Copying encrypted Files to Server

[PMatmlr]

Cannot copy encrypted files from Windows 2000 Professional systems to a Windows 2000 or 2003 server.
Receiving error message "cannot copy <filename>: Access is denied. The source file may be in use.".
The file owner is the owner of the share on the server, or has full access to the share.
Works fine copying to NT 4.0 or from an XP client.

Anyone have any ideas?
Thanks in advance!

 

[bcastner]

Odd.

Could you clairfy the above "The file owner is the owner of the share on the server, or has full access to the share."

This user is the CREATOR/Owner of the file in question. (He or she cannot be the "Owner" of the file share), albeit they may have full access.

. after that clarification two more questions:

. was the EFS file created under XP, or under Win2k? They are not the same thing
. If a file copy to NT 4 server occured, the file is no longer encrypted. If a file created on XP is copied with XP I expect no issues. If a file created on XP is copied using Win2k it is not altogether surprising that the copy fails, I believe.

 

[PMatmlr]

The file owner has full access to the destination share on the server. (Actually I'm testing, and I'm full admin on all systems and servers).

It doesn't matter where the file was created. We can't copy files that were created on the client, nor can we copy files that were created elsewhere and are now on the client in the encrypted area. It doesn't matter what version of anything (Windows, Office, WordPerfect, Adobe) the file was created, manipulated or stored in.

Once we have a file in an encrypted area of a Windows 2000 machine, we cannot copy it to a Windows 2000 or 2003 server.

Nuts - huh?

Yes - when a copy does succeed, the encryption is removed - as with a copy from 2k to NT, or from XP to any version of server.

 

[bcastner]

Domain Administrators are not the default recovery agent, and do not have the certificates to de-crypt the files.

You will need to logon as the creater/owner user, and either then do the copy, or export the recovery certificates and specify yourself as the recovery agent. You would then logon as yourself and import the certificate. You will then be able to perform the copy.

 

[PMatmlr]

Not sure what you mean with regard to the Domain Admins, but that is not who is logged on and owns the files. The user is who is logged on. They are an administrator of the client machine. I am not familiar with recovery certificates or agents either.

No one can copy a file from an encrypted Windows 2000 client to a Windows 2000 or 2003 server.

 

[bcastner]

Make this registry change:

http://support.microsoft.com/default.aspx?scid=kb;en-us;302093&sd=tech

EFS, recovery agents and certificate stores:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

http://www.msdn.microsoft.com/libra...ecure/html/WinNETSrvr-EncryptedFileSystem.asp

 

[PMatmlr]

Thanks bcastner. However - I checked all 3 of my W2K3 servers, and you'll never believe that not one had that key in the registry.

Any other ideas?

Do you have machines you can simulate this on?

 

[bcastner]

And your Win2k servers?

The important issue may not be the registry entry per se. It was the note: "Note that under typical circumstances (when this registry change has not been made), you cannot copy EFS encrypted files to another Windows 2000-based computer that has not been trusted for delegation. You receive the error message "Access is denied. The source file may be in use." This behavior is by design."

Review your Trust Relationships.

 

[PMatmlr]

I appologize - I just not saw that section.
I tried to set that for my server in the domain controller's AD, but do not have permission. I've asked the AD gods to set it for me.

I'll let you know if that is it.

Thanks a ton for all of your help with this. I truely appreciate it.

 

[bcastner]

EFS is confusing.

It does not help that they changed the encryption engine mid-stream for XP and made it incompatible with Win2k EFS:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329741&sd=tech