EFS (multiple users)
We would like to set up encryption (using Windows EFS) for a group of users. So what we'll do is have one folder which will hold all the encrypted files. Now, I know I can set encrypted (to reflect the files) on the folder level (Windows XP) and I know I can add other users to the encrypted files. The question is, is there a way to automate it so that when UserA creates a new file in that folder, it automatically allows all those other users access to that file, without the creator (or recovery agent) having to manually add all the certificates to that new (UserA) file to give access for all those other users? If it is not possible with Windows encryption, then can anyone recommend a good 3rd party program that will take care of this? Thanks.
August 20th, 2009 7:16am

No, by design it is not possible. To automate this task you may use the cipher.exe utility (placing a script in Task Scheduler); however, this will not be fully automated, but it is the only way I know of. [http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
August 20th, 2009 10:42am

Thanks, that's what I thought. I'm sure this is a very common scenario. Can anyone share some ideas with me? 3rd party?
August 20th, 2009 7:37pm

I'm not sure if this 3rd party software exists, due to security reasons. Maybe you know how it works. User1 encrypts file FileA and wants to share this file with User2. When User1 encrypts this file, the symmetric encryption key is encrypted by User1's public key. This key may be decrypted by User1's private key only. If you have configured EFS recovery agents, this encryption key is automatically encrypted with each EFS recovery agent's public key. This process occurs when file encryption ends. If User1 wants to share this file with User2, then User1 takes his private key and decrypts the encrypting symmetric key material. After this, User1 takes User2's public key and encrypts the symmetric key with User2's public key. As you see, you must have access to User1's private key, which on the other hand is encrypted by User1's password. Therefore, any other implementation (such as granting access to a file to other users without asking User1 for this task) by design will not be safe and secure. As I have mentioned, there is only one way: use the cipher.exe utility in a batch and run it in User1's context. [http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
August 20th, 2009 7:56pm

Hi there, thanks for the info. Yes, I was aware of the process of how it works with EFS, but I thought maybe there is a 3rd party out there that simplifies the process when many users need to share encrypted files. Can you give me an example of the cipher syntax for the purpose of adding users to an encrypted file? So the cipher command would add all those other users when run in the context of the user who encrypted the file and/or the recovery agent? Thank you for all your help!
August 29th, 2009 12:23am
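The re-wrapping step described two posts up, and the cipher syntax asked for here, as an added PowerShell example (editor's code, not posted by anyone in the thread). It must run in the context of a user whose private key can already unwrap the files' keys, i.e. the creator or a recovery agent, for instance as that user's scheduled task. It assumes the Vista/Server 2008 build of cipher.exe (the /adduser and /c switches are not in the XP build), a folder holding one exported public-key certificate (.cer) per user who should get access, and the folder paths shown, all of which are illustrative assumptions.

```powershell
# Added example (not from the thread): give a list of users access to every
# EFS-encrypted file in a shared folder by re-wrapping each file's key.
# Run as the file creator or a recovery agent.  Assumes Vista/2008 cipher.exe
# and a folder of exported .cer files; paths are illustrative assumptions.
param(
    [string]$ShareFolder = 'S:\Encrypted',            # the common EFS folder
    [string]$CertFolder  = '\\fileserver\efscerts'    # one .cer per user
)

$cipher = Join-Path $env:SystemRoot 'System32\cipher.exe'

# Load the certificates once; the thumbprint is what cipher /c reports.
$certs = Get-ChildItem -Path $CertFolder -Filter '*.cer' | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName |
        Add-Member -MemberType NoteProperty -Name Path -Value $_.FullName -PassThru
}

# Only files that carry the Encrypted attribute; plain files are left alone.
$encrypted = Get-ChildItem -Path $ShareFolder -Recurse |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

foreach ($file in $encrypted) {
    # cipher /c lists who can decrypt, printing thumbprints as spaced hex
    # groups; collapse the whitespace so a raw thumbprint string matches.
    $holders = (& $cipher /c $file.FullName 2>&1 | Out-String) -replace '\s', ''
    foreach ($cert in $certs) {
        if ($holders -match $cert.Thumbprint) { continue }   # already has access
        # /adduser unwraps the file's symmetric key with the caller's private
        # key and stores a copy wrapped with this certificate's public key.
        & $cipher /adduser "/certfile:$($cert.Path)" $file.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Failed to add $($cert.Subject) to $($file.FullName)"
        }
    }
}
```

Running it as the recovery agent works because the file key is already wrapped to the agent's public key at encryption time; running it as anyone else fails on every file, which is exactly the design limit the previous reply describes. Files created after a run only get the extra users when the task runs again, so this is a scheduled catch-up, not a true on-create hook.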

Also, I have a quick question. When a user encrypts a file on a mapped drive (file server), where is the certificate (private key) stored? Is it kept locally or somewhere within the domain?
August 29th, 2009 12:28am

If the drive mapping is using NetBIOS, then the server must be trusted for delegation, and the certificate is both generated and stored on the remote server. If the drive mapping uses WebDAV, then the certificate is stored locally at the client computer in the user's profile. Brian
August 29th, 2009 7:29am

NetBIOS. Basically a Windows 2003 file server joined to an AD domain (or the DC itself acting as a file server), using drive mapping from an XP/Vista workstation joined to the same domain. Where is the certificate kept (so I can back up the private keys)? Assuming both scenarios: there is and/or isn't a CA in that domain?
August 30th, 2009 6:06am

As I stated in my first reply, the certificate is stored on the remote server in this case. To allow remote EFS encryption, the server must be trusted for delegation (to allow it to impersonate the user). The server generates a profile for the user on the remote server, and the EFS private keys are stored on that server. The certificate is either a self-signed certificate (if no PKI is created) or a Basic EFS certificate (with no key archival enabled). It is not a very good scenario, unless you move to using WebDAV. Brian
August 30th, 2009 3:43pm
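The checks a practitioner would want around the two replies above, as an added PowerShell example (editor's code, not posted in the thread): find which certificate EFS is actually using and whether it is self-signed or CA-issued, back up its private key, and confirm that the file server's computer account is trusted for delegation. For an SMB drive mapping the first two steps must run on the file server in the user's context, because that is where the server-side profile and key live; for WebDAV or local NTFS they run on the client. The server name, backup path and the use of the unconstrained-delegation flag are assumptions.

```powershell
# Added example (not from the thread): locate the user's EFS certificate,
# back up its private key, and check the file server's delegation setting.
# Run where the encryption happens (file server for SMB, client for WebDAV).
param(
    [string]$FileServer = 'FS01',                              # assumption
    [string]$BackupFile = "$env:USERPROFILE\efs-key-backup"    # cipher appends .pfx
)

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

# 1. Certificates in the user's store that carry the EFS EKU and a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages |
            ForEach-Object { $_.Value }
    ) -contains $efsEku
}
foreach ($c in $efsCerts) {
    # Subject == Issuer means the self-signed certificate EFS makes without a CA.
    $origin = if ($c.Subject -eq $c.Issuer) { 'self-signed (no CA)' } else { "issued by $($c.Issuer)" }
    Write-Host ("EFS certificate {0}, thumbprint {1}, {2}, expires {3}" -f `
        $c.Subject, $c.Thumbprint, $origin, $c.NotAfter)
}

# 2. Export certificate + private key to a password-protected PFX.  cipher /x
#    prompts for the password and, with no file argument, backs up the
#    caller's current EFS key.  Move the PFX off the server afterwards.
& "$env:SystemRoot\System32\cipher.exe" /x:"$BackupFile"

# 3. Remote EFS over SMB needs the server to impersonate the user, i.e. the
#    computer account must carry TRUSTED_FOR_DELEGATION (0x80000) in
#    userAccountControl.  Constrained delegation is recorded in
#    msDS-AllowedToDelegateTo instead and is not checked here.
$searcher = New-Object DirectoryServices.DirectorySearcher(
    "(&(objectClass=computer)(sAMAccountName=$FileServer`$))")
$result = $searcher.FindOne()
if ($result -eq $null) {
    Write-Warning "Computer account $FileServer not found in the domain"
} else {
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band 0x80000) {
        Write-Host "$FileServer is trusted for delegation; remote EFS can work"
    } else {
        Write-Warning "$FileServer is not trusted for delegation; remote EFS will fail"
    }
}
```

Step 3 is the part worth reading twice from a security standpoint: a server trusted for (unconstrained) delegation can impersonate any user who connects to it against any service, so the delegation setting EFS-over-SMB requires is also why the reply above calls this scenario "not very good" next to WebDAV, where the key never leaves the client.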

PGP Corporation has a product, "PGP NetShare", that addresses your requirements specifically. I have deployed it, with PGP Universal Server for key management, licensing and centralized user policy. It works great. https://www.pgp.com/products/netshare/index.html
July 26th, 2010 9:56pm
