Sharing Folders using EFS in XP Pro

Douglas Pribyl

I am stumped and I hope that someone can help me. I have
a customer with a Windows XP Pro computer that has two
users. These two users have placed all of their shared
files in the "Shared Documents" folder.

They have very confidential information stored in this
folder and have tried to encrypt the folder using the
built in Encrypted File System software. It is very easy
to encrypt the folder, but only the user that encrypts it
has access to the files making it useless.

There are currently thousands of files in this shared
folder, and I am told by Microsoft that I have to click
on each individual file and add the second user's account
for shared access to these encrypted files. This is
absolutely absurd and impossible.

I need to find out if there is a patch or a workaround
that allows you to add more than one user to an encrypted
folder and thus give them access to all encrypted files
in that folder and all subfolders as well. If
Microsoft's EFS product can't do this, is there a product
that integrates with Microsoft's File Explorer so that I
can still right click on a folder, have the option to
encrypt it, and then designate the users that can access
it?? Being able to only share individual files makes no
sense to me at all. Any help with this matter would be
greatly appreciated.
 
Shenan Stanley

Douglas said:
I am stumped and I hope that someone can help me. I have
a customer with a Windows XP Pro computer that has two
users. These two users have placed all of their shared
files in the "Shared Documents" folder.

They have very confidential information stored in this
folder and have tried to encrypt the folder using the
built in Encrypted File System software. It is very easy
to encrypt the folder, but only the user that encrypts it
has access to the files making it useless.

There are currently thousands of files in this shared
folder, and I am told by Microsoft that I have to click
on each individual file and add the second user's account
for shared access to these encrypted files. This is
absolutely absurd and impossible.

I need to find out if there is a patch or a workaround
that allows you to add more than one user to an encrypted
folder and thus give them access to all encrypted files
in that folder and all subfolders as well. If
Microsoft's EFS product can't do this, is there a product
that integrates with Microsoft's File Explorer so that I
can still right click on a folder, have the option to
encrypt it, and then designate the users that can access
it?? Being able to only share individual files makes no
sense to me at all. Any help with this matter would be
greatly appreciated.

As far as I understand it, you can only grant access to a specific file -
one at a time - as you have stated. I do not believe there is a way to do a
folder in Windows XP.

I do believe this was "remedied" in Windows 2003:
http://support.microsoft.com/?kbid=324897#22

(As you can see, if you have these files stored on a Windows 2003 server and
shared among the two - you MAY be able to do what you wish..)
 
Drew Cooper [MSFT]

The other Microsoftie was telling the truth - through the UI you have to add
users one file at a time. It would be possible to write a tool that called
the AddUsersToEncryptedFile API to automate the process if you're a coder.

And it works the same way on Server 2003.

As far as 3rd-party file encryption goes, I can't recommend any but maybe
someone else (who isn't a Microsoft employee) on the newsgroup can.
 
Shenan Stanley

Douglas said:
I am stumped and I hope that someone can help me. I have
a customer with a Windows XP Pro computer that has two
users. These two users have placed all of their shared
files in the "Shared Documents" folder.

They have very confidential information stored in this
folder and have tried to encrypt the folder using the
built in Encrypted File System software. It is very easy
to encrypt the folder, but only the user that encrypts it
has access to the files making it useless.

There are currently thousands of files in this shared
folder, and I am told by Microsoft that I have to click
on each individual file and add the second user's account
for shared access to these encrypted files. This is
absolutely absurd and impossible.

I need to find out if there is a patch or a workaround
that allows you to add more than one user to an encrypted
folder and thus give them access to all encrypted files
in that folder and all subfolders as well. If
Microsoft's EFS product can't do this, is there a product
that integrates with Microsoft's File Explorer so that I
can still right click on a folder, have the option to
encrypt it, and then designate the users that can access
it?? Being able to only share individual files makes no
sense to me at all. Any help with this matter would be
greatly appreciated.

Shenan said:
As far as I understand it, you can only grant access to a specific
file - one at a time - as you have stated. I do not believe there
is a way to do a folder in Windows XP.

I do believe this was "remedied" in Windows 2003:
http://support.microsoft.com/?kbid=324897#22

(As you can see, if you have these files stored on a Windows 2003
server and shared among the two - you MAY be able to do what you
wish..)
The other Microsoftie was telling the truth - through the UI you have
to add users one file at a time. It would be possible to write a
tool that called the AddUsersToEncryptedFile API to automate the
process if you're a coder.

And it works the same way on Server 2003.

As far as 3rd-party file encryption goes, I can't recommend any but
maybe someone else (who isn't a Microsoft employee) on the newsgroup
can.

Wait.. Wait.. Wait..

You mean that you still have to do it file-by-file in Windows 2003 server as
well. Don't the instructions found at:

http://support.microsoft.com/?kbid=324897#22

Specify that you can add a user (or remove) from a file or folder using the
instructions found there? (It does say "Add Users to or Remove Users from a
File or Folder" <- which to me implies it can be done either way.)

Admittedly, the "note" on that instruction set titled the above never
mentions folders, only files, but then should the title of that instruction
set be changed a bit? Or should we assume that if a user has rights to a
folder, they do not automatically have rights to the files placed in that
folder nor all the files that were in the folder initially? At which point
one has to wonder what was the point of giving the user rights on the folder
in the first place (or even encrypting the folder to begin with..)?

Now *I* am thoroughly confused. heh
 
Drew Cooper [MSFT]

In a nutshell, this is how it works:
Files can be encrypted. Folders can't really be "encrypted". They're
"marked for encryption", which means that new files created in them will be
encrypted and new subfolders will also be marked for encryption. Those new
files are encrypted by the user that creates them.

Users can be added/removed to/from files. We've never supported add/remove
on folders through the UI (because it's meaningless).

You're right - the kb is misleading. Well . . . actually it's kinda lying.
I'll file a bug and see if we can get that fixed.
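
Drew's two posts give the pieces for a bulk fix: AddUsersToEncryptedFile works per file, and a folder is only marked so that new files are encrypted by whoever creates them. The script below is an added example (not part of the thread and not Microsoft's code) that walks a tree and adds one user's EFS certificate to every file that is already encrypted. The folder path, certificate file and account name are placeholder assumptions, and it has to run as a user who can already open the files.

```powershell
# Added example: bulk-add one user's EFS certificate to every encrypted file under a folder.
param(
    [string]$Root     = 'C:\Data\Shared',     # assumed folder (placeholder)
    [string]$CertFile = 'C:\Temp\user2.cer',  # assumed: the second user's exported EFS certificate
    [string]$Account  = 'PC01\user2'          # assumed account name (placeholder)
)
Add-Type -Namespace Efs -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)] public struct EFS_CERTIFICATE_BLOB { public uint dwCertEncodingType; public uint cbData; public IntPtr pbData; }
[StructLayout(LayoutKind.Sequential)] public struct ENCRYPTION_CERTIFICATE { public uint cbTotalLength; public IntPtr pUserSid; public IntPtr pCertBlob; }
[StructLayout(LayoutKind.Sequential)] public struct ENCRYPTION_CERTIFICATE_LIST { public uint nUsers; public IntPtr pUsers; }
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint AddUsersToEncryptedFile(string lpFileName, ref ENCRYPTION_CERTIFICATE_LIST pUsers);
public static uint AddUser(string file, byte[] der, byte[] sid) {
    IntPtr pDer = Marshal.AllocHGlobal(der.Length), pSid = Marshal.AllocHGlobal(sid.Length);
    IntPtr pBlob = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(EFS_CERTIFICATE_BLOB)));
    IntPtr pCert = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(ENCRYPTION_CERTIFICATE)));
    IntPtr pArr  = Marshal.AllocHGlobal(IntPtr.Size);       // array holding one certificate pointer
    try {
        Marshal.Copy(der, 0, pDer, der.Length);
        Marshal.Copy(sid, 0, pSid, sid.Length);
        EFS_CERTIFICATE_BLOB blob = new EFS_CERTIFICATE_BLOB();
        blob.dwCertEncodingType = 1; blob.cbData = (uint)der.Length; blob.pbData = pDer;  // 1 = X509_ASN_ENCODING
        Marshal.StructureToPtr(blob, pBlob, false);
        ENCRYPTION_CERTIFICATE cert = new ENCRYPTION_CERTIFICATE();
        cert.cbTotalLength = (uint)Marshal.SizeOf(typeof(ENCRYPTION_CERTIFICATE)); cert.pUserSid = pSid; cert.pCertBlob = pBlob;
        Marshal.StructureToPtr(cert, pCert, false);
        Marshal.WriteIntPtr(pArr, pCert);
        ENCRYPTION_CERTIFICATE_LIST list = new ENCRYPTION_CERTIFICATE_LIST();
        list.nUsers = 1; list.pUsers = pArr;
        return AddUsersToEncryptedFile(file, ref list);     // 0 = ERROR_SUCCESS
    } finally { foreach (IntPtr p in new IntPtr[] { pDer, pSid, pBlob, pCert, pArr }) Marshal.FreeHGlobal(p); }
}
'@

$der    = (New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertFile).RawData
$sidObj = (New-Object Security.Principal.NTAccount $Account).Translate([Security.Principal.SecurityIdentifier])
$sid    = New-Object byte[] $sidObj.BinaryLength
$sidObj.GetBinaryForm($sid, 0)

# Only files carry EFS users; folders are just "marked", so skip containers and unencrypted files.
Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    ForEach-Object {
        $rc = [Efs.Native]::AddUser($_.FullName, $der, $sid)
        if ($rc -ne 0) { Write-Warning ("{0}: Win32 error {1}" -f $_.FullName, $rc) }
    }
```

Files created later are encrypted only to their creator, so the script has to be run again to cover them.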
 
Torgeir Bakken (MVP)

Douglas said:
If Microsoft's EFS product can't do this, is there a product
that integrates with Microsoft's File Explorer so that I
can still right click on a folder, have the option to
encrypt it, and then designate the users that can access
it?? Being able to only share individual files makes no
sense to me at all. Any help with this matter would be
greatly appreciated.

SafeGuard PrivateDisk and/or SafeGuard LAN Crypt might help you out:

http://www.utimaco.com/indexmain.html

(we are using their "SafeGuard Easy" product for local hard disk encryption on
all laptops, and we are very satisfied with the product).

The BestCrypt product found at http://www.jetico.com/ also looks interesting.
 
Shenan Stanley

Douglas said:
I am stumped and I hope that someone can help me. I have
a customer with a Windows XP Pro computer that has two
users. These two users have placed all of their shared
files in the "Shared Documents" folder.

They have very confidential information stored in this
folder and have tried to encrypt the folder using the
built in Encrypted File System software. It is very easy
to encrypt the folder, but only the user that encrypts it
has access to the files making it useless.

There are currently thousands of files in this shared
folder, and I am told by Microsoft that I have to click
on each individual file and add the second user's account
for shared access to these encrypted files. This is
absolutely absurd and impossible.

I need to find out if there is a patch or a workaround
that allows you to add more than one user to an encrypted
folder and thus give them access to all encrypted files
in that folder and all subfolders as well. If
Microsoft's EFS product can't do this, is there a product
that integrates with Microsoft's File Explorer so that I
can still right click on a folder, have the option to
encrypt it, and then designate the users that can access
it?? Being able to only share individual files makes no
sense to me at all. Any help with this matter would be
greatly appreciated.

Shenan said:
As far as I understand it, you can only grant access to a specific
file - one at a time - as you have stated. I do not believe there
is a way to do a folder in Windows XP.

I do believe this was "remedied" in Windows 2003:
http://support.microsoft.com/?kbid=324897#22

(As you can see, if you have these files stored on a Windows 2003
server and shared among the two - you MAY be able to do what you
wish..)
The other Microsoftie was telling the truth - through the UI you
have to add users one file at a time. It would be possible to
write a tool that called the AddUsersToEncryptedFile API to
automate the process if you're a coder.

And it works the same way on Server 2003.

As far as 3rd-party file encryption goes, I can't recommend any but
maybe someone else (who isn't a Microsoft employee) on the newsgroup
can.

Shenan said:
Wait.. Wait.. Wait..

You mean that you still have to do it file-by-file in Windows 2003
server as well. Don't the instructions found at:

http://support.microsoft.com/?kbid=324897#22

Specify that you can add a user (or remove) from a file or folder
using the instructions found there? (It does say "Add Users to or
Remove Users from a File or Folder" <- which to me implies it can be
done either way.)

Admittedly, the "note" on that instruction set titled the above never
mentions folders, only files, but then should the title of that
instruction set be changed a bit? Or should we assume that if a
user has rights to a folder, they do not automatically have rights
to the files placed in that folder nor all the files that were in
the folder initially? At which point one has to wonder what was the
point of giving the user rights on the folder in the first place (or
even encrypting the folder to begin with..)?

Now *I* am thoroughly confused. heh
In a nutshell, this is how it works:
Files can be encrypted. Folders can't really be "encrypted". They're
"marked for encryption", which means that new files created in them
will be encrypted and new subfolders will also be marked for
encryption. Those new files are encrypted by the user that creates
them.

Users can be added/removed to/from files. We've never supported
add/remove on folders through the UI (because it's meaningless).

You're right - the kb is misleading. Well . . . actually it's kinda
lying. I'll file a bug and see if we can get that fixed.

I actually do understand the functionality a lot better after your
explanation. =)

Thanks!
 
