If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#46
|
|||
|
|||
How to get full access to all contents?
Should I rename my computer to ME? Will I retain access to domain resources?
"Roger Abell" wrote in message ... While logged in as an admin schedule a cmd prompt to open in a couole minutes using task scheduler. When the cmd prompt opens, it is running as System (which is the local identity known to the domain as machinename$). There is no way I know of to actually log in as that account, as you do not know the password. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... Importing the saved key didn't help. How to logon to the "ME$(ME$@workgroup)" account? "Roger Abell" wrote in message ... NG list trimmed to security_admin Have you yet tried importing the key that was saved into an account ? When doing this, it will give you the option to have it prompt you whenerver it is used, or to just do it. You must select for it to just do it without prompting. Account names like ME$ are usually the machine account that represents the machine as a member in the domain. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I haven't removed any account. Isn't the "ME$(ME$@workgroup)" a user account? I used not the cipher, but "Encryption Details for" the file window in "Advanced Attributes" of the file window. I saved a Private key to a .pfx file before I was joined the domain and my computer was renamed by the domain administrators. "Roger Abell" wrote in message ... You may own the machine and the files may be yours, but if it is encrypted and you cannot prove to the system that you are supposed to be able to decrypt it then it will not let you. The only way to prove that you are supposed to be able to access the EFS encrypted file is to use an account that has loaded into it the decryption key that corresponds to the certificate that was used to encrypt the file. When you renamed the machine, apparently starting down the road of denied access, something seems to have removed that capability. When you used cipher to look at the file it said that there was no user account allowed to decrypt it, instead indicating the machine was allowed to decrypt it. That, assuming you have reported accurately what you saw, is something with which I am unfamiliar, either as to why it got that way or how to get out of that situation. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... This is my file. I'm the only computer owner. "Roger Abell" wrote in message ... code 5 is probably access failure in this case since you do not have EFS capability to decrypt you are not allowed to modify who can decrypt -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I tried to add myself and/or another user to "Users Who Can Transparently Access this File" and got an error "ERSADU Error in adding new user(s). Error code 5." "Roger Abell" wrote in message ... When you look at the file's properties Security dialog is anything checked for any group in the Deny column ? You must highlight each group listed one at a time and then look at what is Granted/Denied. An account that is only in Administrators group is actually also in other things to which there can be NTFS Grants/Denies, like Authenticated Users, Network, Interactive, Everyone. . . . Not having EFS authorization appears as if it is a NTFS permissions denial. You should use the cipher commandline utility to examine the thumbprint info of the file to see what accounts are allowed to decrypt it. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... How to become sure that there is no Deny for any group. The file is EFS protected. But I can open other EFS protected files. "Roger Abell" wrote in message ... This means that you have full control and it is inherited from some higher directory. Are you sure that there is no Deny for some group, and if there is make sure your account is not a member of the group. Deny overrides a Grant. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I'm the Owner of the file and have full access, but the "Effective permissions" are all checked and grayed for me. "Kelly" wrote in message ... Without knowing more, see if this helps: EXE and LNK Fix for Windows XP - Line 12 http://www.kellys-korner-xp.com/xp_tweaks.htm To use the Regedit: Save the REG File to your hard disk. Double click it and answer yes to the import prompt. REG files can be viewed in Notepad by right clicking on the file and selecting Edit. -- All the Best, Kelly MS-MVP Win98/XP [AE-Windows® XP] Troubleshooting Windows XP http://www.kellys-korner-xp.com Top 10 Frequently Asked Questions and Answers http://www.kellys-korner-xp.com/top10faqs.htm "Dmitriy Kopnichev" wrote in message ... Hello I get "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." when I double-click a file. I'm the only owner of the computer. How to get full access to all contents? |
Ads |
#47
|
|||
|
|||
How to get full access to all contents?
"Computer name changes
The following error occurred attempting to rename the computer to "ME": Multiple connection to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource." I haven't used more than one user name. I have only one domain user name. How to disconnect all previous connections to the server or shared resource? Should I rename my computer to "ME" and become a member of "Workgroup" instead of our domain? "Roger Abell" wrote in message ... While logged in as an admin schedule a cmd prompt to open in a couole minutes using task scheduler. When the cmd prompt opens, it is running as System (which is the local identity known to the domain as machinename$). There is no way I know of to actually log in as that account, as you do not know the password. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... Importing the saved key didn't help. How to logon to the "ME$(ME$@workgroup)" account? "Roger Abell" wrote in message ... NG list trimmed to security_admin Have you yet tried importing the key that was saved into an account ? When doing this, it will give you the option to have it prompt you whenerver it is used, or to just do it. You must select for it to just do it without prompting. Account names like ME$ are usually the machine account that represents the machine as a member in the domain. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I haven't removed any account. Isn't the "ME$(ME$@workgroup)" a user account? I used not the cipher, but "Encryption Details for" the file window in "Advanced Attributes" of the file window. I saved a Private key to a .pfx file before I was joined the domain and my computer was renamed by the domain administrators. "Roger Abell" wrote in message ... You may own the machine and the files may be yours, but if it is encrypted and you cannot prove to the system that you are supposed to be able to decrypt it then it will not let you. The only way to prove that you are supposed to be able to access the EFS encrypted file is to use an account that has loaded into it the decryption key that corresponds to the certificate that was used to encrypt the file. When you renamed the machine, apparently starting down the road of denied access, something seems to have removed that capability. When you used cipher to look at the file it said that there was no user account allowed to decrypt it, instead indicating the machine was allowed to decrypt it. That, assuming you have reported accurately what you saw, is something with which I am unfamiliar, either as to why it got that way or how to get out of that situation. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... This is my file. I'm the only computer owner. "Roger Abell" wrote in message ... code 5 is probably access failure in this case since you do not have EFS capability to decrypt you are not allowed to modify who can decrypt -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I tried to add myself and/or another user to "Users Who Can Transparently Access this File" and got an error "ERSADU Error in adding new user(s). Error code 5." "Roger Abell" wrote in message ... When you look at the file's properties Security dialog is anything checked for any group in the Deny column ? You must highlight each group listed one at a time and then look at what is Granted/Denied. An account that is only in Administrators group is actually also in other things to which there can be NTFS Grants/Denies, like Authenticated Users, Network, Interactive, Everyone. . . . Not having EFS authorization appears as if it is a NTFS permissions denial. You should use the cipher commandline utility to examine the thumbprint info of the file to see what accounts are allowed to decrypt it. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... How to become sure that there is no Deny for any group. The file is EFS protected. But I can open other EFS protected files. "Roger Abell" wrote in message ... This means that you have full control and it is inherited from some higher directory. Are you sure that there is no Deny for some group, and if there is make sure your account is not a member of the group. Deny overrides a Grant. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I'm the Owner of the file and have full access, but the "Effective permissions" are all checked and grayed for me. "Kelly" wrote in message ... Without knowing more, see if this helps: EXE and LNK Fix for Windows XP - Line 12 http://www.kellys-korner-xp.com/xp_tweaks.htm To use the Regedit: Save the REG File to your hard disk. Double click it and answer yes to the import prompt. REG files can be viewed in Notepad by right clicking on the file and selecting Edit. -- All the Best, Kelly MS-MVP Win98/XP [AE-Windows® XP] Troubleshooting Windows XP http://www.kellys-korner-xp.com Top 10 Frequently Asked Questions and Answers http://www.kellys-korner-xp.com/top10faqs.htm "Dmitriy Kopnichev" wrote in message ... Hello I get "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." when I double-click a file. I'm the only owner of the computer. How to get full access to all contents? |
#48
|
|||
|
|||
How to get full access to all contents?
I became a member of the workgroup "WORKGROUP", renamed my computer to "ME",
scheduled a cmd prompt to open, tried to decrypt the file in the cmd prompt and got the "Access denied" response. "Roger Abell" wrote in message ... While logged in as an admin schedule a cmd prompt to open in a couole minutes using task scheduler. When the cmd prompt opens, it is running as System (which is the local identity known to the domain as machinename$). There is no way I know of to actually log in as that account, as you do not know the password. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... Importing the saved key didn't help. How to logon to the "ME$(ME$@workgroup)" account? "Roger Abell" wrote in message ... NG list trimmed to security_admin Have you yet tried importing the key that was saved into an account ? When doing this, it will give you the option to have it prompt you whenerver it is used, or to just do it. You must select for it to just do it without prompting. Account names like ME$ are usually the machine account that represents the machine as a member in the domain. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I haven't removed any account. Isn't the "ME$(ME$@workgroup)" a user account? I used not the cipher, but "Encryption Details for" the file window in "Advanced Attributes" of the file window. I saved a Private key to a .pfx file before I was joined the domain and my computer was renamed by the domain administrators. "Roger Abell" wrote in message ... You may own the machine and the files may be yours, but if it is encrypted and you cannot prove to the system that you are supposed to be able to decrypt it then it will not let you. The only way to prove that you are supposed to be able to access the EFS encrypted file is to use an account that has loaded into it the decryption key that corresponds to the certificate that was used to encrypt the file. When you renamed the machine, apparently starting down the road of denied access, something seems to have removed that capability. When you used cipher to look at the file it said that there was no user account allowed to decrypt it, instead indicating the machine was allowed to decrypt it. That, assuming you have reported accurately what you saw, is something with which I am unfamiliar, either as to why it got that way or how to get out of that situation. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... This is my file. I'm the only computer owner. "Roger Abell" wrote in message ... code 5 is probably access failure in this case since you do not have EFS capability to decrypt you are not allowed to modify who can decrypt -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I tried to add myself and/or another user to "Users Who Can Transparently Access this File" and got an error "ERSADU Error in adding new user(s). Error code 5." "Roger Abell" wrote in message ... When you look at the file's properties Security dialog is anything checked for any group in the Deny column ? You must highlight each group listed one at a time and then look at what is Granted/Denied. An account that is only in Administrators group is actually also in other things to which there can be NTFS Grants/Denies, like Authenticated Users, Network, Interactive, Everyone. . . . Not having EFS authorization appears as if it is a NTFS permissions denial. You should use the cipher commandline utility to examine the thumbprint info of the file to see what accounts are allowed to decrypt it. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... How to become sure that there is no Deny for any group. The file is EFS protected. But I can open other EFS protected files. "Roger Abell" wrote in message ... This means that you have full control and it is inherited from some higher directory. Are you sure that there is no Deny for some group, and if there is make sure your account is not a member of the group. Deny overrides a Grant. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... I'm the Owner of the file and have full access, but the "Effective permissions" are all checked and grayed for me. "Kelly" wrote in message ... Without knowing more, see if this helps: EXE and LNK Fix for Windows XP - Line 12 http://www.kellys-korner-xp.com/xp_tweaks.htm To use the Regedit: Save the REG File to your hard disk. Double click it and answer yes to the import prompt. REG files can be viewed in Notepad by right clicking on the file and selecting Edit. -- All the Best, Kelly MS-MVP Win98/XP [AE-Windows® XP] Troubleshooting Windows XP http://www.kellys-korner-xp.com Top 10 Frequently Asked Questions and Answers http://www.kellys-korner-xp.com/top10faqs.htm "Dmitriy Kopnichev" wrote in message ... Hello I get "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." when I double-click a file. I'm the only owner of the computer. How to get full access to all contents? |
#49
|
|||
|
|||
How to get full access to all contents?
The efsinfo.exe says:
Users who can decrypt: NT AUTHORITY\SYSTEM (ME$(ME$@WORKGROUP)) What account can decrypt the file? "Roger Abell" wrote in message ... NGs trimmed to security_admin But what does cipher say ? The same ? For the file to have an associated recovery agent of Administrator it seems you had to have configured a recovery agent (in XP). Was this machine a clean install or an upgrade from W2k ?? -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... "Data Recovery Agents For This File As Defined By Recovery Policy" is "Administrator" is written in "Encryption Details for" the file window in "Advanced Attributes" window. "Roger Abell" wrote in message ... I believe that we earlier resolved that it is not an NTFS permissions issue. Administrator is a recovery agent only in Windows 2000. Windows XP has no recovery agent until one is configured or the machine is joined to an Active Directory. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA "Dmitriy Kopnichev" wrote in message ... "the following people can decrypt an encrypted file. Any user who was designated as a recovery agent" is written in the http://support.microsoft.com/default...&Product=winxp The user who was designated as a recovery agent is the Administrator. I tried to decrypt the file under the Administrator account and got the same error message "Error Applying Attributes An error occurred applying attributes to the file: Path:\Filename Access is denied" "Michael Solomon (MS-MVP Windows Shell/User)" wrote in message ... I don't know if you've seen this or if it will help but you might want to have a look at the following Knowledge Base Article: http://support.microsoft.com/default...&Product=winxp -- Michael Solomon MS-MVP Windows Shell/User Backup is a PC User's Best Friend DTS-L.Org: http://www.dts-l.org/ "Dmitriy Kopnichev" wrote in message ... The fixes didn't help. "Kelly" wrote in message ... Without knowing more, see if this helps: EXE and LNK Fix for Windows XP - Line 12 http://www.kellys-korner-xp.com/xp_tweaks.htm To use the Regedit: Save the REG File to your hard disk. Double click it and answer yes to the import prompt. REG files can be viewed in Notepad by right clicking on the file and selecting Edit. -- All the Best, Kelly MS-MVP Win98/XP [AE-Windows® XP] Troubleshooting Windows XP http://www.kellys-korner-xp.com Top 10 Frequently Asked Questions and Answers http://www.kellys-korner-xp.com/top10faqs.htm "Dmitriy Kopnichev" wrote in message ... Hello I get "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." when I double-click a file. I'm the only owner of the computer. How to get full access to all contents? |
Thread Tools | |
Display Modes | |
|
|