it was using EFS, for each of the users who had encrypted their files, there was a logon profile on the upgraded server . I dont know how this got their, but anyway if i gave them temporary logon rights to the server itself they could then decrypt the files as that user. It was something to do with them having a key??? (i dont know much about Encryption) under
%Appdata%\Roaming\Microsoft\SystemCertificates\My\Certificates (i think) which obviously didn't exist on their new profiles
thanks for the replies