EFS Recovery Agent Cannot Export Private Keys

Article ID: 259732 - View products that this article applies to.
This article was previously published under Q259732
Expand all | Collapse all

SYMPTOMS

When you attempt to perform encrypted data recovery, the "Export Private Key" section of the Certificate Export Wizard is either skipped completely, or the Yes, export the private key option within the "Export Private Key" screen is inactive and cannot be selected. The No, do not export the private key option is the only valid selection. If the option to export the private key is inactive, the following error message is displayed:
Note: The associated private key cannot be found. Only the certificate can be exported.
Typically, the option to export the private key at the "Export Private Key" section of the Certificate Export Wizard is available.
Back to the top | Give Feedback

CAUSE

This behavior can occur if the Administrator profile was overwritten with another user's profile. Users that belong to the local Administrator group can copy a user profile over another user's profile. This is typically done to replicate profiles with minimal effort. If this is done to the local Administrator profile, the computer no longer recognizes the administrator as a valid EFS Recovery Agent.

You may also experience this behavior if you made the request of the certificate server not to issue exportable certificates. The only way around this is to request a new certificate if you already have one issued.

IMPORTANT: Do not delete the existing certificate until all of the data has been un-encrypted and then re-encrypted.

NOTE: The default EFS Recovery Agent of a stand-alone Windows 2000 Professional-based computer that is not a member of a domain is local Administrator.
Back to the top | Give Feedback

RESOLUTION

To restore the Recovery Agent's private key, use one of the following methods:
  • Restore the administrator's user profile from a backup that was made before the administrator's profile was overwritten.
  • Restore the data from a backup that you made before the data was encrypted using EFS.
You must extract the private keys from an EFS Recovery Agent whose profile is not overwritten. If this is a stand-alone computer, no other Recovery Agents may be available. If there is no other Recovery Agent available and the EFS private key is not backed up, the data is not recoverable.
Back to the top | Give Feedback

MORE INFORMATION

For additional information about EFS in Windows 2000, click the article numbers below to view the articles in the Microsoft Knowledge Base:
241201
(http://support.microsoft.com/kb/241201/EN-US/ )
HOW TO: Back Up Your Encrypting File System Private Key in Windows 2000
255742
(http://support.microsoft.com/kb/255742/EN-US/ )
Methods for Recovering Encrypted Data Files
223316
(http://support.microsoft.com/kb/223316/EN-US/ )
Best Practices for Encrypting File System
242296
(http://support.microsoft.com/kb/242296/EN-US/ )
How to Restore an EFS Private Key for Encrypted Data Recovery
Additional EFS-related information is available at the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx
(http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx)
Back to the top | Give Feedback

Properties

Article ID: 259732 - Last Review: October 31, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbenv kberrmsg kbprb KB259732
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top