Access denied to EFS encrypted files after PC joins domain

Posted by mjmarsh on Server Fault
Published on 2013-01-15T19:44:19Z Indexed on 2014/05/28 21:34 UTC


I'm experiencing strange behavior with Windows Encrypted File System:

  1. I have a machine that is in workgroup mode (not joined to a domain).
  2. I encrypt an entire directory structure on the machine (basically a folder and subfolders with data files for my application).
  3. My application writes and reads files from the encrypted file hierarchy as a local Windows user (let's call the account 'SecureUser'). This works fine.
  4. I then join the PC to a domain (let's call it 'TEST').
  5. Afterwards, processes running as the local 'SecureUser' account can't read the files it wrote originally when it was off the domain. (What is also strange is that the files are listed as "read only" now, and I cannot unset this flag via Windows Explorer or the command line, even though it looks like it succeeds.)
  6. I then un-join the PC from the domain and everything works again.

Is there something about changing domain membership on a PC that changes the behavior of EFS so that previously encrypted files cannot be read, even by the originating user?

Thanks in advance
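The steps above can be turned into something comparable by capturing the same facts on both sides of the join: which SID the process runs as, whether each file still carries the Encrypted and ReadOnly attributes, and which certificates `cipher /c` says can decrypt each file. The PowerShell below is an added example and is not part of the Server Fault post; the folder path, the output file names and the `SecureUser` account are placeholders taken from the question.

```powershell
# Added diagnostic example (not from the post). Take an EFS snapshot of a
# folder tree as the account that owns the data, once before the domain join
# and once after, then diff the two. Run both snapshots as 'SecureUser'.

function Get-EfsSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Root   # encrypted application folder (placeholder path)
    )

    # EFS ties key material to the user identity; record the SID so that an
    # identity change between the two snapshots is visible at a glance.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $files = Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $attr = $_.Attributes
        # cipher.exe /c lists the users (certificate thumbprints) and recovery
        # agents that can decrypt this particular file.
        $cipherOut = (& cipher.exe /c $_.FullName 2>&1 | Out-String).Trim()
        [pscustomobject]@{
            Path       = $_.FullName
            Encrypted  = [bool]($attr -band [IO.FileAttributes]::Encrypted)
            ReadOnly   = [bool]($attr -band [IO.FileAttributes]::ReadOnly)
            Owner      = (Get-Acl -Path $_.FullName).Owner
            CipherInfo = $cipherOut
        }
    }

    [pscustomobject]@{
        Taken        = (Get-Date).ToString('o')
        UserName     = $who.Name
        UserSid      = $who.User.Value
        ComputerName = $env:COMPUTERNAME
        # PartOfDomain flips to True once the join has taken effect.
        PartOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        Files        = @($files)
    }
}

function Compare-EfsSnapshot {
    param(
        [Parameter(Mandatory)] $Before,   # object produced by Get-EfsSnapshot (or loaded from JSON)
        [Parameter(Mandatory)] $After
    )
    if ($Before.UserSid -ne $After.UserSid) {
        Write-Warning "User SID changed: $($Before.UserSid) -> $($After.UserSid)"
    }
    $afterByPath = @{}
    foreach ($f in $After.Files) { $afterByPath[$f.Path] = $f }

    foreach ($b in $Before.Files) {
        $a = $afterByPath[$b.Path]
        if (-not $a) { Write-Warning "Missing after join: $($b.Path)"; continue }
        if ($b.ReadOnly -ne $a.ReadOnly) {
            Write-Warning "ReadOnly changed on $($b.Path): $($b.ReadOnly) -> $($a.ReadOnly)"
        }
        if ($b.Encrypted -ne $a.Encrypted) {
            Write-Warning "Encrypted attribute changed on $($b.Path): $($b.Encrypted) -> $($a.Encrypted)"
        }
        if ($b.CipherInfo -ne $a.CipherInfo) {
            Write-Warning "EFS principals changed on $($b.Path)"
            Write-Output "BEFORE:`n$($b.CipherInfo)`nAFTER:`n$($a.CipherInfo)"
        }
        # The real test: open the file for read as the current user. EFS reports
        # 'Access is denied' when no certificate in the user's store matches.
        try {
            $stream = [IO.File]::OpenRead($a.Path)
            $stream.Dispose()
        } catch {
            Write-Warning "Cannot read $($a.Path): $($_.Exception.Message)"
        }
    }
}

# Usage (placeholder paths). Before the join, as SecureUser:
#   Get-EfsSnapshot -Root 'C:\AppData\Secure' | ConvertTo-Json -Depth 5 | Set-Content before.json
# After the join, as SecureUser again:
#   Get-EfsSnapshot -Root 'C:\AppData\Secure' | ConvertTo-Json -Depth 5 | Set-Content after.json
#   Compare-EfsSnapshot -Before (Get-Content before.json -Raw | ConvertFrom-Json) `
#                       -After  (Get-Content after.json  -Raw | ConvertFrom-Json)
```

If the SIDs match but the `cipher /c` thumbprints on the files are no longer present in the user's personal store (`certutil -user -store My` lists what the account currently holds), the mismatch is between the file's key material and the certificates the account can reach after the join; if the SIDs differ, the process is not running as the same local account it was before. Either way the two snapshots give the concrete evidence a domain or PKI administrator would ask for before changing anything.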

