EFS security 2008 R2 recovery agent problem
I’ve got an EFS encryption setup that doesn’t work like I thought it would work. We want a setup with a manager who is able to read all files that his employees encrypt.

DC01 = Certificate authority
WS01 = Workstation client 1
WS02 = Workstation client 2
Adminefs = Domain Admin account configured as EFS recovery agent
Manager = Domain user account configured as EFS recovery agent
User01 = Domain User account

Adminefs EFS recovery agent certificate is requested during the creation of the Group Policy. Manager EFS recovery agent certificate is requested with certmgr on WS01. (Before I’ve created an EFS recovery agent template with AD integration) After this creation I managed to add the manager EFS recovery agent certificate to the Group Policy.

If I create an encrypted file with user01 logged onto WS02 onto a fileshare on DC01, only Adminefs & user01 can open this file. Manager account can’t open this file using WS01. The manager can see the encryption information, but can’t open or decrypt the file.

Users who can access this file:
User01

Recovery certificates for this file as defined by recovery policy:
Adminefs
Manager
October 26th, 2011 9:07am

Hi. Did you activate credential roaming? It looks like when you log on with the manager account on WS01 you don't have your EFS recovery certificate private key. Look in the manager personal store on WS01 to see if your EFS recovery certificate is there with the private key.
Stef71
October 26th, 2011 10:31am

I've solved it. There were old certificates attached to his AD account. The certificate enrollment just adds extra certificates to the user account. I thought it would update those certificates and mark the newest as default. I've deleted the old certificates and everything works perfectly.
D.
November 7th, 2011 10:56am
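
A way to check for the two conditions raised in this thread (a recovery certificate without its private key in the Personal store, and several recovery certificates attached to the same AD account), as an added example that is not part of the original posts. It assumes it is run as the recovery agent account (Manager) on a domain-joined workstation (WS01) and that the attached certificates live in the account's userCertificate attribute; the function name Test-FileRecoveryEku is made up for this sketch.

```powershell
# Added diagnostic sketch; run as the recovery agent user on its workstation.
$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Test-FileRecoveryEku {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

# 1. Recovery certificates in the user's Personal store, keyed by thumbprint.
$local = @{}
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-FileRecoveryEku $_ } |
    ForEach-Object { $local[$_.Thumbprint] = $_ }

# 2. Recovery certificates published on the AD account (assumed: userCertificate).
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('usercertificate')
$entry = $searcher.FindOne()
$published = @()
if ($entry) {
    foreach ($raw in $entry.Properties['usercertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        if (Test-FileRecoveryEku $c) { $published += $c }
    }
}

# 3. One row per published certificate: is the matching private key usable here?
$report = foreach ($c in $published) {
    $mine = $local[$c.Thumbprint]
    New-Object PSObject -Property @{
        Thumbprint      = $c.Thumbprint
        NotBefore       = $c.NotBefore
        NotAfter        = $c.NotAfter
        InPersonalStore = [bool]$mine
        HasPrivateKey   = [bool]($mine -and $mine.HasPrivateKey)
    }
}
$report | Sort-Object NotBefore |
    Format-Table Thumbprint, NotBefore, NotAfter, InPersonalStore, HasPrivateKey -AutoSize

if ($published.Count -gt 1) {
    Write-Warning "$($published.Count) File Recovery certificates are attached to this account; older ones may be stale."
}
```

The thumbprints in the table can be compared with the recovery certificate thumbprints that `cipher /c <file>` reports for an affected file.
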
