions denial. You should use the cipher
commandline utility to examine the thumbprint info of
the file to see what accounts are allowed to decrypt it.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
How to become sure that there is no Deny for any group.

The
file
is
EFS
protected. But I can open other EFS protected files.
"Roger Abell" wrote in message
...
This means that you have full control and it is

inherited
from
some higher directory.
Are you sure that there is no Deny for some group, and

if
there is make sure your account is not a member of the
group.
Deny overrides a Grant.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
I'm the Owner of the file and have full access, but

the
"Effective
permissions" are all checked and grayed for me.
"Kelly" wrote in message
...
Without knowing more, see if this helps:

EXE and LNK Fix for Windows XP - Line 12
http://www.kellys-korner-xp.com/xp_tweaks.htm

To use the Regedit: Save the REG File to your

hard
disk.
Double
click
it
and answer yes to the import prompt. REG files can

be
viewed
in
Notepad
by
right clicking on the file and selecting Edit.

--
All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Top 10 Frequently Asked Questions and Answers
http://www.kellys-korner-xp.com/top10faqs.htm


"Dmitriy Kopnichev" wrote in

message
...
Hello
I get "Windows cannot access the specified

device,
path,
or
file.
You
may
not have appropriate permissions to access the

item."
when
I
double-click
a
file. I'm the only owner of the computer. How to

get
full
access
to
all
contents?





























  #49  
Old December 21st 03, 12:35 AM
Dmitriy Kopnichev
external usenet poster
 
Posts: n/a
Default How to get full access to all contents?

The efsinfo.exe says:
Users who can decrypt:
NT AUTHORITY\SYSTEM (ME$(ME$@WORKGROUP))
What account can decrypt the file?
"Roger Abell" wrote in message
...
NGs trimmed to security_admin

But what does cipher say ? The same ?
For the file to have an associated recovery agent
of Administrator it seems you had to have configured
a recovery agent (in XP). Was this machine a clean
install or an upgrade from W2k ??

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
"Data Recovery Agents For This File As Defined By Recovery Policy" is
"Administrator" is written in "Encryption Details for" the file window

in
"Advanced Attributes" window.
"Roger Abell" wrote in message
...
I believe that we earlier resolved that it is not an
NTFS permissions issue.
Administrator is a recovery agent only in Windows 2000.
Windows XP has no recovery agent until one is configured
or the machine is joined to an Active Directory.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitriy Kopnichev" wrote in message
...
"the following people can decrypt an encrypted file.
Any user who was designated as a recovery agent" is written in the




http://support.microsoft.com/default...&Product=winxp
The user who was designated as a recovery agent is the

Administrator.
I
tried to decrypt the file under the Administrator account and got

the
same
error message "Error Applying Attributes
An error occurred applying attributes to the file:
Path:\Filename
Access is denied"
"Michael Solomon (MS-MVP Windows Shell/User)"

wrote
in
message ...
I don't know if you've seen this or if it will help but you might

want
to
have a look at the following Knowledge Base Article:





http://support.microsoft.com/default...&Product=winxp

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"Dmitriy Kopnichev" wrote in message
...
The fixes didn't help.
"Kelly" wrote in message
...
Without knowing more, see if this helps:

EXE and LNK Fix for Windows XP - Line 12
http://www.kellys-korner-xp.com/xp_tweaks.htm

To use the Regedit: Save the REG File to your hard disk.

Double
click
it
and answer yes to the import prompt. REG files can be viewed

in
Notepad
by
right clicking on the file and selecting Edit.

--
All the Best,
Kelly

MS-MVP Win98/XP
[AE-Windows® XP]

Troubleshooting Windows XP
http://www.kellys-korner-xp.com

Top 10 Frequently Asked Questions and Answers
http://www.kellys-korner-xp.com/top10faqs.htm


"Dmitriy Kopnichev" wrote in message
...
Hello
I get "Windows cannot access the specified device, path, or

file.
You
may
not have appropriate permissions to access the item." when I
double-click
a
file. I'm the only owner of the computer. How to get full

access
to
all
contents?

















 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 01:50 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.