EFS failures after upgrade to 2008

FYI (I haven't had time to finish the kerb posts, but here is an important FYI):

https://www.microsoft.com/downloads/details.aspx?FamilyID=fd786261-d278-40db-baf8-70f42d786223&displaylang=en

Overview

When a user encrypts a file stored on a Windows file server, the actual encryption of the file occurs on the server. To accomplish this, a special profile is created on the server in order to create and store an EFS (Encrypting File System) encryption key on behalf of the user. Thereafter, each time the user accesses their encrypted files on the server, this special profile is loaded on behalf of the user and the previously created encryption key is used.

Issue: These special user profiles are not migrated when a Windows file server is upgraded to Windows Server 2008. When a user attempts to access their encrypted files, the upgraded file server does not see a special profile for that user and therefore creates a new special profile with new EFS encryption keys. These new keys are different from the user's original keys, so decryption of previously encrypted files fails.

Go download the tool, which will update them properly.

The EFS Recovery Tool scans the Profiles directory on the upgraded server for unregistered accounts that have EFS keys. If any accounts are found, the tool creates new profiles and copies the EFS keys to these new profiles. The tool then archives the unregistered profiles into the ~efs.000 file.

How to run the EFS Recovery Tool

You must run this tool from an elevated command prompt on the server. There are two switches that you can use with EfsUpgRecoverAccts.exe:

/D
Detect only. Scan for unregistered profiles to recover, but do not perform any recovery.

/R
Perform recovery.
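As an added example (not part of the original post or of the Microsoft tool), here is a PowerShell wrapper that enforces the sequence an administrator would want: refuse to run unless elevated, run the detect-only pass (/D) first, keep a transcript of the output, and only run recovery (/R) after an explicit confirmation. The -ToolPath and -LogDir parameters and the log file name are assumptions of this script, not defined by the tool.

```powershell
# Added example: wrapper around EfsUpgRecoverAccts.exe. ToolPath and LogDir are
# hypothetical parameters chosen for this script; the /D and /R switches are the
# tool's own (detect only, perform recovery).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ToolPath = (Join-Path (Get-Location).Path 'EfsUpgRecoverAccts.exe'),
    [string]$LogDir   = (Join-Path $env:SystemRoot 'Temp\EfsRecovery')
)

# The tool must run from an elevated prompt; stop here if we are not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}
if (-not (Test-Path -LiteralPath $ToolPath)) {
    throw "EFS Recovery Tool not found at $ToolPath"
}

# Keep a record of both passes; recovery rewrites profiles, so the log matters.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path $LogDir "efs-recovery-$stamp.log") | Out-Null
try {
    # Step 1: detect only (/D). Nothing on the server is changed yet.
    Write-Host '== Detect-only pass (/D) =='
    & $ToolPath /D
    Write-Host "Detect pass finished with exit code $LASTEXITCODE"

    # Step 2: recovery (/R). Gated behind -WhatIf/-Confirm and a prompt, because it
    # creates new profiles and archives the unregistered ones into ~efs.000.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Run EfsUpgRecoverAccts.exe /R')) {
        $answer = Read-Host 'Review the detection output above. Run recovery (/R)? [y/N]'
        if ($answer -match '^[Yy]') {
            Write-Host '== Recovery pass (/R) =='
            & $ToolPath /R
            Write-Host "Recovery pass finished with exit code $LASTEXITCODE"
        } else {
            Write-Host 'Recovery skipped.'
        }
    }
}
finally {
    Stop-Transcript | Out-Null
}
```

Run it once with -WhatIf to see only the detect pass, then again without it when you are ready to recover.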

spat