Remote EFS on Windows 2008R2
If this is not the correct forum for this question, please let me know. I'm a bit confused by EFS.

I recently set up a VM lab with 3 systems: 1st - "TESTDC1", a DC (Windows 2008 R2); 2nd - "TESTCA1", an Enterprise CA (Windows 2008 R2); 3rd - "TESTWK", a workstation (Windows XP SP3). 3 users are set up in AD: User1, User2, and EFSRA. User1 and User2 both have Basic EFS certs issued, and both certs show up within the user objects in AD Users and Computers. The EFSRA user has a recovery certificate.

A file share is set up on the Enterprise CA. The Enterprise CA, TESTCA1, where the file share is located, is set up for Kerberos delegation in AD (AD Users and Computers, computer object properties, Delegation tab, "Trust this computer for delegation to any service (Kerberos only)" enabled). A Group Policy preference is set up that maps the first available drive to the share on TESTCA1.

Log in as User1, create a file. Enable encryption on the file. Right click, choose Properties, Advanced, Details, select User2. Log in as User2, open the file: "access denied" error.

I've tried adding the certs for User1 and User2 both in Trusted People for the computer account on TESTCA1 (where the file share is), and I've tried adding both certs to the computer account on the workstation as well as to each user's Trusted People store. So far, no luck. The recovery agent user can successfully open the file. But I am unable to share the test files between User1 and User2 and vice versa.

I've used the following links to try and set up this test lab:
http://technet.microsoft.com/en-us/library/bb457065.aspx
http://technet.microsoft.com/en-us/library/cc962122.aspx
http://technet.microsoft.com/en-us/library/bb457116.aspx
http://technet.microsoft.com/en-us/library/cc700811.aspx

I've also tried to share a file locally on the Windows XP workstation. I created a test directory at the root of C:. Made sure the EFS certs for both users were in the Trusted People store for both users. Still unable to share the encrypted file.
Perhaps I'm missing the obvious or I'm over-complicating this, I'm not sure.
January 24th, 2011 1:56pm

EFS is for local file encryption, not for remote file encryption as you are trying. The only way to get it working the way you want is to use WebDAV rather than SMB/CIFS when you connect to the network share. WebDAV performs local encryption/decryption and can use the local certificates. You also want to consider using Credential Roaming Services so that the certificates of a user are available at any workstation that they log onto.
Brian
January 24th, 2011 3:55pm
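The steps from the question (encrypt a file, add the second user, see who can decrypt it) together with the checks a practitioner would run before deciding whether the remote path or the EFS sharing itself is broken, as an added PowerShell example. This is not code from the original thread or from Microsoft. It assumes the lab names from the question (TESTCA1, User1, User2), that it runs in an elevated Windows PowerShell session on TESTCA1 with the ActiveDirectory module (RSAT-AD-PowerShell) installed, and a placeholder local folder C:\EFSShare for the share, which the question does not name.

```powershell
# Added example for this thread, not code from the original post or from Microsoft.
# Assumptions: elevated Windows PowerShell 2.0 session on TESTCA1 (the 2008 R2
# file server), logged on as User1; ActiveDirectory module installed; the share's
# local folder is C:\EFSShare (placeholder, the question does not give the path).
# cipher.exe /adduser and /c exist on Vista/2008 and later, not on XP, which is
# why this runs on the server rather than on TESTWK.
Import-Module ActiveDirectory

$fileServer = 'TESTCA1'
$owner      = 'User1'
$target     = 'User2'
$path       = 'C:\EFSShare\efs-test.txt'

# 1. How is the file server's delegation configured?
#    "Trust this computer for delegation to any service (Kerberos only)" sets
#    TrustedForDelegation = True (unconstrained); constrained delegation instead
#    lists the permitted SPNs in msDS-AllowedToDelegateTo.
Get-ADComputer $fileServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Format-List Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 2. Which certificates are published on each user object (userCertificate)?
#    cipher /adduser /user: looks the other user's EFS certificate up here, so
#    it must be present, unexpired and carry the "Encrypting File System" EKU.
function Get-PublishedUserCert {
    param([string]$SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties userCertificate
    foreach ($raw in $u.userCertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        New-Object PSObject -Property @{
            User       = $SamAccountName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            EKU        = ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        }
    }
}
Get-PublishedUserCert $owner
Get-PublishedUserCert $target

# 3. Reproduce the question's steps from the command line on the server itself,
#    so that SMB, the mapped drive and delegation are out of the picture.
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
Set-Content -Path $path -Value 'constructed test content'
[System.IO.File]::Encrypt($path)              # Properties > Advanced > Encrypt
cipher.exe /adduser "/user:$target" $path     # Details > Add, using User2's AD-published cert
cipher.exe /c $path                           # lists who can decrypt and the recovery agent(s)

# 4. Now log on to TESTCA1 as User2 (or: runas /user:DOMAIN\User2 "notepad <path>")
#    and open the file. If that works locally but fails over the mapped drive,
#    the problem is in the remote path (delegation / profile), not in the EFS
#    sharing step itself.
```

The `cipher /c` output lists the certificate thumbprints the file's key is wrapped for. If User2's thumbprint from step 2 is not in that list after `/adduser`, the sharing step did not take. If it is listed and User2 still cannot open the file locally, User2 does not have the matching private key on that machine, which is the gap Brian's Credential Roaming suggestion addresses. Step 1 also tells you which kind of delegation the lab is using; the dialog option quoted in the question is unconstrained delegation, and a production file server should use constrained delegation to the specific services it needs instead.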

