Re: Sharing Folders using EFS in XP Pro

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 01/21/04


Date: Tue, 20 Jan 2004 17:56:02 -0800

In a nutshell, this is how it works:
Files can be encrypted. Folders can't really be "encrypted". They're
"marked for encryption", which means that new files created in them will be
encrypted and new subfolders will also be marked for encryption. Those new
files are encrypted by the user that creates them.

Users can be added/removed to/from files. We've never supported add/remove
on folders through the UI (because it's meaningless).

You're right - the kb is misleading. Well . . . actually it's kinda lying.
I'll file a bug and see if we can get that fixed.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Shenan Stanley" <news_helper@hushmail.com> wrote in message
news:%23lSr$s73DHA.360@TK2MSFTNGP12.phx.gbl...
> Douglas Pribyl wrote:
> > I am stumped and I hope that someone can help me.  I have
> > a customer with a Windows XP Pro computer that has two
> > users.  These two users have placed all of their shared
> > files in the "Shared Documents" folder.
> >
> > They have very confidential information stored in this
> > folder and have tried to encrypt the folder using the
> > built in Encrypted File System software.  It is very easy
> > to encrypt the folder, but only the user that encrypts it
> > has access to the files making it useless.
> >
> > There are currently thousands of files in this shared
> > folder, and I am told by Microsoft that I have to click
> > on each individual file and add the second user's account
> > for shared access to these encrypted files.  This is
> > absolutely absurd and impossible.
> >
> > I need to find out if there is a patch or a workaround
> > that allows you to add more than one user to an encrypted
> > folder and thus give them access to all encrypted files
> > in that folder and all subfolders as well.  If
> > Microsoft's EFS product can't do this, is there a product
> > that integrates with Microsoft's File Explorer so that I
> > can still right click on a folder, have the option to
> > encrypt it, and then designate the users that can access
> > it??  Being able to only share individual files makes no
> > sense to me at all.  Any help with this matter would be
> > greatly appreciated.
>
> Shenan Stanley wrote:
> > As far as I understand it, you can only grant access to a specific
> > file - one at a time - as you have stated.  I do not believe there
> > is a way to do a folder in Windows XP.
> >
> > I do believe this was "remedied" in Windows 2003:
> > http://support.microsoft.com/?kbid=324897#22
> >
> > (As you can see, if you have these files stored on a Windows 2003
> > server and shared among the two - you MAY be able to do what you
> > wish..)
>
> Drew Cooper [MSFT] wrote:
> > The other Microsoftie was telling the truth - through the UI you have
> > to add users one file at a time.  It would be possible to write a
> > tool that called the AddUsersToEncryptedFile API to automate the
> > process if you're a coder.
> >
> > And it works the same way on Server 2003.
> >
> > As far as 3rd-party file encryption goes, I can't recommend any but
> > maybe someone else (who isn't a Microsoft employee) on the newsgroup
> > can.
>
> Wait.. Wait.. Wait..
>
> You mean that you still have to do it file-by-file in Windows 2003 server as
> well.  Don't the instructions found at:
>
> http://support.microsoft.com/?kbid=324897#22
>
> specify that you can add a user (or remove) from a file or folder using the
> instructions found there?  (It does say "Add Users to or Remove Users from a
> File or Folder" <- which to me implies it can be done either way.)
>
> Admittedly, the "note" on that instruction set titled the above never
> mentions folders, only files, but then should the title of that instruction
> set be changed a bit?  Or should we assume that if a user has rights to a
> folder, they do not automatically have rights to the files placed in that
> folder nor all the files that were in the folder initially?  At which point
> one has to wonder what was the point of giving the user rights on the folder
> in the first place (or even encrypting the folder to begin with..)?
>
> Now *I* am thoroughly confused. heh
>
> -- 
> <- Shenan ->
> -- 
>
>
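
The thread mentions that a tool calling the AddUsersToEncryptedFile API could automate the per-file step. The following is an added example, not code from the original posts or from Microsoft: a PowerShell script that walks a folder and adds one user's EFS certificate to every encrypted file. The parameter names, the exported `.cer` file and the `Efs` helper class are assumptions; the caller must already be able to open the files.

```powershell
# Added example, not from the thread. $Root, $CertFile and $Account are assumed inputs.
param(
    [string]$Root,      # folder whose encrypted files should gain a second user
    [string]$CertFile,  # that user's exported EFS certificate (.cer, public part only)
    [string]$Account    # that user's account name, e.g. 'MACHINE\seconduser'
)
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Efs {
    // Mirrors of EFS_CERTIFICATE_BLOB, ENCRYPTION_CERTIFICATE, ENCRYPTION_CERTIFICATE_LIST.
    [StructLayout(LayoutKind.Sequential)] struct Blob { public uint Encoding, Size; public IntPtr Data; }
    [StructLayout(LayoutKind.Sequential)] struct Cert { public uint TotalLength; public IntPtr Sid, CertBlob; }
    [StructLayout(LayoutKind.Sequential)] struct CertList { public uint Count; public IntPtr Users; }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint AddUsersToEncryptedFile(string fileName, ref CertList certs);

    // Adds one user (SID + DER certificate) to one encrypted file; returns the Win32 error code.
    public static uint AddUser(string file, byte[] sid, byte[] der) {
        GCHandle hSid = GCHandle.Alloc(sid, GCHandleType.Pinned);
        GCHandle hDer = GCHandle.Alloc(der, GCHandleType.Pinned);
        Blob blob = new Blob { Encoding = 1 /* X509_ASN_ENCODING */, Size = (uint)der.Length,
                               Data = hDer.AddrOfPinnedObject() };
        GCHandle hBlob = GCHandle.Alloc(blob, GCHandleType.Pinned);
        Cert cert = new Cert { TotalLength = (uint)Marshal.SizeOf(typeof(Cert)),
                               Sid = hSid.AddrOfPinnedObject(), CertBlob = hBlob.AddrOfPinnedObject() };
        GCHandle hCert = GCHandle.Alloc(cert, GCHandleType.Pinned);
        GCHandle hUsers = GCHandle.Alloc(new IntPtr[] { hCert.AddrOfPinnedObject() }, GCHandleType.Pinned);
        try {
            CertList list = new CertList { Count = 1, Users = hUsers.AddrOfPinnedObject() };
            return AddUsersToEncryptedFile(file, ref list);
        } finally { hUsers.Free(); hCert.Free(); hBlob.Free(); hDer.Free(); hSid.Free(); }
    }
}
'@
$certPath = (Resolve-Path -LiteralPath $CertFile).Path
$der = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath).RawData
$acct = New-Object System.Security.Principal.NTAccount $Account
$sidObj = $acct.Translate([System.Security.Principal.SecurityIdentifier])
$sid = New-Object byte[] $sidObj.BinaryLength
$sidObj.GetBinaryForm($sid, 0)

# Folders are only "marked for encryption"; the user list lives on each file, so walk them all.
Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    ForEach-Object {
        $rc = [Efs]::AddUser($_.FullName, $sid, $der)
        if ($rc -ne 0) { Write-Warning ("{0}: Win32 error {1}" -f $_.FullName, $rc) }
    }
```

Because new files in a marked folder are encrypted only by the user who creates them, the script has to be run again after files are added.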

