If You Forget, You Will Regret
If you've backed up your private key and EFS certificate, you can always restore it to recover your encrypted files. This is true both in Windows 2000 and Windows XP/2003. The same is true if you have a DRA configured at the time the files were encrypted, because the DRA can recover your files for you. However, things get rather messy when a user forgets the password. Let's look at both Windows 2000 and Windows XP behavior in that scenario.
In Windows 2000, if a user forgets a password, the administrator can reset the password and it has no effect on the user's encrypted files. This is true whether the user logs onto the domain or to a standalone computer in a workgroup. However, a hacker can easily use a third-party tool such as Ntpassword to replace the password hash in the local Security Accounts Manager (SAM)and gain complete access to the user's encrypted files by logging on as that user.
In Windows XP, Microsoft has improved the security on EFS certificates; the certificate's private keys are now protected with your local account's password. If a user forgets the password and the administrator resets the password for a domain account, no harm is done; the user can continue to access the encrypted files. In a workgroup environment, when the local administrator resets a user's password, the Data Protection API (DPAPI) master key is lost and the user can't access the private key associated with the encrypted files. The DPAPI master key is used to help protect EFS private keys and other certificate-based functions. When the administrator tries to reset the password, the warning shown in Figure 1 is displayed. In short, the user cannot access encrypted data on a standalone Windows XP computer once an administrator resets the user's password. Furthermore, even if a hacker can log on as the user by using a utility such as Ntpassword, the hacker cannot read the encrypted files in Windows XP in this scenario.
When explaining this behavior (password resetting causes the encrypted data to become inaccessible), some Microsoft documents state: "This behavior is designed as a security feature against offline attacks." This is a reasonable explanation. Other Microsoft documents say that this behavior was designed to prevent corrupt network administrators from simply resetting your password and reading your confidential documents. This doesn't seem to be a very good argument. Although it's true that if an administrator could reset the password he or she could read your encrypted files, there's not much you could really do to prevent an administrator from reading encrypted files, even with this new feature.
Some of my tests showed that if the user's password is changed back to the original password, the EFS data becomes accessible again. Let's say a user logs on with a password of ABC and encrypts her files. After the user logs off and leaves for a vacation, she forgets her password. When she gets back, the administrator resets her password to XYZ. The user logs on with the new password but can no longer access her encrypted data. However, if the user later remembers her original password and the administrator resets the password to ABC, the user can access her encrypted data again. A user remembering the old password may not be a likely scenario in the real world, but knowing this possibility may help you recover your lost data someday. Keep in mind that if Windows XP is reinstalled on that computer, encrypted data will be lost regardless of what password is used. As mentioned earlier, this discussion assumes that the certificates and private keys weren't backed up and that there is no DRA.