Letting Others Open Encrypted Files on a Network Share
#1
Guest

I am having trouble allowing others access to files I (or anyone else, for that matter) encrypt on our File Server.

A little background information. I am running a W2k3 AD network with one Domain and two OUs. Each OU has other OUs under them. On one of our File Servers (running W2k3 Server) we have set up a share that has an encrypted folder, along with other folders that are not encrypted, to hold files that contain sensitive information. Permissions for this share include a Group with full permissions whose members are those authorized to view and manipulate these files. The idea is to have the user (a member of the Group) move the file into the encrypted folder once they have processed it, thus encrypting it. From time to time these encrypted files need to be re-opened for examination, not only by the one who has encrypted it, but also certain other members of the Group, and that is where my problem lies. The one who moved the file into the encrypted folder can open the file, no problem. However, when that person (the one who moved it there) adds another person (individuals, not the Group) to the list of those authorized to open the file, the added person is not able to open the file, they get an Access Denied message.

I have had each user involved encrypt a file on their PC to set an encryption certificate and trusted the File Server in question for delegation. I've had a couple of the users move unencrypted files into this encrypted folder. The file becomes encrypted and the user who moved it there can open it, etc. But, when they go to add other users, even though they can find the other users' certificates and add them, those other users still cannot open the file, only the one who moved it there in the first place can. I have tried accessing these files under the Domain Recovery Agent account and adding users to the files that way, but still no luck.

Is there something that I am missing? Some setting -- or settings -- that need to be enabled / disabled? Or, can such a thing as I am trying to attempt even be accomplished? Any help, suggestions, or directions to further information would be greatly appreciated. Also, if you need more information on what I am trying to do please let me know.

Thanks!

#2
Guest

You have to share each file. See the following MS article.

http://support.microsoft.com/defaul...;308991&sd=tech

EFS seems to work best if only one user accesses a file. Multiple user access is complicated and doesn't always work as expected.

Kerry

#4
Guest

Kerry,

Thanks for the reply, but I do have these permissions set on the Folder where these encrypted files sit. In fact, I have done everything I could find that MS says to do to have this sharing, but other users still cannot access the encrypted files when the one who has placed it has given them permission per the instructions.

Thanks.