Select the product you need help with

Unable to Recover Encrypted Files After the Domain Controller Is Demoted

Article ID: 276239 - View products that this article applies to.

This article was previously published under Q276239

SYMPTOMS

When a Windows-based computer that is a domain controller is demoted to a member server by using the Active Directory Installation wizard (Dcpromo.exe), you are unable to recover Encrypting File System (EFS)-encrypted documents.

Back to the top | Give Feedback

CAUSE

This issue can occur because the private key for the recovery agent for the local EFS-encrypted documents is lost during the demotion when the Security Accounts Manager (SAM) is recreated on that computer. You are unable to recover encrypted documents on this computer unless the recovery agent is changed to an existing domain account before encryption.

Back to the top | Give Feedback

RESOLUTION

To resolve this issue, use either of the following methods:

If you have previously exported the recovery agent's certificate, including the private key, reimport it.

-or-
Follow these steps:
1. Decrypt all documents on the local computer. If there are files that were encrypted by a different user account, they can only be decrypted when you log on as that user.
2. Log on as an administrator.
3. Start the Certificates snap-in, and then request a new personal certificate that is suitable to use with EFS.
4. Start the Local Security Policy snap-in, remove the administrator, and then reassign it as the system recovery agent.
5. Reencrypt all of the documents.

Back to the top | Give Feedback