Sharing Folders using EFS in XP Pro
Douglas Pribyl
a customer with a Windows XP Pro computer that has two
users. These two users have placed all of their shared
files in the "Shared Documents" folder.
They have very confidential information stored in this
folder and have tried to encrypt the folder using the
built in Encrypted File System software. It is very easy
to encrypt the folder, but only the user that encrypts it
has access to the files making it useless.
There are currently thousands of files in this shared
folder, and I am told by Microsoft that I have to click
on each indvidual file and add the second user's account
for shared access to these encrypted files. This is
absolutely absurd and impossible.
I need to find out if there is a patch or a workaround
that allows you to add more than one user to an encrypted
folder and thus give them access to all encrypted files
in that folder and all subfolders as well. If
Microsoft's EFS product can't do this, is there a product
that integrates with Microsoft's File Explorer so that I
can still right click on a folder, have the option to
encrypt it, and then designate the users that can access
it?? Being able to only share individual files makes no
sense to me at all. Any help with this matter would be
greatly appreciated.
Shenan Stanley
As far as I understand it, you can only grant access to a specific file -
one at a time - as you have stated. I do not believe there is a way to do a
folder in Windows XP.
I do believe this was "remedied" in Windows 2003:
http://support.microsoft.com/?kbid=324897#22
(As you can see, If you have these files stored on a Windows 2003 server and
shared among the two - you MAY be able to do what you wish..)
--
<- Shenan ->
--
![Drew Cooper [MSFT]'s profile photo](https://lh3.googleusercontent.com/a/default-user=s40-c)
Drew Cooper [MSFT]
users one file at a time. It would be possible to write a tool that called
the AddUsersToEncryptedFile API to automate the process if you're a coder.
And it works the same way on Server 2003.
As far as 3rd-party file encryption goes, I can't recommend any but maybe
someone else (who isn't a Microsoft employee) on the newsgroup can.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Shenan Stanley" <news_...@hushmail.com> wrote in message
news:%23PUvabx...@TK2MSFTNGP12.phx.gbl...
Shenan Stanley
Shenan Stanley wrote:
> As far as I understand it, you can only grant access to a specific
> file - one at a time - as you have stated. I do not believe there
> is a way to do a folder in Windows XP.
>
> I do believe this was "remedied" in Windows 2003:
> http://support.microsoft.com/?kbid=324897#22
>
> (As you can see, If you have these files stored on a Windows 2003
> server and shared among the two - you MAY be able to do what you
> wish..)
Drew Cooper [MSFT] wrote:
> The other Microsoftie was telling the truth - through the UI you have
> to add users one file at a time. It would be possible to write a
> tool that called the AddUsersToEncryptedFile API to automate the
> process if you're a coder.
>
> And it works the same way on Server 2003.
>
> As far as 3rd-party file encryption goes, I can't recommend any but
> maybe someone else (who isn't a Microsoft employee) on the newsgroup
> can.
Wait.. Wait.. Wait..
You mean that you still have to do it file-by-file in Windows 2003 server as
well. Doesn't the instructions found at :
http://support.microsoft.com/?kbid=324897#22
Specify that you can add a user (or remove) from a file or folder using the
instructions found there? (It does say "Add Users to or Remove Users from a
File or Folder" <- which to me implies it can be done either way.)
Admittedly, the "note" on that instruction set titled the above never
mentions folders, only files, but then should the title of that instruction
set be changed a bit? Or should we assume that if a user has rights to a
folder, they do not automatically have rights to the files placed in that
folder nor all the files that were in the folder initially? At which point
one has to wonder what was the point of giving the user rights on the folder
in the first place (or even encrypting the folder to begin with..)?
Now *I* am thoroughly confused. heh
Drew Cooper [MSFT]
Files can be encrypted. Folders can't really be "encrypted". They're
"marked for encryption", which means that new files created in them will be
encrypted and new subfolders will also be marked for encryption. Those new
files are encrypted by the user that creates them.
Users can be added/removed to/from files. We've never supported add/remove
on folders through the UI (because it's meaningless).
You're right - the kb is misleading. Well . . . actually it's kinda lying.
I'll file a bug and see if we can get that fixed.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Shenan Stanley" <news_...@hushmail.com> wrote in message
news:%23lSr$s73DH...@TK2MSFTNGP12.phx.gbl...
Torgeir Bakken (MVP)
> If Microsoft's EFS product can't do this, is there a product
> that integrates with Microsoft's File Explorer so that I
> can still right click on a folder, have the option to
> encrypt it, and then designate the users that can access
> it?? Being able to only share individual files makes no
> sense to me at all. Any help with this matter would be
> greatly appreciated.
SafeGuard PrivateDisk and/or SafeGuard LAN Crypt might help you out:
http://www.utimaco.com/indexmain.html
(we are using their "SafeGuard Easy" product for local hard disk encryption on
all laptops, and we are very satisfied with the product).
The BestCrypt product found at http://www.jetico.com/ also looks interesting.
--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter
Shenan Stanley
Shenan Stanley wrote:
> Wait.. Wait.. Wait..
>
> You mean that you still have to do it file-by-file in Windows 2003
> server as well. Doesn't the instructions found at :
>
> http://support.microsoft.com/?kbid=324897#22
>
> Specify that you can add a user (or remove) from a file or folder
> using the instructions found there? (It does say "Add Users to or
> Remove Users from a File or Folder" <- which to me implies it can be
> done either way.)
>
> Admittedly, the "note" on that instruction set titled the above never
> mentions folders, only files, but then should the title of that
> instruction set be changed a bit? Or should we assume that if a
> user has rights to a folder, they do not automatically have rights
> to the files placed in that folder nor all the files that were in
> the folder initially? At which point one has to wonder what was the
> point of giving the user rights on the folder in the first place (or
> even encrypting the folder to begin with..)?
>
> Now *I* am thoroughly confused. heh
Drew Cooper [MSFT] wrote:
> In a nutshell, this is how it works:
> Files can be encrypted. Folders can't really be "encrypted". They're
> "marked for encryption", which means that new files created in them
> will be encrypted and new subfolders will also be marked for
> encryption. Those new files are encrypted by the user that creates
> them.
>
> Users can be added/removed to/from files. We've never supported
> add/remove on folders through the UI (because it's meaningless).
>
> You're right - the kb is misleading. Well . . . actually it's kinda
> lying. I'll file a bug and see if we can get that fixed.
I actually do understand the functionality a lot better after your
explanation. =)
Thanks!