EFS Add Users Command Line Tool?

Thread starter: Seasanctuary
Is there now a command prompt utility to add users to an EFS access
list?

From what I can tell:
1) Microsoft has not released one.
2) W2k/XP/2k3 have an API function AddUsersToEncryptedFile that could
be used to create such a tool.

Several people have asked about this (including in this newsgroup), so
I'd like to know if anyone has heard of a recent implementation...or
done one yourself...or at least started one yourself.

If not, I'll probably have to make one from scratch.

I appreciate any news!
 
I can confirm both 1 and 2. I don't know of any publicly-available cmdline
tools that do that yet.

AddUsersToEncryptedFile is pretty straightforward. Other details, like how
to get the correct certificate to add, can get more complicated. When users
encrypt files on an XP/2003 machine, their EFS cert is copied into the
TrustedPeople store - that's a simple way to know that the cert was used by
a given user on that machine. Unfortunately, there's no good trick on
Win2k. Pulling from the AD is more complicated and won't necessarily pick
the right cert unless you can guarantee that the users will have roaming
profiles *or* only log onto one machine.

Good luck.
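
As an added example of the approach Drew describes (this is not code from the thread or from Microsoft): look the user's EFS certificate up in the TrustedPeople store, then hand it to AddUsersToEncryptedFile together with the user's SID. The store location, the match on the certificate's subject name, the EFS enhanced key usage filter and the command-line shape are assumptions made for the example, not anything the thread states.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example, not code from the thread or from Microsoft. Assumptions: the user's EFS
// certificate sits in the TrustedPeople store at the location the caller passes, its
// subject simple name equals the account name, and it carries the EFS enhanced key usage.
static class EfsAddUser
{
    const uint X509_ASN_ENCODING = 0x1;                 // wincrypt.h
    const string EfsEkuOid = "1.3.6.1.4.1.311.10.3.4";  // szOID_KP_EFS (Encrypting File System)

    [StructLayout(LayoutKind.Sequential)]
    struct EFS_CERTIFICATE_BLOB { public uint dwCertEncodingType; public uint cbData; public IntPtr pbData; }

    [StructLayout(LayoutKind.Sequential)]
    struct ENCRYPTION_CERTIFICATE { public uint cbTotalLength; public IntPtr pUserSid; public IntPtr pCertBlob; }

    [StructLayout(LayoutKind.Sequential)]
    struct ENCRYPTION_CERTIFICATE_LIST { public uint nUsers; public IntPtr pUsers; }  // pUsers: array of ENCRYPTION_CERTIFICATE*

    // Returns a Win32 error code, not a BOOL: 0 (ERROR_SUCCESS) means the user was added.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint AddUsersToEncryptedFile(string lpFileName, ref ENCRYPTION_CERTIFICATE_LIST pEncryptionCertificates);

    // Newest time-valid certificate in TrustedPeople whose subject name matches the account
    // and that has the EFS EKU; null if none qualifies. Filtering here avoids handing the
    // file whatever certificate happens to match by name (Drew's "right cert" problem).
    public static X509Certificate2 FindEfsCert(string userName, StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.TrustedPeople, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2 best = null;
            DateTime now = DateTime.Now;
            foreach (X509Certificate2 c in store.Certificates)
            {
                if (!string.Equals(c.GetNameInfo(X509NameType.SimpleName, false), userName,
                                   StringComparison.OrdinalIgnoreCase)) continue;
                bool efs = false;
                foreach (X509Extension ext in c.Extensions)
                {
                    X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
                    if (eku == null) continue;
                    foreach (Oid o in eku.EnhancedKeyUsages) if (o.Value == EfsEkuOid) efs = true;
                }
                if (!efs || now < c.NotBefore || now > c.NotAfter) continue;
                if (best == null || c.NotBefore > best.NotBefore) best = c;
            }
            return best;
        }
        finally { store.Close(); }
    }

    // Marshal a one-entry ENCRYPTION_CERTIFICATE_LIST into unmanaged memory and call the API.
    public static void AddUser(string path, string account, X509Certificate2 cert)
    {
        SecurityIdentifier sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        byte[] sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);
        byte[] der = cert.RawData;                      // public certificate only; no private key is needed to add a user
        int certSize = Marshal.SizeOf(typeof(ENCRYPTION_CERTIFICATE));
        IntPtr pSid = IntPtr.Zero, pDer = IntPtr.Zero, pBlob = IntPtr.Zero, pCert = IntPtr.Zero, pArr = IntPtr.Zero;
        try
        {
            pSid = Marshal.AllocHGlobal(sidBytes.Length); Marshal.Copy(sidBytes, 0, pSid, sidBytes.Length);
            pDer = Marshal.AllocHGlobal(der.Length);      Marshal.Copy(der, 0, pDer, der.Length);
            EFS_CERTIFICATE_BLOB blob;
            blob.dwCertEncodingType = X509_ASN_ENCODING; blob.cbData = (uint)der.Length; blob.pbData = pDer;
            pBlob = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(EFS_CERTIFICATE_BLOB)));
            Marshal.StructureToPtr(blob, pBlob, false);
            ENCRYPTION_CERTIFICATE ec;
            ec.cbTotalLength = (uint)certSize; ec.pUserSid = pSid; ec.pCertBlob = pBlob;
            pCert = Marshal.AllocHGlobal(certSize);
            Marshal.StructureToPtr(ec, pCert, false);
            pArr = Marshal.AllocHGlobal(IntPtr.Size);   // array holding one ENCRYPTION_CERTIFICATE*
            Marshal.WriteIntPtr(pArr, pCert);
            ENCRYPTION_CERTIFICATE_LIST list;
            list.nUsers = 1; list.pUsers = pArr;
            uint rc = AddUsersToEncryptedFile(path, ref list);
            if (rc != 0) throw new Win32Exception((int)rc);
        }
        finally
        {
            foreach (IntPtr p in new IntPtr[] { pArr, pCert, pBlob, pDer, pSid })
                if (p != IntPtr.Zero) Marshal.FreeHGlobal(p);
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: efsadduser <file> <DOMAIN\\user>"); return 2; }
        string file = args[0], account = args[1];
        if ((File.GetAttributes(file) & FileAttributes.Encrypted) == 0)
        { Console.Error.WriteLine(file + " is not encrypted; there is no user list to add to"); return 1; }
        X509Certificate2 cert = FindEfsCert(account.Substring(account.IndexOf('\\') + 1), StoreLocation.LocalMachine);
        if (cert == null) { Console.Error.WriteLine("no usable EFS certificate for " + account + " in TrustedPeople"); return 1; }
        AddUser(file, account, cert);
        Console.WriteLine("added " + account + " (cert " + cert.Thumbprint + ") to " + file);
        return 0;
    }
}
```

Two points worth keeping in mind when building on this: AddUsersToEncryptedFile reports failure through its DWORD return value, so check that rather than Marshal.GetLastWin32Error; and adding a user means wrapping the file's FEK for that user's public key, so the caller must itself be able to unwrap the FEK (be one of the file's existing users, or a recovery agent) for the call to succeed.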
 
Thanks, Drew. I'll take those considerations into account.

This morning I tried going a slightly different route...specifying a
group of users on one "template" file, and then using
DuplicateEncryptionInfoFile to copy the efs metadata to all the files
in a tree.

And that works great...for the metadata. Unfortunately, it has the
side effect of zeroing out all the files in the tree. There's a
dwCreationDistribution argument that per MSDN only allows you to pick
CREATE_ALWAYS or CREATE_NEW to open the existing files. I really want
to use OPEN_EXISTING, but it doesn't appear to work.

Here's the C# line I'm using:
Win32.DuplicateEncryptionInfoFile(sourceFile, destinationFile,
    Win32.CreationDistribution.CreateNew, Win32.FileAttributeNormal,
    IntPtr.Zero);

And here's the dllimport:
// Definitions the call above relies on (not in the original post); values from winbase.h.
// CREATE_NEW and CREATE_ALWAYS are the only two dwCreationDistribution values the API documents.
public enum CreationDistribution : uint { CreateNew = 1, CreateAlways = 2 }
public const int FileAttributeNormal = 0x80;   // FILE_ATTRIBUTE_NORMAL
// Returns a Win32 error code (DWORD); 0 is ERROR_SUCCESS.
[DllImport("Advapi32.dll", CharSet=CharSet.Auto)]
static public extern uint
DuplicateEncryptionInfoFile(string sourceFile,
    string destinationFile,
    CreationDistribution creationDistribution,
    int destinationFileAttributes,
    IntPtr securityAttributes);

If anyone knows how I can make this OPEN rather than CREATE the data
files I'm trying to change efs permission on, I'd be very grateful.

Thanks!
 
The Dup API won't do what you want. You really do have to add the users to
each file one at a time.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

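Since each file has to be touched individually, a per-file pass should at least skip files that are not encrypted and files that already list the certificate, rather than re-adding blindly. The following is an added example (not code from the thread or from Microsoft) that reads a file's user list with QueryUsersOnEncryptedFile and walks a tree reporting the encrypted files that do not yet carry a given certificate hash. The recursive directory walk, the comparison against the certificate's SHA-1 thumbprint, and the command-line shape are assumptions made for the example. It runs on its own as a dry-run audit; calling AddUsersToEncryptedFile on each reported file is the write half.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread or from Microsoft: list the users on an EFS file
// via QueryUsersOnEncryptedFile, and report the encrypted files under a tree that do not yet
// carry a given certificate hash (the hash EFS stores is the cert's SHA-1 thumbprint).
static class EfsAudit
{
    [StructLayout(LayoutKind.Sequential)]
    struct EFS_HASH_BLOB { public uint cbData; public IntPtr pbData; }

    [StructLayout(LayoutKind.Sequential)]
    struct ENCRYPTION_CERTIFICATE_HASH
    {
        public uint cbTotalLength;
        public IntPtr pUserSid;              // SID*, may be NULL
        public IntPtr pHash;                 // EFS_HASH_BLOB*
        public IntPtr lpDisplayInformation;  // LPWSTR, may be NULL
    }

    [StructLayout(LayoutKind.Sequential)]
    struct ENCRYPTION_CERTIFICATE_HASH_LIST { public uint nCert_Hash; public IntPtr pUsers; }  // pUsers: array of ENCRYPTION_CERTIFICATE_HASH*

    // Returns a Win32 error code; the list it hands back must be released with FreeEncryptionCertificateHashList.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint QueryUsersOnEncryptedFile(string lpFileName, out IntPtr pUsers);

    [DllImport("advapi32.dll")]
    static extern void FreeEncryptionCertificateHashList(IntPtr pUsers);

    public class EfsUser
    {
        public SecurityIdentifier Sid;   // null when the entry carries no SID
        public string CertHashHex;       // uppercase hex, same format as X509Certificate2.Thumbprint
        public string Display;           // display information recorded with the entry, if any
    }

    // Copy the unmanaged hash list into managed objects, then free it.
    public static List<EfsUser> QueryUsers(string path)
    {
        IntPtr pList;
        uint rc = QueryUsersOnEncryptedFile(path, out pList);
        if (rc != 0) throw new Win32Exception((int)rc);
        try
        {
            ENCRYPTION_CERTIFICATE_HASH_LIST list =
                (ENCRYPTION_CERTIFICATE_HASH_LIST)Marshal.PtrToStructure(pList, typeof(ENCRYPTION_CERTIFICATE_HASH_LIST));
            List<EfsUser> users = new List<EfsUser>();
            for (int i = 0; i < list.nCert_Hash; i++)
            {
                IntPtr pEntry = Marshal.ReadIntPtr(list.pUsers, i * IntPtr.Size);
                ENCRYPTION_CERTIFICATE_HASH e =
                    (ENCRYPTION_CERTIFICATE_HASH)Marshal.PtrToStructure(pEntry, typeof(ENCRYPTION_CERTIFICATE_HASH));
                EFS_HASH_BLOB blob = (EFS_HASH_BLOB)Marshal.PtrToStructure(e.pHash, typeof(EFS_HASH_BLOB));
                byte[] hash = new byte[blob.cbData];
                Marshal.Copy(blob.pbData, hash, 0, hash.Length);
                EfsUser u = new EfsUser();
                u.CertHashHex = BitConverter.ToString(hash).Replace("-", "");
                u.Sid = e.pUserSid == IntPtr.Zero ? null : new SecurityIdentifier(e.pUserSid);
                u.Display = e.lpDisplayInformation == IntPtr.Zero ? null : Marshal.PtrToStringUni(e.lpDisplayInformation);
                users.Add(u);
            }
            return users;
        }
        finally { FreeEncryptionCertificateHashList(pList); }
    }

    // Encrypted files under root whose user list lacks the given thumbprint. Files that cannot
    // be queried are collected in errors instead of aborting the whole walk.
    public static List<string> FilesMissingCert(string root, string thumbprintHex, List<string> errors)
    {
        List<string> missing = new List<string>();
        foreach (string f in Directory.GetFiles(root, "*", SearchOption.AllDirectories))
        {
            if ((File.GetAttributes(f) & FileAttributes.Encrypted) == 0) continue;   // plaintext file: nothing to add to
            try
            {
                bool present = false;
                foreach (EfsUser u in QueryUsers(f))
                    if (string.Equals(u.CertHashHex, thumbprintHex, StringComparison.OrdinalIgnoreCase)) present = true;
                if (!present) missing.Add(f);
            }
            catch (Win32Exception ex) { errors.Add(f + ": " + ex.Message); }
        }
        return missing;
    }

    static int Main(string[] args)
    {
        if (args.Length == 1)   // one argument: print the user list of that file
        {
            foreach (EfsUser u in QueryUsers(args[0]))
                Console.WriteLine((u.Sid == null ? "<no sid>" : u.Sid.Value) + "  " + u.CertHashHex + "  " + u.Display);
            return 0;
        }
        if (args.Length != 2) { Console.Error.WriteLine("usage: efsaudit <file> | efsaudit <root dir> <cert thumbprint hex>"); return 2; }
        List<string> errors = new List<string>();
        foreach (string f in FilesMissingCert(args[0], args[1], errors)) Console.WriteLine(f);
        foreach (string e in errors) Console.Error.WriteLine(e);
        return errors.Count == 0 ? 0 : 1;
    }
}
```

Comparing on the certificate hash rather than on the SID is deliberate: a user who re-enrolled has a new certificate, and a file that only lists the old one is exactly the case a tree-wide add has to catch.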