CA's and File Share issues
Hi All, (Warning: Newbie, been in the game for less than 4 months)

Issues: Multiple certifications being issued to users when attempting to encrypt/decrypt, and the inability to allow other users to be added to the access list. (Also, when looking at regedit, under Windows NT I don't have any certs. Not sure if this is part of the problem.)

What I am looking for is to give a couple of users access to a file share on our servers with confidential data which I need encrypted. I will start from the top. I have installed an Enterprise Root on a Windows 2008 R2 Enterprise edition virtual machine using VMware. The file share is on a Windows 2003 R2. I decided to go with a single-tier architecture because we only have about 60 machines, so I didn't design a CAPolicy.inf or build a post file. I went with all the standard settings when adding the CA role.

While attempting to add the EFS template to be auto-enrolled, it said I needed an EFS Recovery Agent, so I made my enterprise admin the EFS RA. This allowed me to deploy a variant of the EFS template which I scoped for my organization (included a screen shot). I built it from Active Directory and kept everything the same except for the time length of issuing/renewal (5yrs, 6months), required prompt during enrollment (which I am planning on taking away once I figure out everything), and checked "do not automatically enroll if a duplicate certificate exists in AD". I thought this fixed my multiple cert issuing problem, but it didn't, as I found out this morning.

I am able to issue certifications and encrypt files. (I was also forced around that time to create a Key Recovery Agent, assigned that to the Enterprise Admin as well. I needed to be able to archive for EFS, I guess.) Once I encrypt on the file share, I attempt to decrypt the file but can't add additional users to the "Users who can access this file" list (the OK button is grayed out). I am able to search and find other users' certifications but can't click OK even though I was the initial creator and encryptor. It will allow me to view the cert and install it under my user profile but nothing more, and I don't think this would be useful. (The Recovery Agent's certification is there, though.)

In group policy I have it set to enable roaming and auto-enrollment in users (screen shot included). I also have done the same in computers and left the other settings standard. I have been working on this for a couple of weeks, so am kinda turned about with what I have checked and unchecked in my testing. I provided some screen shots to be more helpful. This is my first post here and I am pretty new to the admin world, so if I didn't write this up correctly let me know, and sorry. Thanks!
August 21st, 2012 2:28pm

August 21st, 2012 2:51pm

Hi, Thanks for posting in Microsoft TechNet forums. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support. Regards Kevin
August 22nd, 2012 10:38pm

Hi, Please refer to the following thread and let me know if your problem matches that described in the thread.

http://social.technet.microsoft.com/Forums/en-us/itprovistasecurity/thread/ce641f0a-16ed-4dc6-988c-4f7ca4ea9cce

Best regards, Jason Mei

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 23rd, 2012 4:02am

That sounds exactly like half of my problem. Although the system is different (I am on 2008R2 and Win 7) I am definitely going to give it a try. Thanks. The only issue is because the account is being issued a certification every time. I am wondering which one I should use or should I copy all of them. I have been looking for this for a month. Finally some insight!
August 24th, 2012 4:20pm

It also doesn't go into which certification should be placed in "Other People". I would assume that this is the cert that I would have in my personal store, then I copy it down to Other People? Or is it a totally different certification?
August 24th, 2012 4:35pm
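For the "which one should I use" question in the two posts above, an added example (not part of the original thread) that inventories the EFS-capable certificates in the signed-in user's Personal store and marks the one EFS is currently configured to use. It assumes the standard per-user EFS key location in the registry and the standard EFS enhanced key usage OID; the function name is hypothetical.

```powershell
# EKU OID for "Encrypting File System"
$efsOid = '1.3.6.1.4.1.311.10.3.4'

# Hypothetical helper: certificates in the user's Personal store whose
# EKU extension lists the EFS purpose. Certificates with no EKU extension
# (all-purpose) are intentionally skipped here.
function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid)
    }
}

# Thumbprint of the certificate EFS currently uses for new encryptions.
# Assumption: standard per-user location; the key is absent until the
# user has encrypted something or been issued an EFS key.
$efsKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$current = $null
if (Test-Path $efsKey) {
    $hash = (Get-ItemProperty -Path $efsKey).CertificateHash
    if ($hash) {
        $current = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}

if (-not $current) {
    Write-Warning 'No current EFS key is recorded for this user profile.'
}

# Newest first, so repeated enrollments of the same template are easy to spot.
Get-EfsCertificate |
    Sort-Object NotBefore -Descending |
    Select-Object Thumbprint, NotBefore, NotAfter, HasPrivateKey, Issuer,
        @{ Name = 'CurrentEfsKey'; Expression = { $_.Thumbprint -eq $current } } |
    Format-Table -AutoSize
```

Run it as the affected user; `cipher /c <file>` then shows the thumbprints of the certificates that can decrypt a given file, which can be matched against this list.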

Hi, we should copy it down to Other People for a test first. This is the only information I found for this issue, so please let me know once you have any updates.

Best regards, Jason Mei

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 25th, 2012 3:53am


Ok, I have a lot of stuff going on but will definitely try this out and let everyone know. I am surprised this isn't a more common issue.
August 28th, 2012 11:54am

This topic is archived. No further replies will be accepted.
