Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
You cannot remotely access encrypted files after you upgrade a Windows Server 2003 file server to Windows Server 2008
Article ID: 948690 - View products that this article applies to.
Consider the following scenario:
This issue does not occur if a user has interactively logged on to the file server before the upgrade.
This issue occurs because special user profiles are not migrated when a Windows file server is upgraded to Windows Server 2008. Therefore, when you try to access the encrypted files, the upgraded file server does not recognize the special profile. Then, the upgraded file server creates a new profile that has new EFS encryption keys. These new keys differ from the original keys. Therefore, you cannot access the previously encrypted files.
When a user encrypts a file that is stored on a Windows file server, the actual encryption of the file occurs on the file server. A special user profile is created on the Windows Server 2003-based file server. This special user profile is used to create and store your Encrypting File System (EFS) encryption keys. Afterward, every time that a user accesses the encrypted files on the file server, this special profile is loaded on behalf of the user. The previously created encryption keys are used.
To resolve this problem please obtain the Post Upgrade EFS Recovery Tool from the Microsoft Download Center.
Note The EFS recovery Tool is not required when Windows Server 2003-based computers that have EFS files are upgraded in-place to Windows Server 2008 R2.
The following file is available for download from the Microsoft Download Center:
Download the Post Upgrade EFS Recovery Tool 1.0 package now.
Collapse this imageExpand this image
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
(http://support.microsoft.com/kb/119591/ )How to obtain Microsoft support files from online services
The EFS Recovery Tool scans the Profiles directory on the upgraded server for unregistered accounts that have EFS keys. If any accounts are found, the tool creates new profiles and copies the EFS keys to these new profiles. The tool then archives the unregistered profiles into the ~efs.000 file.
How to run the EFS Recovery ToolYou must run this tool from an elevated command prompt on the server. There are two switches that you can run together with EfsUpgRecoverAccts.exe:
EfsUpgRecoverAccts /R > C:\Efsfix.logThe return code indicates the level of the issue that is encountered when you run the tool:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.