You cannot remotely access encrypted files after you upgrade a Windows Server 2003 file server to Windows Server 2008
Consider the following scenario:
- You have a Windows Server 2003-based file server. Or, you have a prerelease Windows Server 2008-based file server.
- This file server hosts remotely encrypted files.
- You upgrade this file server to Windows Server 2008.
Access Denied
This issue does not occur if a user has interactively logged on to the file server before the upgrade.
This issue occurs because special user profiles are not migrated when a Windows file server is upgraded to Windows Server 2008. Therefore, when you try to access the encrypted files, the upgraded file server does not recognize the special profile. Then, the upgraded file server creates a new profile that has new EFS encryption keys. These new keys differ from the original keys. Therefore, you cannot access the previously encrypted files.
When a user encrypts a file that is stored on a Windows file server, the actual encryption of the file occurs on the file server. A special user profile is created on the Windows Server 2003-based file server. This special user profile is used to create and store the user's Encrypting File System (EFS) encryption keys. Afterward, every time that the user accesses the encrypted files on the file server, this special profile is loaded on behalf of the user, and the previously created encryption keys are used.
To resolve this problem, obtain the Post Upgrade EFS Recovery Tool from the Microsoft Download Center.
Note: The EFS Recovery Tool is not required when Windows Server 2003-based computers that have EFS files are upgraded in-place to Windows Server 2008 R2.
The following file is available for download from the Microsoft Download Center:
Download the Post Upgrade EFS Recovery Tool 1.0 package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
The EFS Recovery Tool scans the Profiles directory on the upgraded server for unregistered accounts that have EFS keys. If any accounts are found, the tool creates new profiles and copies the EFS keys to these new profiles. The tool then archives the unregistered profiles into the ~efs.000 file.
How to run the EFS Recovery Tool
You must run this tool from an elevated command prompt on the server. There are two switches that you can run together with EfsUpgRecoverAccts.exe:
Detect only. Scan for unregistered profiles to recover, but do not perform any recovery.
EfsUpgRecoverAccts /R > C:\Efsfix.log
The return code indicates the level of the issue that is encountered when you run the tool:
- 0: No warnings or errors reported.
- 1: Warning(s), please review the output.
- 2: Error(s), please review the output.
- 3+: A fatal error prevented the tool from completing.
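The following batch wrapper is an added example, not part of the original article or of the Microsoft tool. It runs the recovery command shown above and reports the return code by the levels listed. It assumes that EfsUpgRecoverAccts.exe is in the current directory or on the PATH and that the Server service is running (the elevation check relies on it); the exit code 99 is the wrapper's own.

```bat
@echo off
rem Added example: wrapper around the recovery command from this article.
rem Assumption: EfsUpgRecoverAccts.exe is in the current directory or on PATH.
setlocal
set "LOG=C:\Efsfix.log"

rem The tool must run elevated. "net session" fails with access denied
rem when the token is not elevated (assumes the Server service is running).
net session >nul 2>&1
if errorlevel 1 (
    echo Not elevated. Start an elevated command prompt and run this again.
    rem 99 is this wrapper's own code, chosen to stay clear of the tool's 0-3.
    exit /b 99
)

rem Same command as in the article; stderr is also captured so that
rem warnings and errors end up in the log that has to be reviewed.
EfsUpgRecoverAccts /R > "%LOG%" 2>&1
set "RC=%ERRORLEVEL%"

rem Map the return code to the levels documented in the article.
rem Any value other than 0, 1 or 2 is treated as a fatal error.
if %RC% EQU 0 (
    echo OK: no warnings or errors reported. Log: %LOG%
) else if %RC% EQU 1 (
    echo WARNING: review %LOG% before you retest remote access.
) else if %RC% EQU 2 (
    echo ERROR: review %LOG%. Some profiles may not have been recovered.
) else (
    echo FATAL: return code %RC%. The tool did not complete. Review %LOG%.
)

rem Pass the tool's return code on so that a scheduler or calling script
rem can act on it.
exit /b %RC%
```

Keep C:\Efsfix.log with the server's change records, because it is the record of which profiles the tool processed.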
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 948690 - Last Review: 09/17/2009 21:55:36 - Revision: 2.0
Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008