
EFS Assistant - Encrypted Outlook Folder Issues


Blues

Jan 8, 2009, 3:10:11 PM
Hello Fellow Geeks!

Recently deployed EFS to all my users for the sole purpose of encrypting the
Outlook folder cache (.OST and .PST files). So far so good except for about 20
or so users having issues as a result of the folder being encrypted:

When launching Outlook users either receive 'Access Denied' errors to a
number of critical files in the Outlook folder, or receive 'An extension
failed to initialize' error for the extend.dat file. This causes Outlook to
either be completely useless, or the user is able to open and use Outlook,
but they get errors popping up every 5 minutes.

My initial reaction is that the users' certs have become corrupt for some
reason, as they are also unable to decrypt the Outlook folder (with Outlook
not running), but in looking at the users' cert store and the hash on the
encrypted files, everything looks normal.

If the .OST file becomes inaccessible, we can just delete it and rebuild the
user's Outlook profile, but when a .PST file is affected, the only solution is
to recover using the Key Recovery Agent (skipping the user key restore).

In a few cases cipher.exe /U will allow the users to regain access to the
encrypted files. Others have to be recovered with the KRA.

Has anyone come across this issue, or have any idea what may be causing it?

Thanks for any assistance anyone can provide!

--
Blues

John Turner (CDW Corporation)

Jan 8, 2009, 3:40:32 PM
I'm assuming the reason you're getting access denied errors is that the
Outlook files are in use while the EFS Assistant is running.

My recommendation would be to add the folder location (i.e. on Vista
%LOCALAPPDATA%\Microsoft\Outlook) to the EFS Assistant default red list and
either script or manually encrypt OST/PST files to avoid corruption.


Thanks!
-John C. Turner
Microsoft Security Consultant / CDW Corporation

"Blues" <Bl...@discussions.microsoft.com> wrote in message
news:B102C92F-AD3A-4EA0...@microsoft.com...

Blues

Jan 8, 2009, 4:31:43 PM
As I understand it, EFS will not encrypt any of the files if they are in use
by another program, hence the reason I usually have to close Outlook when
decrypting the Outlook folder. Thanks!
--
Blues

crazy907

Feb 9, 2009, 2:31:01 PM
Hey guys, were you able to script the encryption of the OST files? If so,
could someone explain that process?

Blues

Feb 9, 2009, 2:43:01 PM
I used the "EFS Assistant", a small agent that allows you to control EFS
encryption using Group Policy. It encrypts the user's Outlook folder by
default, but I wouldn't recommend doing it. I tested it and subsequently
rolled it out to my users, only to find that many of them started getting
access denied errors when opening Outlook. Also, their PST files became
corrupted. Opened a support case with Microsoft and we couldn't come up with
a solid answer as to why it was happening, so I rolled back the EFS
implementation and am looking at other options.
--
Blues

crazy907

Feb 9, 2009, 2:54:01 PM
Is it possible to script the OST encryption? I am looking to implement OST
encryption but I need to automate the process.
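
Added example, not written by any poster in this thread: a PowerShell sketch of the "script the encryption" approach suggested above, which refuses to touch OST/PST files while Outlook is running or while a file is locked, and verifies the EFS attribute afterwards. It assumes the Vista-style folder path quoted in the thread and uses the .NET `File.Encrypt` call (which applies EFS) instead of the EFS Assistant or cipher.exe; the function name and status labels are illustrative.

```powershell
# Assumption: Outlook data files live in the path quoted in the thread.
$OutlookDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'

function Test-FileLocked {
    param([string]$Path)
    try {
        # FileShare.None fails if any other process has the file open.
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch {
        # Sharing violation or access denied: treat both as "do not touch".
        return $true
    }
}

# EFS cannot safely process files that Outlook holds open.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running; close it and run this script again.'
    exit 1
}

$encryptedFlag = [System.IO.FileAttributes]::Encrypted
$files = Get-ChildItem -Path (Join-Path $OutlookDir '*') -Include *.ost, *.pst |
    Where-Object { -not $_.PSIsContainer }

$results = foreach ($file in $files) {
    if ($file.Attributes -band $encryptedFlag) {
        $status = 'AlreadyEncrypted'
    } elseif (Test-FileLocked $file.FullName) {
        $status = 'SkippedInUse'
    } else {
        try {
            [System.IO.File]::Encrypt($file.FullName)   # EFS encryption of one file
            $file.Refresh()
            # Confirm the attribute really changed instead of trusting the call.
            $status = if ($file.Attributes -band $encryptedFlag) { 'Encrypted' } else { 'Failed' }
        } catch {
            $status = 'Failed'
        }
    }
    New-Object PSObject -Property @{ File = $file.FullName; Status = $status }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a deployment tool flag machines that need follow-up.
if ($results | Where-Object { 'Encrypted', 'AlreadyEncrypted' -notcontains $_.Status }) { exit 1 }
```

Run it in the user's own logon context so the files are encrypted to that user's EFS certificate, and keep the recovery agent in place before any rollout.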