Precedence Technologies Ltd
Linton-EFS


EFS File Encryption

https://technet.microsoft.com/en-us/library/bb457116.aspx

"EFS must impersonate the user to obtain access to the necessary public or private key. This requires the following:

  • The computer must be a domain member in a domain that uses Kerberos authentication because impersonation relies on Kerberos authentication and delegation.
  • The computer must be trusted for delegation.
  • The user must be logged on with a domain account that can be delegated.

Note: Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with EFS."

When the decryption is done locally rather than remotely (i.e. after you import the recovery agent key into your personal certificate store), it is possible to decrypt the files.

The recovery agent keys (public and private, as a PFX file) have been exported to the itsupport share; the password to import them is in the Viewpoint database.

Command-line recursive decryption

cipher /D /S:E:\Staff\folder
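
The local recovery procedure above as one PowerShell session: an added example, not part of the original page. The PFX path is a placeholder (the page only says the file is on the itsupport share); the script checks that the imported certificate is a File Recovery certificate, runs the page's cipher command, lists anything still encrypted, and removes the recovery key from the store afterwards.

```powershell
# Added example. $PfxPath is a hypothetical placeholder; $Target is the folder from the page.
$PfxPath = '\\SERVER\itsupport\recovery-agent.pfx'
$Target  = 'E:\Staff\folder'
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" carried by EFS recovery agent certs

$password = Read-Host -AsSecureString -Prompt 'PFX import password'

# Import into the current user's Personal store. -Exportable is deliberately omitted,
# so the private key cannot be exported again from this profile.
$imported = @(Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $password)

try {
    # Find a certificate that has a private key and the File Recovery EKU.
    $agent = $imported | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
        $_.HasPrivateKey -and ($ekus -contains $FileRecoveryOid)
    } | Select-Object -First 1

    if (-not $agent) {
        throw 'Imported PFX has no private key with the File Recovery EKU; not a usable recovery agent key.'
    }
    Write-Host "Using recovery agent certificate $($agent.Thumbprint), expires $($agent.NotAfter)"

    # Recursive decryption, as on the page.
    cipher /D "/S:$Target"

    # Report anything that is still encrypted (for example, files not encrypted to this agent).
    $left = @(Get-ChildItem -Path $Target -Recurse -File -Force -Attributes Encrypted)
    if ($left.Count -gt 0) {
        Write-Warning "$($left.Count) file(s) still encrypted:"
        $left | ForEach-Object { Write-Warning $_.FullName }
    }
}
finally {
    # Do not leave the recovery private key in a user profile once the work is done.
    foreach ($c in $imported) {
        Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
    }
}
```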
Page last modified on January 03, 2018, at 09:36 AM by sborrill