Charles May said:
Patrick,
Wouldn't the OP be able to access the encrypted files by setting the
password back to the original one?
No, this does not work, and is a common misconception.
EFS (Encrypting File System) does not rely solely on the password, but on
account credentials, which are built from several inputs. You will not
duplicate the credentials by resetting the password.
You have to export the credentials at the time that you invoke encryption,
back them up and store them safely. Or, designate a recovery agent.
This is not a forgotten password but one that has expired.
Unfortunately that isn't a relevant difference.
If you change the password from outside the account, and do not have the
account credentials backed up or have a designated recovery agent, you will
instantly and permanently lose access to the encrypted data.
I'm only asking because if a user has encrypted files and they cannot be
recovered by setting their password back to the original if/when it
expires, why would the OS allow you to set the Password Expires bit in the
User settings when using encrypted files or folders?
User Beware.
It's the user's responsibility to educate themselves about EFS before
invoking it. There aren't safeguards. There is risk.
What you would do for the expired password is to import the backed-up
credentials after resetting the password. The problem is that many people
skip that step.
MS did a great job of making it easy to get strong encryption, but did not
do such a great job of wrapping up details around it, such as requiring
credential backup.
It's quite common for people to post questions about EFS, and unfortunately,
there are seldom happy stories attached to those questions.
HTH
-pk
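An added example, not from Patrick's post or from Microsoft: a PowerShell script that does the two things the reply calls for, backing up the EFS certificate and private key at the time encryption is first used, and re-importing that backup under the account after an administrative password reset. The cmdlets are from the standard Windows PKI module; the file paths are placeholders.

```powershell
# Added example (not from the thread): back up the EFS certificate and private key
# before relying on EFS, and restore it after an out-of-band password reset.
# Assumes Windows PowerShell 5.1+ with the PKI module (Export/Import-PfxCertificate).
# Paths and file names below are placeholders chosen for this example.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"

function Get-EfsCertificate {
    # The certificate whose private key unlocks this user's EFS-encrypted files.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Backup-EfsCredential {
    param([string]$Path, [securestring]$Password)
    $cert = Get-EfsCertificate
    if (-not $cert) { throw 'No EFS certificate found; encrypt a file first, then back up.' }
    # The PFX contains the private key (requires an exportable key, the EFS default).
    # Protect it with a strong password and keep it off the machine it was made on.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Restore-EfsCredential {
    param([string]$Path, [securestring]$Password)
    # Run while logged on as the account whose password was reset; once the key is
    # back in the user's personal store, the encrypted files open again.
    (Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My -Password $Password).Thumbprint
}

function Get-EfsEncryptedFiles {
    param([string]$Root)
    # Inventory of the files that become unreadable if the key is lost.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object -ExpandProperty FullName
}

# Usage (placeholder paths):
# $pw = Read-Host 'PFX password' -AsSecureString
# Backup-EfsCredential -Path 'D:\offline-backup\efs-key.pfx' -Password $pw
# Get-EfsEncryptedFiles -Root $env:USERPROFILE
# After an administrator resets the password:
# Restore-EfsCredential -Path 'D:\offline-backup\efs-key.pfx' -Password $pw
```

The backup only helps if it is taken before the reset; a PFX exported afterwards from the reset account no longer holds the key the files were encrypted to.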