Using another user’s EFS Certificate

Tags: encrypting-file-system, windows-server-2008-r2

On a domain-joined computer, can you encrypt a folder using EFS, then export your certificate/private key, then log in as another user and import it to view the encrypted files? I have tried this and failed, but may be doing it wrong. Does it fail because the CN of the certificate is registered for only one user?

Any way to do this machine-wide? I.e. import into the machine's certificate store and allow all users to view this file?

There is no AD Certificate Authority on the Domain.

Thanks

Best Answer

After setting up a test VM environment, I determined the following.

To view EFS encrypted files, YOUR personal EFS store must contain the PRIVATE key of the certificate created by the user who encrypted the file, OR the private key of the Recovery Agent certificate.

You cannot import the private key into the machine's certificate store as this only gives the SYSTEM account access.

You can use the command cipher /c filename.txt to determine who encrypted the file and the thumbprint of the certificate whose private key you will need to export.

To retrieve the private key of the user, log in as the user who encrypted the file and use Start -> Run -> mmc -> Certificates -> export with private key.

To retrieve the private key of the Domain Recovery Agent, log in to the domain controller and do the same: Start -> Run -> mmc -> Certificates -> Personal -> find the Domain Recovery certificate -> export private key.

Then take this .pfx file and import it on the machine in question while logged in as the user you want to have access.

Just as a note, this was tested in a domain environment that does not have PKI/CA. With a PKI/CA things are probably a lot easier.

Hope this helps someone.
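The procedure in the answer above (find the thumbprint with cipher /c, export the private key as the encrypting user, import it into the reading user's personal store), scripted in PowerShell as an added example that is not part of the original answer. The file path, PFX path and password are constructed placeholders; the parsing assumes the English-language output format of cipher.exe on Windows 7 / Server 2008 R2, and the export step assumes the EFS certificate's private key is exportable (the self-signed EFS certificates Windows generates for a user are). Only .NET X509 types are used, so no PKI module is required.

```powershell
# Added example, not from the original post. Constructed values:
$EncryptedFile = 'C:\Shared\secret.txt'       # file to be read by another user
$PfxPath       = 'D:\transfer\alice-efs.pfx'  # where the exported key is dropped
$PfxPassword   = Read-Host -AsSecureString 'PFX password'

function Get-EfsThumbprints {
    # Run 'cipher /c' and return every certificate thumbprint listed under
    # "Users who can decrypt" and "Recovery Certificates". One of these must be
    # present, with its private key, in the reader's CurrentUser\My store.
    # Assumes English cipher.exe output; other locales label the line differently.
    param([Parameter(Mandatory = $true)][string]$Path)
    $thumbs = @()
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        if ("$line" -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            $thumbs += ($matches[1] -replace '\s', '').ToUpper()
        }
    }
    return $thumbs
}

function Export-EfsPrivateKey {
    # Run as the user who encrypted the file (or on the DC for the Domain
    # Recovery Agent certificate). Writes a password-protected PFX containing
    # the certificate and its private key.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$OutFile,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $cert = Get-Item ("Cert:\CurrentUser\My\" + $Thumbprint)
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint is in CurrentUser\My but has no private key here"
    }
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($OutFile, $cert.Export($pfxType, $Password))
}

function Import-EfsPrivateKey {
    # Run as the user who needs to read the files. The key is imported into that
    # user's own Personal store (CurrentUser\My); importing into LocalMachine\My
    # would only make it usable by SYSTEM, as the answer notes.
    param(
        [Parameter(Mandatory = $true)][string]$InFile,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($InFile, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-EfsReadable {
    # EFS surfaces a missing decryption key as an access-denied error on open.
    param([Parameter(Mandatory = $true)][string]$Path)
    try { [void][System.IO.File]::ReadAllBytes($Path); return $true } catch { return $false }
}

# Step 1 (any user with read access to the directory): who can decrypt the file?
$thumbs = Get-EfsThumbprints -Path $EncryptedFile
Write-Host "Certificates that can decrypt $EncryptedFile : $($thumbs -join ', ')"

# Step 2 (as the encrypting user): export the first listed certificate's key.
# Export-EfsPrivateKey -Thumbprint $thumbs[0] -OutFile $PfxPath -Password $PfxPassword

# Step 3 (as the user who should gain access): import, then verify the
# imported thumbprint is one the file's metadata lists and the file opens.
# $imported = Import-EfsPrivateKey -InFile $PfxPath -Password $PfxPassword
# if ($thumbs -notcontains $imported) { throw "Imported key $imported does not match this file" }
# Test-EfsReadable -Path $EncryptedFile   # expect True after the import
```

Steps 2 and 3 are left commented because they run under two different accounts. The PFX holds the private key that decrypts everything that user ever encrypted, so move it over a path with restricted permissions and delete it once the import succeeds; the check against the cipher /c thumbprints is there because a PFX for the wrong certificate imports without error but leaves the file unreadable.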
