Encrypted file in domain...but why can everyone access it?

This morning boss asked me to make his files and folders secure or somehow authorized whenever anyone tries to access them. So far I have come up with two options.
One, compress it and add a password to the compressed folder. The problem with it is, whenever I add a new file in the compressed folder with password already set, it does not set password for just added file. So anyone can access the file even if it is in compressed folder with password set. In order to have a password on just added file as well, I have to remove password and add again for all compressed folder. This can be time consuming if in compressed folder are a lot of files. Is there a way to make it automatically set the password for just added file or just for file?... I could not find a way to do it.

Second option would be encryption. After spending hours to finally be able to encrypt file on network drive (system attribute had been set on files on network, which did not allow encryption), it allows anyone to access. The file finally is green, but access is available for any user in domain. How come? Also when I try to add another user (Properties - Advanced Attributes) to access the encrypted file it gives me following error: "No appropriate certificates correspond to the selected user". What is causing it?

Besides that, does anyone have better ideas on how to make the file or folder on LAN secure or accessible only by one person, excluding Administrator of domain?

P.S. We are running 2000 server and client PC is XP Pro.

Pete Long (Technical Consultant) commented:

as you have compression and encryption - I'll take a leap of faith and say we are dealing with an NTFS drive? if so right click the folder > properties > and on the security tab remove everyone then add in your user - that way only they can open the folder
right Pete, permissions govern access
the least common denominator governs access, if a domain group has access, the file is decrypted
you can also explicitly exclude the administrator (you really ought to rename that account)
you can also equip your user with PGP so that only (s)he can control access to a file or folder

margotsk (Author) commented:

Thanks for getting back,
Yes, we have NTFS drive... sorry for forgetting to mention.
PeteLong, that's a way, but we are looking to restrict administrator in accessing files as much as possible as well. So, if administrator assigns any other user to folder, user will still not get access to file, because it is encrypted. The same thing would happen if Administrator adds himself. Of course, Administrator could reset password and log in as the user who encrypted files, but in that case user will notice that the first time he wants to log in, because his password has been changed. So, that's why we are looking for encryption and password setup and not permission access.

Chicagoan, what is PGP?

Today for some reason encrypted file is not accessible by any other user except the one who encrypted it, but it still generates error when trying to add another user to share the encrypted file. I am able to find the user in domain, but after selecting user to add, it returns error: "No appropriate certificates correspond to the selected user". It's different than yesterday. Yesterday, I got the same message before searching for other users in domain to add. From yesterday until today, the server has been restarted, and so have the user accounts on which I do experiments. So, I guess somewhere along these changes encryption took full effect.

So, I guess now my question is: why does it not allow me to add another user to share encrypted file?


Pete Long (Technical Consultant) commented:
>>That's a way, but we are looking to restrict administrator in accessing

simply set Administrator to DENY - deny over-rides all settings :)

just remove the everyone group and domain users groups (don't DENY them because your user will be in these groups)
margotsk (Author) commented:
Thanks, PeteLong, for responding,
PeteLong, I am not sure how to set Administrator to DENY. Would you please guide me through by listing steps or referencing some tutorial. It is not under folder properties, is it?
Pete Long (Technical Consultant) commented:
you can set deny on a folder or file - I suggest putting it on a folder with the file(s) in it

is it on a 2k server or a 2k3 server, the process is more or less identical but I'll get it spot on if you tell me
margotsk (Author) commented:
it's 2K server and XP as client.
Looking to hear from you.
Pete Long (Technical Consultant) commented:
on the server

Right-click the folder or drive you intend to share. In Windows 2000, select Sharing... .

Select Share this folder.

In the appropriate fields, type the name of the share (as it appears to other computers), the maximum number of simultaneous users, and any comments that should appear beside it.

Click the Permissions button - you need to remove inheritable permissions either on this page (or press the Advanced button and untick the "allow inheritable permissions...." box); if it prompts you to confirm, select the COPY option

now set administrators to deny (tick all the boxes)
click add and add in the user concerned and give them "full control"
and remove all the other groups it has listed there
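
The advice in the answers above (deny overrides allow, and remove the Everyone and Domain Users groups rather than denying them) follows from the order in which Windows walks a folder's permission list. The sketch below is an added example, not part of the original thread: a simplified Python model of that check, using constructed account names, group memberships and toy access bits.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2          # toy access bits, not the real NTFS mask values
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # user or group the entry applies to
    mask: int      # access bits the entry denies or allows

def canonical(aces):
    """Order entries the way the Security tab stores them: deny before allow."""
    return sorted(aces, key=lambda ace: ace.kind != "deny")

def access_check(token, dacl, desired):
    """Walk the list in order: a matching deny stops the walk, allows accumulate."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue                       # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                   # deny reached before the bits were granted
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True                # every requested bit has been allowed
    return False                           # no entry granted it: implicit deny

# Constructed accounts: each token is the user plus the groups they belong to.
TOKENS = {
    "boss":  {"boss", "Domain Users", "Everyone"},
    "clerk": {"clerk", "Domain Users", "Everyone"},
    "admin": {"Administrator", "Administrators", "Domain Users", "Everyone"},
}

def who_can_open(aces):
    dacl = canonical(aces)
    return {name: access_check(tok, dacl, FULL) for name, tok in TOKENS.items()}

# Before: the folder still carries a broad group grant.
before = who_can_open([Ace("allow", "Everyone", FULL)])
# The thread's advice: groups removed, user allowed, Administrators denied.
advised = who_can_open([Ace("allow", "boss", FULL),
                        Ace("deny", "Administrators", FULL)])
# The mistake warned against: denying a group the user belongs to.
mistake = who_can_open([Ace("allow", "boss", FULL),
                        Ace("deny", "Everyone", FULL)])

if __name__ == "__main__":
    for label, result in (("before", before), ("advised", advised), ("mistake", mistake)):
        print(label, result)
```

The model covers only the permission list; file ownership and user privileges, which Windows evaluates separately, are outside it.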

margotsk (Author) commented:
Thanks PeteLong,
You got the points