EFS and multiple users
Hi,
I've got a problem that I would love to get some help with, please.
Setup summary: Windows 2003 domain and forest functional level, Windows 2008 DCs with one 2003 DC, a Windows 2008 file server and a Windows 2008 Enterprise Root CA on Windows Standard.
I have a file in a share on the file server that I would like to encrypt with EFS so that two users can seamlessly access the file.
Here is what I have done so far:
1) Deploy a new Windows 2008 Enterprise Root CA.
2) Configure two key recovery agents in AD group policy.
3) Use the Certificate Services web site to enroll two test accounts for user certificates using two Windows 7 laptops (user 1 on laptop 1 and user 2 on laptop 2).
4) Open the Certificates MMC snap-in for each user and check their certificates are OK. Check AD to ensure the new certificates are listed on the 'Published Certificates' tab for each of them.
5) Logged in as user 1 on laptop 1, created a file in the network share, then encrypted it with EFS and added user 2 to the file as a user that should have seamless access. This all worked seamlessly with no reported errors.
6) Logged in to laptop 2 as user 2 and tried to access the file in the network share. I received an access denied message.
7) As user 2 on laptop 2, checked the encrypted file: user 1 and user 2 are both listed there.
I cannot see any certificate errors nor what is wrong... oh yup, and I checked the NTFS permissions. Any ideas?
Thanks,
Mark
August 1st, 2012 9:52am
You need a better understanding of how EFS works. The certificates used for encrypting/decrypting the EFS files are located *on the server*, not on the client. To be honest with you, EFS is not really good in a file-sharing scenario. To work the way you want it to, you must have the users connect using WebDAV rather than through SMB.
Please see the following whitepaper (it is old, but nothing has changed for your scenario): http://technet.microsoft.com/en-us/library/cc700811.aspx
Brian
August 1st, 2012 10:07am
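The checks below are an added example and are not part of the thread or of the Microsoft whitepaper Brian links to. They collect, in one script, the things a practitioner would verify before adding a second EFS user to a file on an SMB share: that the file is really EFS-encrypted, which certificate thumbprints are already on it, that the second user has an EFS-capable certificate published in AD (which is where `cipher /adduser /user:` looks it up), and, because over SMB the file server performs the EFS operation while impersonating the connecting user, that the server is trusted for delegation and the user account is not marked as non-delegable. The server name `FS01`, the share path, the file name and the user `user2` in domain `CONTOSO` are hypothetical placeholders; the script needs the ActiveDirectory module and runs on a domain-joined Windows host.

```powershell
# Added example, not code from the original thread. All names below are placeholders.
$Path   = '\\FS01\Data\Secret.txt'   # hypothetical share and file
$Server = 'FS01'                     # hypothetical file server
$User2  = 'user2'                    # hypothetical second user (sAMAccountName)
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"

Import-Module ActiveDirectory

# 1. Confirm the file actually carries the EFS attribute.
$attrs = (Get-Item -LiteralPath $Path).Attributes
if (($attrs -band [IO.FileAttributes]::Encrypted) -eq 0) {
    throw "$Path is not EFS-encrypted; nothing to add a user to."
}

# 2. List the users and certificate thumbprints already able to decrypt the file.
#    cipher.exe /c prints the data decryption field (DDF) and recovery field (DRF).
Write-Host "Current EFS users on $Path :"
cipher.exe /c $Path

# 3. Check that the second user has an EFS-capable certificate published in AD.
#    cipher /adduser /user: resolves the certificate from the userCertificate attribute,
#    so an unpublished or non-EFS certificate is a common reason the add looks fine
#    but the added user still cannot open the file.
$adUser   = Get-ADUser -Identity $User2 -Properties userCertificate, AccountNotDelegated
$efsCerts = foreach ($raw in $adUser.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    if ($cert.EnhancedKeyUsageList.ObjectId -contains $EfsEku) { $cert }
}
if (-not $efsCerts) {
    throw "$User2 has no certificate with the EFS EKU published in AD."
}
$efsCerts | ForEach-Object {
    Write-Host ("EFS cert for {0}: thumbprint {1}, expires {2}" -f $User2, $_.Thumbprint, $_.NotAfter)
}

# 4. Over SMB the server impersonates the user to perform the EFS operation, so the
#    server must be trusted for delegation and the user must be delegable.
$srv = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
if (-not $srv.TrustedForDelegation) {
    Write-Warning "$Server is not trusted for delegation; server-side EFS for remote users will fail."
}
if ($adUser.AccountNotDelegated) {
    Write-Warning "$User2 is marked 'sensitive and cannot be delegated'; the server cannot impersonate this user."
}

# 5. Add the second user to the file by their published certificate, then re-list.
cipher.exe /adduser /user:$User2 $Path
cipher.exe /c $Path
```

If step 5 succeeds but the second user still gets "access denied" when opening the file over the SMB share, the remaining variable is where that user's private key lives: with SMB the decryption is attempted on the file server, not on the laptop, which is the point Brian's reply and the whitepaper's SMB-versus-WebDAV section make.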
Thank you for the link to the document and the reply. I have had a read and there is nothing there that says that this won't work or that indicates that we should have done anything different to make this work.
Just to clarify, EFS works fine for the individual users. It only runs into problems when one user adds another user to a file they have already encrypted. The extra user cannot access the file, even though I cannot find anything wrong anywhere.
Thank you,
Mark
August 1st, 2012 11:32am
Please read the *entire* whitepaper. Focus on the network section comparing WebDAV and SMB.
Brian
August 1st, 2012 11:43am
Here is another link for you
http://bit.ly/QeD0Ja
Brian
August 1st, 2012 11:48am
Yes, thank you. I have read a lot of this whitepaper already, but I have re-read the "Remote Storage of Encrypted Files Using SMB File Shares and WebDAV" section and there is nothing I can see in there that says this won't work or that we have done something incorrectly.
I may not have said, but we have ensured that delegation is properly set up on the accounts/computers.
It works perfectly if just a single user wants to encrypt/access a file, but not if you try adding a second user. The second user cannot access the file but the first user still can, even though the second user has been properly added to the file.
If there is something specific you are referring to in the whitepaper then I would be grateful if you could point it out.
Thank you,
Mark
August 1st, 2012 12:06pm
OK, seriously now... If you are not actually going to try to help people out and are instead just going to post a link to pages and pages of guidance in the hope that it contains the answer to someone's problem (I'm guessing just to try and get yourself more votes), then please don't bother posting any more.
If you have something specific to suggest that may help then please do... if not, then hopefully someone else will be able to help me out.
Thank you,
Mark
August 1st, 2012 12:16pm
Sorry. The answer was in my first post. You must use WebDAV to support the scenario you are trying to use.
I am not here to provide free consulting (which is what you appear to want).
I will make sure never to answer any of your questions again so that I do not bruise your ego.
Brian
August 1st, 2012 10:56pm