EFS compatibility levels and multiple-user folder encryption
Previously EFS did not support adding multiple users to folders (circa Server 2000/Windows XP); however, one of the changes in Server 2008 was that EFS now supports this scenario.

I have configured an enterprise CA hierarchy in AD, and this is working fine. My users are automatically enrolled for EFS-purpose certificates when first creating encrypted files on my file server share, and this works fine.

On the Server 2008 file server hosting this network share, I can encrypt a folder, and the contents get encrypted. I can configure multiple users to have access to the files, but I don't have the option to do this on either the root folder or any of the subfolders. The 'Details' button (next to "Encrypt contents to secure data") is greyed out. cipher.exe says:

    E:\>cipher /C E:\Encrypted-Test\foldertest

    Listing E:\Encrypted-Test\
    New files added to this directory will be encrypted.

    E foldertest
      Compatibility Level: Windows XP/Server 2003
      Users who can decrypt:
        <etc>...

I have seen some references to cipher.exe output which indicates "Compatibility Level: Windows Vista/Server 2008". I think that's the key to my problem, but I don't see how to change it, or how to explicitly set this when creating an encrypted folder.

Will upping the EFS compatibility level fix my issue? ... and how can I set the compatibility level on the folder?

Thanks,
June 1st, 2012 4:24am

No, your problem lies on the other side. You can add additional users to file access only when you can decrypt the file. The folder may contain multiple encrypted files. You may have access to some of them, but not have access to other files (they are encrypted by other users), or they may even be unencrypted. Therefore, you can't add users on a folder level, because the operation in most cases fails. BTW, from the file system perspective, you can't encrypt the folder. When you encrypt the folder, you just encrypt the folder contents.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
June 1st, 2012 4:46am


So I don't think that's what I'm getting at. My use case is: I can create a file, and I can encrypt it, and then I can add the certificates for all the other users I want to open it onto the file. That works for one file but is not sustainable for 50. I simply want to have the data on disk encrypted, not so much restricting or permitting user X, Y or Z. Now in Server 2003 you can only do this to a file, not a folder, but with Server 2008 one of the improvements made to EFS was that it now supported folder encryption, so now I want to utilise this. I.e.: encrypt the folder, and add the certificates of the users to the folder? .. I suppose there is a secondary question of how the inheritance behaves after this has been achieved, but I am trying to get over this first hurdle.
June 1st, 2012 5:46am

> one file but is not sustainable for 50

I've explained why it won't work. Because other files may be encrypted by other users and you may not have access to all files.

> encrypt the folder, and add the certificates of the users to the folder?

You can encrypt the folder and its contents will be immediately encrypted. However, other users can place their own files. Folder encryption does not restrict other users from adding their own files; this sort of restriction is achieved by using NTFS permissions.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
June 1st, 2012 6:25am


Yes, OK, regardless of whether or not I can implement it, I can see the concept is flawed. I did want all domain users to be able to decrypt the files, and I would have controlled read/write etc. via NTFS ACLs, but this is not what EFS is designed to do. EFS is aimed at per-file encryption, not per datastore, and for per-datastore I would need to use BitLocker. Your comment: "from file system perspective, you can't encrypt the folder. When you encrypt the folder, you just encrypt folder contents" is the answer. From the Windows documentation I had read, I thought that this functionality had been extended in Server 2008, but it doesn't seem so.
June 1st, 2012 6:57am

(Thanks)
June 1st, 2012 6:58am


> EFS is aimed at per-file encryption, not per datastore, and for per-datastore I would need to use bitlocker

Exactly.

> From the windows documentation I had read, I thought that this functionality had been extended in server 2008, but it doesn't seem so.

No, because it depends on the file system structure. From the file system perspective, a folder is just an entry which contains offset indexes of all files in the folder.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
June 1st, 2012 10:16am


I have a similar problem. What I'm looking for is a way to encrypt a folder, then grant access to this folder using NTFS and share permissions with user names or security groups. This list of people will drop files into this folder that will automatically get encrypted. Only these people have access. Any change in personnel would be done by removing them from the permissions on this folder. I have tried PGP Desktop, but key encryption is a pain if we have turnover and would require a re-encryption of the entire folder. I even looked at EFS, but that only works at the file level. As a user places a file in the folder, they have access but none of the others do. You would need to script the "add permissions" option for this file. This folder could contain millions of files, so I don't see scripting as feasible. You mention Server 2008 has the option to add permissions at the folder level like you can at the file level, but I don't see the 'Details' button becoming un-grayed when I test this on a 2008 server. If that was indeed fixed, I must be missing something.

Ted
August 15th, 2012 12:24pm
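The replies above explain that EFS keys are wrapped per file and that an additional user can only be granted on a file the caller can already decrypt, which is why the folder-level 'Details' button stays greyed out. The following PowerShell script is an added example (not code from the thread or its posters) of doing the grant the only way EFS supports it: walking the folder and running cipher.exe /ADDUSER on each encrypted file, reporting the files the caller cannot decrypt instead of silently skipping them. It assumes cipher.exe with /ADDUSER and /CERTFILE (Vista/Server 2008 and later), that $CertFiles are the other users' exported EFS certificates (.cer), and that the account running it can decrypt the files.

```powershell
# Added example, not from the thread. Adds the users' EFS certificates to every
# encrypted file under $Folder, one file at a time, because EFS has no
# folder-level grant. Assumes cipher.exe /ADDUSER /CERTFILE (Vista/2008+).
param(
    [Parameter(Mandatory = $true)] [string]   $Folder,     # root of the encrypted share
    [Parameter(Mandatory = $true)] [string[]] $CertFiles   # exported .cer files of the users to add
)

$encryptedBit = [int][IO.FileAttributes]::Encrypted
$added = @(); $skipped = @(); $failed = @()

# PowerShell 2.0-compatible file enumeration (no -File switch on Server 2008)
$files = Get-ChildItem -Path $Folder -Recurse | Where-Object { -not $_.PSIsContainer }

foreach ($file in $files) {
    if (([int]$file.Attributes -band $encryptedBit) -eq 0) {
        # Plain-text file: there is no file encryption key to share, so nothing to add
        $skipped += $file.FullName
        continue
    }
    foreach ($cert in $CertFiles) {
        # /ADDUSER succeeds only if the caller holds a key that unwraps this file's FEK;
        # files encrypted by other users (and not covered by a DRA) fail here
        $out = & cipher.exe /ADDUSER "/CERTFILE:$cert" $file.FullName 2>&1
        if ($LASTEXITCODE -ne 0) {
            $failed += "$($file.FullName) <- $cert : $($out -join ' ')"
        } else {
            $added += "$($file.FullName) <- $cert"
        }
    }
}

"{0} grants added, {1} unencrypted files skipped, {2} failures" -f `
    $added.Count, $skipped.Count, $failed.Count
$failed | ForEach-Object { Write-Warning $_ }
```

Files dropped into the folder later are encrypted only under the dropping user's certificate (plus any recovery agent), so the script has to be re-run for them; who may write into the folder at all is controlled by NTFS and share permissions, not by EFS, as the replies point out.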
