The November 2009 Challenge
An IT administrator wrote to me to ask for help. He supports the client computers in the company's accounting department, and each computer has a single user; all users in this department log on with local accounts.
Recently, the company's IT department decided to switch to strong passwords with a specific number of characters and rules about capital letters and special characters. He changed the local account passwords for all 40 users in his group and gave each user his/her new password. Many of the users in his group use Windows' encrypted data features, and those users can no longer get to their encrypted data. Nobody has a problem logging on locally with the new password, so he can't figure out why the encrypted data is not available. Can you explain what happened?
Answer
For local accounts, the only way to change passwords and retain access to encrypted data is to have the user change his or her own password. If an administrator changes the password, access to encrypted data is lost. Often this is accompanied by the loss of access to email (depending on the company's email application and the way users are configured for access).
When a user sets up encrypted files, the encryption certificate includes the user's current password. When the user changes the password (in the User Accounts dialog box or by using a password reset disk), Windows uses the previous password to decrypt the master key and then re-encrypts the master key with the new password. Windows doesn't perform this task if anyone except the user changes the password.
Have the user change the password back to the original password, and then change the password. Administrator, keep out! Wait, I take that back: Administrator, encourage (or enforce) rules about password reset disks. Invest in a flash drive for each user and save yourself and your users a lot of headaches that forgotten passwords and other password issues bring.
October 2009 Reader Challenge Winner
Congratulations to Bill Morris of North Carolina, the winner of our October 2009 Reader Challenge. He won a copy of Windows 7: The Definitive Guide from O'Reilly Media.
Related Reading: