I have a Virtual Machine running on my Windows Server 2008 computer that originally was received by me encrypted, as the builder of the VM did it on a Mac, which decrypts files by default.

I never thought to decrypt these files, as they automatically 'decrypt' when you have permission over them, so the VM has been running for over a year despite the encryption.

I just upgraded my computer to Domain Controller (dcpromo.exe).

Now when I try to access/run the VM, I can't because I don't have permission to decrypt the files as that was on another logon (local administrator) and now I am the domain administrator.

Apparently the local admin is totally nuked when you upgrade to domain controller.

I have tried EVERYTHING -

  • Taking ownership of the files, which works. Doesn't do anything for me.
  • Adding full control to everyone on the files.
  • I go to File Properties > Advanced > Details (under encryption) > Users who can access this file. The only user is administrator@localcomputername, and there is a cert number. I try adding a new cert, I don't have permission.

I don't have permission to:

  • Decrypt the file (access is denied).
  • Copy the file (to another computer) - access denied.

I am totally stumped and this VM is a production machine and needs to get up right now.

Does anyone have any ideas?

  • 4
    It is possible to recover encrypted files, but you need your account keys. If you can get the SID of the old account, you may be able to duplicate the account, but it is easier if you can restore the account and associated files itself. Are there any backups of either the VM’s files or guest OS’s files? Make sure to check for backups of both.
    – Synetech
    Commented Nov 12, 2013 at 1:23
    This is probably one of the reasons why I never trust a Microsoft VM ....
    – user218473
    Commented Nov 17, 2013 at 15:06
    You probably need to tell us more details about the encryption, as it is not supported officially. technet.microsoft.com/en-us/library/cc742509.aspx
    – user218473
    Commented Nov 17, 2013 at 15:16
    Try reading this and see if it helps: support.microsoft.com/kb/276239
    – user218473
    Commented Nov 17, 2013 at 15:22

2 Answers


On Windows systems using EFS encryption, files are encrypted using a symmetric random password. Those passwords are encrypted using a local user certificate. In order to access those certificates you need the local user password. Generally speaking, the user accounts are not deleted but renamed, so if you're able to export the encryption certificate from the original account and import that into the new one you should be able to access the encrypted files. Most of the technical info that you need is here: encrypted file system recovery. The other way is by using a commercial product, but again it won't work without the certificates, so be sure you have them before buying! I've used Advanced EFS Recovery a long time ago and it searched for the certificates on the disk and decrypted the files. EFS Recovery

Hope that helps!

  • 3
    Even if the old account is truly deleted, it should be possible to recover it (and its certificates) from a system backup, right? Commented Nov 16, 2013 at 21:18
  • 1
    It depends on what you are backing up
    – DrNoone
    Commented Nov 18, 2013 at 19:24

When you install Active Directory, it does not remove the local accounts. The local SAM database (Security Accounts Manager) is left intact - it is just not used any more.

If you boot the machine into Directory Services Restore Mode (DSRM) by tapping F8 during the boot (or maybe even in Safe mode), then the AD database is not used and the local SAM DB is used instead. In this case, you may still be able to use the old local administrator account and decrypt your files.

If this doesn't work, the old EFSDump utility, available as a free download, might still function on your platform. If it does, it will tell you which user accounts, besides the original owner, can decrypt the file. Another such utility is Efsinfo from the Microsoft Windows Resource Kit.

  • It sounds like you’re saying that the local administrator can decrypt all EFS-encrypted files, even if not listed as an authorized accessor. Is that what you’re saying? Because it’s a little shocking, if true. Commented Nov 16, 2013 at 21:20
  • 1
    Yes, EFS doesn't distinguish between the user who originally encrypted a file and the recovery agent. The idea is to have one nominated account that can deal with encrypted files stuck in public shares. Each encrypted file has one unique key which is however encrypted twice, for the owner and for the recovery agent. Unfortunately both accounts were the same in your case. At least the above utilities might give some useful account names which will aid in reviving the local admin. You may find more info for example in the article Decrypting EFS.
    – harrymc
    Commented Nov 16, 2013 at 21:40
  • See my edit above.
    – harrymc
    Commented Nov 17, 2013 at 12:46
  • 1) I can confirm the last part about local admin still being available (albeit disabled) until you boot in safe mode (F8). 2a) OP: Since this is a production machine you do have backups? Right? 2b) Running apps on a DC is a bad idea. Leave the DC clean. If needed put the DCs on very low spec hosts, or even in a VM, but do not do anything which worsens the security of a DC. That is a really really bad idea.
    – Hennes
    Commented Nov 17, 2013 at 13:08
    Also, while risking sounding like a broken record (for the modern generation: "like a Nyan cat loop"): For a production node make an entry in the emergency recovery document and test those steps.
    – Hennes
    Commented Nov 17, 2013 at 13:11
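The first answer describes the EFS key model (a per-file symmetric key wrapped with the user's certificate) and recommends exporting that certificate before the account goes away; the second answer and its comments add that the same file key is wrapped a second time for the recovery agent, so a file is orphaned only when every listed decryptor is an account that is about to stop being usable. The following PowerShell script is an added example, not code from either answerer or from Microsoft: it audits EFS-encrypted files under a folder, parses `cipher.exe /c` to list who can decrypt each one, checks whether the running account holds a matching private key, and flags files whose only decryptors are local accounts with no recovery agent. The folder path and backup path are placeholders, the EFS Enhanced Key Usage OID is the documented 1.3.6.1.4.1.311.10.3.4, and the "Users who can decrypt:" / "Certificate thumbprint:" layout of the `cipher /c` output is assumed from that tool's format and should be checked against the output on your own host.

```powershell
# Added example, not code from the Super User thread. Audits EFS-encrypted
# files under $Root and reports who can decrypt each one, so that an account
# about to be retired (e.g. the local Administrator before dcpromo) is noticed
# while its certificate can still be backed up. Assumes cipher.exe (built into
# Windows Vista / Server 2008 and later) and PowerShell 2.0 or later.
param(
    [string]$Root      = "C:\VMs",                      # assumed VM folder (placeholder)
    [string]$KeyBackup = "$env:USERPROFILE\efs-keys"    # assumed .pfx backup path (placeholder)
)

$efsOid = "1.3.6.1.4.1.311.10.3.4"   # Enhanced Key Usage OID for EFS certificates

# Thumbprints of EFS certificates with a private key in the current user's store.
$myThumbs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid }) } |
    ForEach-Object { $_.Thumbprint.ToUpper() })

function Get-EfsAccess {
    # Parse "cipher /c <file>". The "Users who can decrypt:" and
    # "Recovery certificates:" sections each list an account line followed by
    # a "Certificate thumbprint: XXXX XXXX ..." line (layout assumed; verify
    # against your host's cipher output).
    param([string]$Path)
    $section = $null; $account = $null
    $users = @(); $agents = @()
    foreach ($raw in (& cipher.exe /c $Path 2>&1)) {
        $line = "$raw".Trim()
        if ($line -like "Users who can decrypt*")   { $section = "users";  continue }
        if ($line -like "Recovery certificates*")   { $section = "agents"; continue }
        if ($line -like "No recovery certificate*") { $section = $null;    continue }
        if ($line -like "Key information*")         { $section = $null;    continue }
        if (-not $section -or $line -eq "")          { continue }
        if ($line -like "Certificate thumbprint:*") {
            $thumb = (($line -split ":", 2)[1] -replace "\s", "").ToUpper()
            $entry = New-Object PSObject -Property @{ Account = $account; Thumbprint = $thumb }
            if ($section -eq "users") { $users += $entry } else { $agents += $entry }
            $account = $null
        } else {
            $account = $line   # e.g. "SERVER1\Administrator [Administrator(Administrator@SERVER1)]"
        }
    }
    New-Object PSObject -Property @{
        Path           = $Path
        Users          = $users
        RecoveryAgents = $agents
        # The running account can open the file only if one of the listed
        # thumbprints sits in its own store together with the private key.
        CanDecrypt     = [bool](($users + $agents) | Where-Object { $myThumbs -contains $_.Thumbprint })
        # Every listed user is a local (SAM) account: the case that breaks once
        # the machine becomes a domain controller and the local SAM is no longer used.
        LocalOnly      = [bool]($users.Count -gt 0 -and
                                -not ($users | Where-Object { $_.Account -notlike "$env:COMPUTERNAME\*" }))
    }
}

# Files carrying the Encrypted attribute under the audited folder.
$encrypted = Get-ChildItem -Path $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and
                   (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) }

$report = foreach ($f in $encrypted) { Get-EfsAccess -Path $f.FullName }
$report | Format-Table Path, CanDecrypt, LocalOnly,
    @{ n = "Users"; e = { ($_.Users | ForEach-Object { $_.Account }) -join "; " } } -AutoSize

# Files decryptable only by local accounts and with no recovery agent are the
# ones that become unreachable when those local accounts stop being usable.
$atRisk = @($report | Where-Object { $_.LocalOnly -and $_.RecoveryAgents.Count -eq 0 })
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) file(s) are decryptable only by local accounts and have no recovery agent."
    Write-Warning "Back up the EFS certificate and private key of each such account while it can still log on, e.g. as that account: cipher /x:`"$KeyBackup`""
}
```

Run the script as the account that currently owns the files, before any change that retires that account; `cipher /x` prompts for a password and writes a .pfx that can later be imported into the replacement account with `certutil -user -importPFX` or the Certificates MMC snap-in, which is the export/import path the first answer refers to. Configuring a domain recovery agent so that the "Recovery certificates:" section is never empty is the longer-term fix suggested by the second answer's comments.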
