How to get full access to all contents?

Dmitriy Kopnichev

The only user Name in "Users Who Can Transparently Access This File" in
"Encryption Details for" the file is "ME$(ME$@workgroup)". The "Recovery
Agent Name" is Administrator. "ME" was my computer name before renaming. The
renaming was made for joining the domain. "Workgroup" was my workgroup name.
There was not a Local user with "ME" name before joining the domain. The
error message is the same when I try to open the file under the Local
"Administrator" account. Importing a private key saved before joining the
domain hasn't helped.
 
Dmitriy Kopnichev

I encrypted the containing folder under local account "2" before renaming
the computer. The file was encrypted when it was placed in the folder under
local account "2" after renaming. The Private key was saved under local
account "2" too.
 
Ryan

Seems I am having the same problem, so are many people. They say that with
Encryption, if you don't have the right certificate, you are screwed. But
there must be a way, even if we get a hacker/cracker to do it???
Please e-mail me if you solve the problem!

Ryan
(e-mail address removed)
 
Dmitriy Kopnichev

Ok
Ryan said:
Seems I am having the same problem, so are many people. They say that with
Encryption, if you don't have the right certificate, you are screwed. But
there must be a way, even if we get a hacker/cracker to do it???
Please e-mail me if you solve the problem!

Ryan
(e-mail address removed)
 
Dmitriy Kopnichev

This is my file. I'm the only computer owner.
Roger Abell said:
code 5 is probably access failure
in this case since you do not have EFS capability to decrypt
you are not allowed to modify who can decrypt
 
Dmitriy Kopnichev

"the following people can decrypt an encrypted file.
Any user who was designated as a recovery agent" is written in the
http://support.microsoft.com/default.aspx?scid=kb;en-us;308993&Product=winxp
The user who was designated as a recovery agent is the Administrator. I
tried to decrypt the file under the Administrator account and got the same
error message "Error Applying Attributes
An error occurred applying attributes to the file:
Path:\Filename
Access is denied"
 
Michael Solomon (MS-MVP Windows Shell/User)

This sounds like a file ownership issue related to NTFS. Note, file
ownership and permissions supersede administrator rights. How you resolve
it depends upon which version of XP you are running.



XP-Home



Unfortunately, XP Home using NTFS is essentially hard wired for "Simple File
Sharing" at system level.

However, you can set XP Home permissions in Safe Mode. Reboot, and start
hitting F8, a menu should eventually appear and one of the
options is Safe Mode. Select it. Note, it will ask for the administrator's
password. This is not your administrator account, rather it is the
machine's administrator account for which users are asked to create a
password during setup.

If you created no such password, when requested, leave blank and press
enter.

Open Explorer, go to Tools and Folder Options, on the view tab, scroll to
the bottom of the list, if it shows "Enable Simple File Sharing" deselect it
and click apply and ok. If it shows nothing or won't let you make a change,
move on to the next step.

Navigate to the files, right click, select properties, go to the Security
tab, click advanced, go to the Owner tab and select the user that was logged
on when you were refused permission to access the files. Click apply and
ok. Close the properties box, reopen it, click add and type in the name of
the user you just enabled. If you wish to set ownership for everything in
the folder, at the bottom of the Owner tab is the following selection:
"Replace owner on subcontainers and objects," select it as well.

Once complete, you should be able to do what you wish with these files when
you log back on as that user.



XP-Pro



If you have XP Pro, temporarily change the limited account to
administrative. First, go to Windows Explorer, go to Tools, select Folder
Options, go to the View tab and be sure "Use Simple File Sharing" is not
selected. If it is, deselect it and click apply and ok.



If you wish everything in a specific folder to be accessible to a user,
right click the folder, select properties, go to the Security tab, click
Advanced, go to the Owner tab,
select the user you wish to have access, at the bottom of the box, you
should see a check box for "Replace owner on subcontainers and objects,"
place a check in the box and click apply and ok.

The user should now be able to perform necessary functions on files in the
folder even as a limited account. If not, make it an admin account again,
right click the folder, select Properties, go to the Security tab and be
sure the user is listed in the user list. If not, click add and type the
user name in the appropriate box, be sure the user has all the necessary
permissions checked in the permission list below the user list, click apply
and ok.

That should do it and allow whatever access you desire for that folder even
in a limited account.






--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/
 
Roger Abell

I believe that we earlier resolved that it is not an
NTFS permissions issue.
Administrator is a recovery agent only in Windows 2000.
Windows XP has no recovery agent until one is configured
or the machine is joined to an Active Directory.
 
Roger Abell

You may own the machine and the files may be yours,
but if it is encrypted and you cannot prove to the system
that you are supposed to be able to decrypt it then it will
not let you.

The only way to prove that you are supposed to be able
to access the EFS encrypted file is to use an account that
has loaded into it the decryption key that corresponds to
the certificate that was used to encrypt the file.

When you renamed the machine, apparently starting down
the road of denied access, something seems to have removed
that capability. When you used cipher to look at the file it
said that there was no user account allowed to decrypt it,
instead indicating the machine was allowed to decrypt it.
That, assuming you have reported accurately what you saw,
is something with which I am unfamiliar, either as to why it
got that way or how to get out of that situation.
 
Michael Solomon (MS-MVP Windows Shell/User)

I'm inclined to agree, Roger. Sometimes, however, when what is supposed to
work doesn't, it's worth a shot to try something that might be a cause but
isn't directly indicated. I didn't feel there was any harm in exploring the
option though I'm not sure if he can even take ownership of encrypted files.

That said, something he had said about changing the computer or workgroup
name, sorry I don't recall, triggered me to reconsider the possibility of a
file ownership issue.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/
 
Dmitriy Kopnichev

"Data Recovery Agents For This File As Defined By Recovery Policy" is
"Administrator" is written in "Encryption Details for" the file window in
"Advanced Attributes" window.
 
Dmitriy Kopnichev

I haven't removed any account.
Isn't the "ME$(ME$@workgroup)" a user account? I used not the cipher, but
"Encryption Details for" the file window in "Advanced Attributes" of the
file window. I saved a Private key to a .pfx file before I was joined to the
domain and my computer was renamed by the domain administrators.
 
Dmitriy Kopnichev

My account isn't a limited account, but administrative.
"Use Simple File Sharing" is disabled when joining a domain.
My account has full control over the file.
 
Dmitriy Kopnichev

Will I retain access to needed network folders if I rename my computer back
to ME (and click "Workgroup" in "Computer name changes" window) in "System
Properties" window? This might help get access to the file.
 
Roger Abell

NG list trimmed to security_admin

Have you yet tried importing the key that was saved into
an account? When doing this, it will give you the option
to have it prompt you whenever it is used, or to just do it.
You must select for it to just do it without prompting.
Account names like ME$ are usually the machine account
that represents the machine as a member in the domain.
 
Roger Abell

Sure, I understand, but we already covered that ground
back toward the beginning of this (? he has started so many)
thread.
 
Roger Abell

NGs trimmed to security_admin

But what does cipher say ? The same ?
For the file to have an associated recovery agent
of Administrator it seems you had to have configured
a recovery agent (in XP). Was this machine a clean
install or an upgrade from W2k ??
 
Dmitriy Kopnichev

How do I use cipher to find out who the "Data Recovery Agents" and the decrypter are?
This machine was a clean install.
Roger Abell said:
NGs trimmed to security_admin

But what does cipher say ? The same ?
For the file to have an associated recovery agent
of Administrator it seems you had to have configured
a recovery agent (in XP). Was this machine a clean
install or an upgrade from W2k ??

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
 
Dmitriy Kopnichev

Importing the saved key didn't help. How to logon to the
"ME$(ME$@workgroup)" account?
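
Added example, not part of any post in this thread: a PowerShell check of whether the certificate named on an EFS-encrypted file is present, with its private key, in the stores available to the current logon, which is the condition Roger Abell describes for decryption. It assumes the thumbprint is copied by hand from the "Certificate Thumbprint" column of the file's Encryption Details dialog; the value of `$FileThumbprint` below is a constructed placeholder.

```powershell
# Thumbprint shown for the file in "Encryption Details" (constructed placeholder).
$FileThumbprint = '0000 1111 2222 3333 4444 5555 6666 7777 8888 9999'

# Enhanced key usage OIDs relevant to EFS.
$EkuNames = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

# The dialog prints the thumbprint in spaced groups; the store holds bare hex.
$wanted = ($FileThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$found = $false
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        if ($cert.Thumbprint -ne $wanted) { continue }
        $found = $true

        # Collect the EFS-related usages from the certificate's EKU extension.
        $usages = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($EkuNames.ContainsKey($oid.Value)) { $usages += $EkuNames[$oid.Value] }
                }
            }
        }

        # HasPrivateKey must be True for this account to decrypt the file.
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            EfsUsages     = ($usages -join ', ')
            NotAfter      = $cert.NotAfter
        }
    }
}

if (-not $found) {
    # An imported .pfx with a different thumbprint is not the key pair the file was encrypted to.
    Write-Output "No certificate with thumbprint $wanted in the stores searched."
}
```

Taking ownership or holding Full Control on the file does not change the result of this check; only a matching certificate with `HasPrivateKey` set to True does.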
 
