Microsoft KB Archive/290260

= EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset =

Article ID: 290260

Article Last Modified on 3/27/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition

-



This article was previously published under Q290260





SYMPTOMS
After you reset the password of an account on a Windows XP-based computer that is joined to a workgroup, you may lose access to the user's:
 * Web page credentials.
 * File share credentials.
 * EFS-encrypted files.
 * Certificates with private keys (signed or encrypted e-mail).



CAUSE
This issue can occur if the password was forcibly reset by an administrator or owner, instead of being changed by the user.



RESOLUTION
NOTE: For any of the following resolutions to work, the user's original account must still exist, and the user's profile must be present and unchanged since the user last had access to the data.

To recover all of the data, you must have one of the following:
 * The original password. This is the password with which the user last logged on successfully and was able to access their credentials and files.
 * Password Recovery Disk (PRD). This password recovery disk must have been created while the user had access to the files.

To Completely Recover By Using the Original Password

 * 1) Log on to the computer as the user with the current password.
 * 2) Click Start, and then click Control Panel.
 * 3) In Control Panel, click User Accounts.
 * 4) Click your user name.
 * 5) Click Change my password.
 * 6) Follow the instructions to change the password back to your original password.
 * 7) Restart your computer.

To Completely Recover By Using the Password Recovery Disk

 * 1) If you are logged on, log off the computer.
 * 2) Attempt to log on as the user, and deliberately type an incorrect password.
 * 3) Click Use your password reset disk.
 * 4) Follow the instructions in the wizard.
 * 5) Log on, and note that you have access to your files.

Recovering Access to Encrypted EFS Data
If you have encrypted some of your files by using the Encrypting File System (EFS), you have additional options to recover access to those encrypted files. The following provisions apply only to EFS encrypted files, and will not recover access to saved credentials or certificates.

If you have previously exported the user's EFS private key from the user's account, you may import the key back into the account and recover access to the encrypted files.

If you did not export the private key and you have defined a Data Recovery Agent (DRA) prior to encrypting the files, you may regain access to EFS files as the Data Recovery Agent. For additional information about how to recover data in this case, click the article number below to view the article in the Microsoft Knowledge Base:

255742 Methods for Recovering Encrypted Data Files

If you do not have the required items or information specified for the preceding recovery solutions, the data is permanently encrypted, and cannot be recovered.



STATUS
This behavior is by design.



MORE INFORMATION
The behavior that is described in this article is a security measure that protects the user's private information. An administrator who can reset a user's password, and thereby gain access to the user's account, still cannot access that user's encrypted files or authentication material without the user's knowledge or permission.
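The mechanism behind the CAUSE section and the two recovery procedures above, shown as an added, simplified model: the user's secrets are sealed under a key derived from the password, so a user-initiated change re-seals them, an administrator reset does not, and recovery means getting the original password (or an escrow on a reset disk) back in front of the sealed blob. This is illustrative code written for this page, not Microsoft's implementation; the KDF, the XOR-plus-HMAC key wrap, and the reset-disk escrow design are constructed stand-ins for what Windows actually does.

```python
# Added, simplified model of password-derived key protection, the idea behind the
# behaviour this article describes; it is not Windows' DPAPI/EFS code. Constructed
# choices: PBKDF2-HMAC-SHA256 as the KDF, XOR plus an HMAC tag as the key wrap, and
# a reset disk that escrows the master key under a random secret kept on the disk.
import os, hmac, hashlib

def _kek(secret: bytes, salt: bytes, n: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000, n)

def wrap(key: bytes, secret: bytes) -> dict:
    salt = os.urandom(16)
    kek = _kek(secret, salt, len(key))
    body = bytes(a ^ b for a, b in zip(key, kek))
    return {"salt": salt, "body": body, "tag": hmac.new(kek, body, "sha256").digest()}

def unwrap(blob: dict, secret: bytes):
    kek = _kek(secret, blob["salt"], len(blob["body"]))
    if not hmac.compare_digest(hmac.new(kek, blob["body"], "sha256").digest(), blob["tag"]):
        return None                              # wrong secret: the key stays sealed
    return bytes(a ^ b for a, b in zip(blob["body"], kek))

class Account:
    def __init__(self, password: str):
        self.verifier = password                 # stands in for the logon password check
        self.master_key = os.urandom(32)         # protects EFS keys and saved credentials
        self.blob = wrap(self.master_key, password.encode())
        self.escrow = None                       # set when a reset disk is created
    def user_changes_password(self, old: str, new: str) -> bool:
        if old != self.verifier:
            return False
        key = unwrap(self.blob, old.encode())    # old password unseals the key: re-wrap it
        if key is not None:
            self.blob = wrap(key, new.encode())
        self.verifier = new                      # otherwise the blob stays sealed as it was
        return True
    def admin_resets_password(self, new: str) -> None:
        self.verifier = new                      # blob untouched: still sealed under the old password
    def create_reset_disk(self) -> bytes:
        disk_secret = os.urandom(32)             # what the disk itself would hold
        self.escrow = wrap(self.master_key, disk_secret)
        return disk_secret
    def use_reset_disk(self, disk_secret: bytes, new: str) -> bool:
        key = unwrap(self.escrow, disk_secret) if self.escrow else None
        if key is not None:
            self.blob, self.verifier = wrap(key, new.encode()), new
        return key is not None
    def logon(self, password: str):
        if password != self.verifier:
            return None                          # logon refused
        return unwrap(self.blob, password.encode())  # accepted, but the key may still be sealed
```

After `admin_resets_password`, `logon` with the new password succeeds but returns `None`, which is the symptom the article describes; changing the password back to the original, or using the reset disk, returns the master key again.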

Before being allowed to reset a password, an administrator or owner of the computer is prompted with the following messages:


 * Resetting this password might cause irreversible loss of information for this user account. For security reasons, Windows protects certain information by making it impossible to access if the user's password is reset.

The data loss will occur the next time the user logs off.

You should use this command only if a user has forgotten his or her password and does not have a password reset disk. If this user has created a password reset disk, then he or she should use that disk to set the password.

If the user knows the password and wants to change it, he or she should log in, then use the User Accounts in Control Panel to change the password.
 * You are resetting the password for user name. If you do this, user name will lose all EFS-encrypted files, personal certificates, and stored passwords for Web sites or network resources.

To avoid losing data in the future, ask user2 to make a password reset floppy disk.

To avoid data loss from a future password reset, create a password recovery disk and use it, rather than an administrator reset, to recover a forgotten password; users who know their password should change it themselves while logged on.

To create a password recovery disk:
 * 1) Click Start, and then click Control Panel.
 * 2) Click User Accounts.
 * 3) Click your user name.
 * 4) Click Prevent a forgotten password, and then follow the instructions in the wizard.
 * 5) Store the disk in a safe location.

NOTE: The Prevent a forgotten password button and the password recovery disk functionality are not available on computers that are joined to a domain.

EFS Related Information
241201 HOW TO: Back Up Your Encrypting File System Private Key in Windows 2000

Additional query words: gracefully data recovery agent dra

Keywords: kbenv kberrmsg kbprb kbtool KB290260

-


© Microsoft Corporation. All rights reserved.