Hey Everyone!

I'm having quite a bit of trouble with Windows EFS encrypted files currently. I recently migrated backup systems for the server, found that the backups are completing with errors, and those particular files are encrypted through EFS. I was able to decrypt a majority of them because the one user that (maybe unknowingly) encrypted these files was still in Active Directory.

Unfortunately, the other two users that have encrypted files are no longer in AD. I can't simply take control of the file through permissions and decrypt it because of the certificates assigned to the old users. I can't export the old user private keys because they weren't set up with the function to export by the previous tech. The certs are still on the server, so I'm unsure if they can be leveraged at all.

I've tried (not really thinking it would work) recreating the old user account to see if maybe the naming convention was enough to trick Windows - but no luck. So I think I have two options potentially, figuring out a way to assign the old certs to another user (which I'm unsure is possible without the private keys), or figure out how to utilize the admin recovery cert.

The admin account was assigned a recovery cert, and that admin account is still in play. Maybe I'm not googling the right terms, but I can't find any way to actually decrypt the file using the recovery cert instead of the user cert that encrypted the file. I tried signing into the admin account and decrypting the files like normal, but I get access denied. I've tried decrypting them through cipher on the cmd, access denied. I've tried adding additional certs to the files/folders (including the admin cert), yet again access denied.

Any suggestions? Thanks a bunch in advance!

The server is running Windows Server 2012 R2 Version 6.3 (Build 9600)
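Added example, not part of the original post: before trying to decrypt, it helps to see exactly which certificates each file's key is wrapped to and whether the account you are logged on as actually holds the matching private key. EFS only decrypts when the private key for one of the listed user or recovery-agent certificates is present in the certificate store of the account doing the work; a recovery agent certificate that is merely published in the domain, with its private key held elsewhere (or exported and deleted, as is common for DRA keys), will show up under "Recovery Certificates" but still produce access denied. This PowerShell snippet runs cipher /c over the encrypted files under a path, pulls out the thumbprints it reports, and matches them against the CurrentUser and LocalMachine personal stores. The script and its output format are my own; the path parameter is an assumption, and the thumbprint regex relies on the "Certificate thumbprint:" label that cipher /c prints.

```powershell
# Added example (not the original poster's code). Reports, per EFS-encrypted file, which
# certificate thumbprints it can be decrypted with and whether this logon session holds a
# private key for any of them. Run from the account you intend to decrypt with.
param(
    [Parameter(Mandatory)] [string[]] $Path   # assumed: file(s) or folder(s) to inspect
)

# Only files with the Encrypted attribute are interesting.
$files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }

# Index every certificate visible to this session by thumbprint (upper-case, no spaces).
$certIndex = @{}
Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    ForEach-Object { $certIndex[$_.Thumbprint.ToUpper()] = $_ }

foreach ($f in $files) {
    # cipher /c lists "Users who can decrypt" and "Recovery Certificates" with thumbprints.
    $out = & cipher.exe /c "$($f.FullName)" 2>&1

    # cipher prints thumbprints in groups of four hex digits separated by spaces; normalise them.
    $thumbs = $out |
        Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() }

    foreach ($t in ($thumbs | Sort-Object -Unique)) {
        $c = $certIndex[$t]
        $status = if (-not $c) { 'certificate not in My stores' }
                  elseif ($c.HasPrivateKey) { 'PRIVATE KEY PRESENT - this account can decrypt' }
                  else { 'public certificate only - cannot decrypt' }

        [pscustomobject]@{
            File       = $f.FullName
            Thumbprint = $t
            Subject    = if ($c) { $c.Subject } else { '' }
            Status     = $status
        }
    }
}
```

If every thumbprint a file reports comes back as "public certificate only" or "certificate not in My stores" for the admin account, that account cannot decrypt it regardless of NTFS permissions, which matches the access denied from cipher /d and from the Explorer dialog. The recovery path then depends on locating and importing (as a PFX) the recovery agent's private key into the account that will run the decryption.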