RE: WinXP Encryption Added users "Access denied"

From: Pat Hoffer [MSFT] (pathoff_at_online.microsoft.com)
Date: 07/06/05


Date: Tue, 5 Jul 2005 16:32:02 -0700

The documentation applies to sharing encrypted files between users who log
onto the same computer--in other words, both users have profiles and EFS
certificates/keys on the same PC. If you want to enable the users to access
those local files from a second computer, you must configure the first
computer to be trusted for delegation and share out the files.

If you want to share files that have been encrypted on a remote server, you
will have more success by using roaming profiles for the users. Configure
the profiles to be roaming, log onto a domain PC as each user and
install/create an EFS certificate for the user (encrypt a file), and then
publish that certificate to the AD (so it can be added to files). When the
user encrypts a file on the remote server for the first time, the server will
use the certificate from the user's roaming profile. Be sure when you are
adding users' certificates to remote files on the server that you are adding
the certificates that are stored in their roaming profiles.

Hope that helps.
Pat

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
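The steps in the reply above (create the user's EFS certificate, publish it to AD, trust the file server for delegation, and add the correct certificate to the remote file) as an added PowerShell example; this is not code from the original thread or from Microsoft. It assumes a current domain with the ActiveDirectory module (RSAT) installed, a file server named FILESRV, a user named user2, a UNC path \\FILESRV\share\secret.doc, and the CurrentUser TrustedPeople store as the place to hold other users' public certificates; cipher /adduser and cipher /c exist on Vista and later, not on the XP/Windows 2000 machines in the thread.

```powershell
# Added example, not from the original post. Names below (FILESRV, user2, paths,
# the TrustedPeople store) are assumptions; adjust them to your environment.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # EFS-capable certificates in the current user's personal store that carry a private key.
    # A cert without a private key cannot decrypt, even if it shows up in the file's Details tab.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            (($_.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEku)
        })
    }
}

function Export-EfsPublicCert($Cert, $Path) {
    # Public half only (DER .cer). The private key stays in the user's profile.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($Path, $bytes)
}

function Import-OtherUserCert($Path) {
    # Holds another user's public EFS cert so it can be added to files. Store choice is an assumption.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

function Publish-EfsCertToAd($SamAccountName, $Cert) {
    # Writes the public cert to the user's userCertificate attribute so the server can find it.
    Set-ADUser -Identity $SamAccountName -Certificates @{ Add = $Cert }
}

function Test-ServerDelegation($ComputerName) {
    # The file server must be trusted for delegation to use a user's key on their behalf.
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation
    return [bool]$c.TrustedForDelegation
}

function Test-PublishedCertMatchesLocal($SamAccountName, $LocalCert) {
    # The thumbprint published in AD (the one the server will use) must be the same
    # certificate that is added to the remote file, or the user gets "Access denied".
    $published = (Get-ADUser -Identity $SamAccountName -Properties Certificates).Certificates |
        ForEach-Object { $_.GetCertHashString() }
    return ($published -contains $LocalCert.Thumbprint)
}

# --- Run as user2 on a domain PC, after encrypting one file to create the EFS cert ---
$mine = Get-EfsCertificate | Select-Object -First 1
if (-not $mine) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
Export-EfsPublicCert -Cert $mine -Path "$env:TEMP\user2.cer"
Publish-EfsCertToAd -SamAccountName 'user2' -Cert $mine
if (-not (Test-PublishedCertMatchesLocal -SamAccountName 'user2' -LocalCert $mine)) {
    Write-Warning 'Published certificate does not match the local EFS certificate'
}

# --- Run as user1 (the file owner) on a domain PC ---
if (-not (Test-ServerDelegation -ComputerName 'FILESRV')) {
    Write-Warning 'FILESRV is not trusted for delegation; enable with Set-ADComputer -TrustedForDelegation $true'
}
$other = Import-OtherUserCert -Path "$env:TEMP\user2.cer"
# Add user2's certificate to the encrypted file and list everyone who can decrypt it.
cipher /adduser "/certhash:$($other.Thumbprint)" \\FILESRV\share\secret.doc
cipher /c \\FILESRV\share\secret.doc
```

The last two lines do on the command line what the Details tab's Add button does in the GUI; cipher /c prints the certificate thumbprints recorded in the file, which is the quickest way to confirm that the thumbprint stored there is the one user2 actually holds in the profile used to log on.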
"Rilje" wrote:
> Hi,
> 
> I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain and 
> exchange server running small business server 2003.  Trying to encrypt files 
> on server and allow access by multiple users on the network.  Using as my 
> guide the microsoft document:
> 
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx
> 
> PC1 user1, PC2 user2 both have r/w access to a shared drive on the server.
> 
> As user1(w/admin privileges), from PC1(NOT the server), I encrypt a file on 
> a shared drive residing on the server.
> 
> Then I get on PC2 as user2 and encrypt a test file on PC2 to generate a 
> certificate/key.  I then export the cert to a drive accessible by PC1.
> 
> On PC1, I import the cert, and stick it in the Trusted Root Certification 
> Store.
> 
> Next, on PC1, I do a right click-->properties-->advanced and go into the 
> Details tab and Add user2 from PC2.
> 
> Most of the time I can look at the properties of the encrypted file from 
> both computers/users and see the two users in there under details.*
> 
> From PC1,user1, I can see the file contents.
> From PC2,user2, I get access denied.
> 
> *I have noticed that sometimes when I try to look at the properties for the 
> encrypted file from PC1 or PC2, it takes a while, and sometimes clicking on 
> the advanced button takes a really long time (I killed the app from task mgr 
> after 10 minutes) AND causes other people on the network to have problems 
> accessing their outlook email.
> 
> Next, I went thru the same procedure with a file on PC1 which was in a 
> shared folder with r/w accessibility for PC2/user2.  I saw the same behavior 
> as above except I can always get the properties and advanced/detail panels 
> to come up without delay or appreciable network impact, e.g.:
> 
> From PC1,user1, I can see the file contents.
> From PC2,user2, I get access denied.
> 
> In the first case, sharing a file on the server, I can see that there might 
> be some operating system conflict (Win2K as the server, WinXP as the client) 
> but in the second case, sharing a file on the Peer PC1, I'm unclued.
> 
> Has anyone else seen this behavior or does anyone see what I'm doing wrong? 
> Thanks. 