EFS Troubleshooting: Access Denied. You would need permission to perform this operation
Introduction
In this article, we look at what happens when files are encrypted with EFS and at one common issue related to it.
EFS is a built-in Windows solution for encrypting files and folders.
**How EFS works**
Consider a scenario where you encrypt a file on your computer by right-clicking it --> General tab --> Advanced.
- While performing this operation, Windows first checks the registry for an EFS certificate thumbprint that already exists. If one is found, that certificate is used to encrypt the current file.
- It also checks the user's personal certificate store for a certificate with the EFS intended purpose.
- Based on the above, it then checks whether the machine is domain joined.
- If the machine is not domain joined, it creates a self-signed certificate with the EFS intended purpose.
- If the machine is domain joined, it tries to find an Enterprise Certificate Authority server. If none is found, it creates a self-signed certificate with the EFS intended purpose.
- If an Enterprise Certificate Authority is present, it queries the certificate templates published on that CA server for one with the EFS intended purpose. Once it finds such a template, it verifies the template permissions and then requests a certificate.
- If the certificate request to the CA fails, or the CA has no certificate template with the EFS intended purpose, a self-signed certificate is generated.
- Once the file has been encrypted, you can find the certificate used for encryption in the user's personal store or in the file's Advanced attributes dialog. This shows the user certificate that was used to encrypt the file and the recovery certificate that can be used if the user certificate is lost.
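The selection order above can be checked on a machine directly. The following PowerShell script is an added example and is not part of the original article or of Windows itself; it reads the thumbprint EFS remembers in the registry (assumed to be the CertificateHash value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys), lists the personal-store certificates carrying the EFS intended purpose (EKU OID 1.3.6.1.4.1.311.10.3.4), and reports whether each is self-signed (no CA involved), expired, or the one the registry points at. The function names are the example's own.

```powershell
# Added example (not from the original article): show the inputs EFS uses
# when it chooses a certificate, in the order the text describes.
# Assumed registry location of the remembered EFS certificate thumbprint:
$CurrentKeysPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
# Enhanced Key Usage OID for the "Encrypting File System" intended purpose
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCurrentKeyThumbprint {
    # Step 1: the thumbprint EFS keeps in the registry (REG_BINARY SHA-1), if any
    $item = Get-ItemProperty -Path $CurrentKeysPath -Name CertificateHash -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    ($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-HasEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Oid)
    # True when the certificate's EKU extension contains the given OID
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

function Get-EfsCertificates {
    # Step 2: certificates in the user's personal store with the EFS intended purpose
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { Test-HasEku -Certificate $_ -Oid $EfsEkuOid }
}

function Get-EfsCertificateReport {
    $registryThumb = Get-EfsCurrentKeyThumbprint
    # Step 3: domain membership decides whether a CA is consulted at all
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    foreach ($cert in Get-EfsCertificates) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey = $cert.HasPrivateKey
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # issued without a CA
            IsCurrentKey  = ($cert.Thumbprint -eq $registryThumb)
            DomainJoined  = $domainJoined
        }
    }
}

# Usage: run in the context of the user whose files are affected
Get-EfsCertificateReport | Format-Table -AutoSize
```

A certificate that is expired or lacks a private key but is still marked IsCurrentKey is the first thing to look at when encryption or decryption suddenly starts failing for one user; a self-signed entry on a domain-joined machine tells you the CA path in the flow above was not taken.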
Scenario
'Folder Access Denied. You would need permission to perform this operation' while encrypting a file, or 'You'll need to provide administrator permission to copy to this folder' while trying to copy encrypted files.
Cause
The EFS Group Policy contained an expired data recovery agent certificate.
Solution
Removed the expired data recovery agent certificate from the EFS Group Policy settings.
Troubleshooting Steps
- The first step is to question the users to get complete information on the issue, including the exact error and the steps they perform when they receive it.
- Gather the environment details and all settings related to EFS. Get a gpresult /h gp.html from the problem machine and from a working machine (if any) and go through the EFS-related settings. Also check whether EFS is configured through any other tools.
- Check one of the problem files and the certificates listed on it.
- Also check the details of one of the encrypted files that is still accessible (if any).
- Confirm that the user's EFS certificate is not (and was not) corrupted, using certutil: certutil -user -repairstore my <thumbprint of the certificate>
- Make sure the EFS settings are being applied to the machine.
- Check the recovery agent certificate that is configured.
- In this scenario, the issue was caused by one of the recovery agent certificates configured and pushed through Group Policy having expired.
- Back up the expired recovery agent certificate with its private key, then remove it from the Group Policy to resolve the issue, since certificates that have already expired cannot be renewed.
Things to remember
- While removing the recovery agent certificate, make sure you configure and add a valid recovery agent certificate to all the files.
- Running cipher /u on the user's machine updates the encrypted files with the new recovery agent certificates. You can also run this as a logon script if there are many machines.
- Failing to follow the steps above for updating the recovery agent certificate will cause problems when a user loses access to their certificate and the files must be recovered with the new recovery agent. Old files can still be recovered using the expired recovery agent certificate, provided the old certificate is still present in the file's recovery agent field.
- Encrypting files will fail even when valid recovery agent certificates are present, if an invalid or expired recovery agent certificate is configured alongside them.
- The first data recovery agent in a domain is the Active Directory built-in Administrator, and its certificate is stored in that account's user profile on the first domain controller.
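The checks in the troubleshooting steps (which recovery certificates a problem file carries, and whether a configured recovery agent certificate has expired) and the cipher /u follow-up in the list above can be scripted. The PowerShell below is an added example, not code from the original article; it assumes that cipher /c prints "Users who can decrypt:" and "Recovery Certificates:" sections with "Certificate thumbprint:" lines, that the File Recovery intended purpose is EKU OID 1.3.6.1.4.1.311.10.3.4.1, and that cipher /u /n lists encrypted files without rewriting their keys. The function names and the store paths searched are the example's own choices.

```powershell
# Added example (not from the original article): audit recovery agent
# certificates on encrypted files before and after replacing an expired DRA.
# Enhanced Key Usage OID for the "File Recovery" intended purpose
$FileRecoveryEkuOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsFileCertificates {
    param([Parameter(Mandatory)][string]$Path)
    # Parse 'cipher /c <file>' into user and recovery certificate thumbprints.
    # Assumed output layout: section headers followed by "Certificate thumbprint:" lines.
    $section = $null
    $result = [ordered]@{ Users = @(); Recovery = @() }
    foreach ($line in (cipher.exe /c $Path)) {
        switch -Regex ($line.Trim()) {
            '^Users who can decrypt:' { $section = 'Users' }
            '^Recovery Certificates:' { $section = 'Recovery' }
            '^Key Information:'       { $section = $null }
            '^Certificate thumbprint:\s*(.+)$' {
                if ($section) { $result[$section] += ($Matches[1] -replace '\s', '').ToUpper() }
            }
        }
    }
    [pscustomobject]$result
}

function Test-RecoveryAgentCertificate {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    # Report every certificate with the File Recovery purpose and whether it has expired.
    # An expired entry here that also appears in a file's Recovery list is the
    # condition described in the Cause section.
    foreach ($cert in Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEkuOid })) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
            }
        }
    }
}

function Get-EncryptedFilesForKeyUpdate {
    # Dry run: cipher /u /n enumerates encrypted files on local drives without
    # touching their keys. Run 'cipher /u' (without /n) afterwards, for example
    # as a logon script, to stamp the files with the new recovery agent certificate.
    cipher.exe /u /n 2>$null
}

# Usage (replace the path with one of the problem files):
# $certs = Get-EfsFileCertificates -Path 'C:\Data\problem.txt'
# $expired = Test-RecoveryAgentCertificate | Where-Object Expired
# $expired | Where-Object { $certs.Recovery -contains $_.Thumbprint }
# Get-EncryptedFilesForKeyUpdate
```

Comparing the recovery thumbprints on a file that still works against one that fails narrows the problem to a single certificate; the last usage line shows which files cipher /u will rewrite once the expired recovery agent has been replaced in Group Policy.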
Conclusion
In this article we have learnt what happens when files are encrypted, one common EFS issue, and the steps to troubleshoot it. Since such small changes can have domain-wide impact, make sure you monitor the critical certificates and the complete PKI infrastructure.
Reference
- https://support.microsoft.com/en-us/help/937536/error-message-when-client-computers-encrypt-a-file-in-a-windows-server
- https://social.technet.microsoft.com/Forums/windows/en-US/f00e88ac-4082-4b75-a474-0e343f1961e0/efs-unable-to-encrypt-a-file-in-windows-7-invalid-recovery-certificate?forum=w7itprosecurity
See Also
- https://blogs.technet.microsoft.com/pki/2011/10/28/key-recovery-vs-data-recovery-differences/
- https://blogs.technet.microsoft.com/askds/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning/
- https://blogs.technet.microsoft.com/askds/2008/01/07/replacing-an-expired-dra-certificate/