Profile corrupted - Outlook unable to open EFS Encrypt pst. Cert & permission checked.

  • General discussion

  • Hi all,

    Thanks in advance for your advice :D!

    The situation is as follows:

    1st part - UNABLE TO ENCRYPT

    - Our AD server is 2012 R2 v. 6.3 Build 9600.

    - Users below are using Windows 7 Professional and joined domain.

    - I created a new certificate in Public Key Policy/Encrypting File System as Administrator and pushed it down to the domain group.

    - We started doing EFS encryption for our users... most are OK, except one, PC A.

    - We can't encrypt the files of User A, who is using PC A. The pop-up is 'The Parameter is Incorrect' when doing EFS encryption.

    - If User B logs in to PC A, his files on PC A can be encrypted. If User A logs in to User B's PC, his files can be encrypted as well.

    - So it seems the issue is only on PC A and only with User A.

    So my 1st question: Why is this happening and how can we prevent it? (A possibility is that the user profile is corrupted, but why and where is it corrupted?)


    - I decided to copy all of User A's files (including the Outlook pst), delete his profile and recreate a new profile with the same name.

    - Copied all his files over and set up Outlook with the old pst file again. Then started doing encryption, including the Outlook files.

    - Encryption went smoothly.

    - The next day (or maybe when the user restarted, etc.), when opened, Outlook prompted 'Access denied' for his pst file.

    - All other files that were encrypted together with the pst files (doc, xls, etc.) can be opened and used normally.

    - At the same time, one more user reported having this Outlook access denied issue. This user has neither the 1st part (unable to encrypt) issue nor profile issues.

    So my 2nd question: What happened? :D! We have done encryption for over 20 other users and they don't have the issues. 2 out of 25 have problems using encrypted files.


    - As the user needs to use the PC immediately, I needed to copy all the files back to the users' profiles unencrypted and let them use them. I left only the encrypted pst file aside for troubleshooting.

    - Troubleshooting: Tried to decrypt the 'user A encrypted - Outlook access denied' .pst without success.

    - Checked the encryption certificate and thumbprint, and the recovery certificate (from the AD server) and thumbprint; all are the same... but I am unable to decrypt even while logged in under the User A account.

    - I am also unable to copy/move the encrypted files. The error pop-up is 'File Access denied. You required permission from domain\UserA to make changes to this file'. And I was logged in under User A, with User A having all permissions for the file.

    So my 3rd question: What happened? :D Is there anything else to check besides the certificates/thumbprint/user account/user permissions? I suspect this issue is not related to the 1st part (unable to encrypt) or a corrupted profile, because there is another user who also has this Outlook access denied issue.

    We need to encrypt all user folders, and if we can't decrypt after encrypting... BIG BIG issue.

    All advice is welcome... I also believe I could have missed something in the process.

    Again, thank you very much and sorry for the long thread. I just want to be sure that all the info is provided.

    • Edited by dgbao Wednesday, April 10, 2019 3:52 AM update for clearer titles
    Wednesday, April 10, 2019 2:22 AM