EFS private key in active directory?
Where is the private key stored for EFS in active directory? I'm guessing it's stored in AD because I can login to one machine as UserA, encrypt a file on a network share, then login as UserA on a different machine and read the file.
Also, how do you keep it from being stored in AD? When creating the template I unchecked the box that says "Publish certificate in Active Directory". So, I don't see anything in the userCertificate attribute of the user but where is the private key?
April 18th, 2011 12:31pm
By default private keys are never stored in AD. The only way to store them in AD is to implement Credential Roaming Service. In your case when you encrypt a file on a network share your user profile is loaded on remote machine and a file is encrypted there (no local resources and certificates are used). Remote server must be trusted for delegation (if a remote computer is domain controller, it is trusted for delegation by default).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 18th, 2011 1:07pm
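The checks below are an added example, not part of the thread or Vadims' PowerShell PKI module. They verify each point of the answer above from an admin workstation: that the user's EFS certificate is not published in AD, that the remote server holds a delegation right, and that the private key sits in the local user profile rather than in the directory. The account name, server name and share path are placeholders; the ActiveDirectory (RSAT) module is assumed to be installed and the script run as the encrypting user.

```powershell
# Added example (not from the original thread). Placeholder names below.
$User   = 'UserA'        # placeholder: the account that encrypted the file
$Server = 'FILESRV01'    # placeholder: server (or DC) hosting the share

Import-Module ActiveDirectory

# 1. Is the EFS certificate published in AD? With "Publish certificate in
#    Active Directory" unchecked on the template, userCertificate stays empty.
$adUser = Get-ADUser -Identity $User -Properties userCertificate
"userCertificate entries for $User`: $($adUser.userCertificate.Count)"

# 2. Does the remote server hold a delegation right? Encrypting on a remote
#    share requires the server to be trusted for delegation (DCs are by default).
$adComputer = Get-ADComputer -Identity $Server -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
"$Server TrustedForDelegation (unconstrained): $($adComputer.TrustedForDelegation)"
"$Server constrained delegation targets: $($adComputer.'msDS-AllowedToDelegateTo' -join ', ')"

# 3. Where is the private key? In the user's own store (Cert:\CurrentUser\My),
#    backed by the roaming/local profile; HasPrivateKey confirms it is present
#    on this machine, and nothing equivalent exists on the user object in AD.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter

# 4. Confirm which certificate thumbprints can decrypt a given file on the share.
cipher.exe /c "\\$Server\share\secret.txt"   # placeholder path
```

Step 1 returning zero entries is the expected result for the template setting described in the question; steps 3 and 4 together show why UserA can open the file from any machine: the key material travels with the profile (for CAPI keys, under the profile's Microsoft\Crypto\RSA\<SID> folder), and the thumbprint `cipher /c` reports matches the certificate in that profile store. Step 2 is the setting to review if remote encryption fails on a member server rather than a DC.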
I can't believe I didn't notice the profile on the remote machine (which is a DC). Thanks Vadims.
April 18th, 2011 2:24pm