
There are many articles out there stating that a user's encrypted files are lost after an administrator resets the password of that user.

I tried:

  • Logged on as user (Domain User) with password 54321
  • Created a file named test.txt on the desktop
  • Encrypted the file using EFS (the certificate was automatically generated)
  • Logged off and logged on as Administrator
  • Opened Active Directory Users and Computers, reset the password of user to 12345
  • Logged off and logged on as user
  • Tried to open the file test.txt and it could be opened, which is not exactly what I expected

Is this expected behaviour? According to this post, the user should not be able to read their encrypted files anymore.

Can anyone explain to me why the post and the actual behavior on my system differ?
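A PowerShell check, added here as an example and not part of the question or its comments, that reproduces the test file setup and shows which certificates (the user's own and any recovery agent's) hold a key that can decrypt it; running it before and after the password reset makes visible whether the same EFS certificate is still usable. The file location is an assumption.

```powershell
# Added example (not from the question): reproduce the EFS test file and
# inspect which certificates can decrypt it. Run in the test user's session.
# Assumption: the file lives on the current user's desktop as test.txt.
$file = Join-Path ([Environment]::GetFolderPath('Desktop')) 'test.txt'
Set-Content -Path $file -Value 'EFS test content'   # constructed sample content

# Encrypt with EFS (same as Properties > Advanced > Encrypt contents).
cipher.exe /e $file | Out-Null

# Confirm the Encrypted attribute is actually set on the file.
$attrs = (Get-Item $file).Attributes
$isEncrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute set: $isEncrypted"

# Show which user certificates and recovery agent certificates can decrypt it.
cipher.exe /c $file

# List the EFS certificates in the user's personal store
# (EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Subject, Thumbprint, NotAfter
```

Compare the thumbprints from `cipher /c` with the ones listed from the personal store after the reset: if the file still opens, the listed certificate's private key is still usable in the user's profile.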

schroeder
TomS
  • I would repeat the test, but after logging off the user, perform a reboot to ensure everything loaded from that user is removed from RAM. Also make sure, for the pwd reset, not to use the admin on the first DC that has access to the EFS recovery agent key. – Robert Sep 24 '21 at 19:11
  • Did all that. Admin w/o DRK reset password of user using RSAT tools, on machine where that user never logged on. Admin logs on as that user (now knowing its password), admin can read encrypted file. – TomS Sep 27 '21 at 11:09
