tw_chase asked:

EFS (Encrypted File System) help!

I would like to automate the adding of user certificates to files once they are encrypted, but I am struggling to get anywhere.

Here is the scenario:

I have a program that finds certain files and uses EFS to encrypt them.  Most of these files are found on the network with multiple people having to be able to view/access them.  Once the file is encrypted, it only adds the certificate of the person that encrypted the file.  What I need is to be able to use a command line tool or some code to add the other users associated with this file.  Can this be done?  I have been looking at certutil and cipher command line tools and I don't see how to add users without going through the file properties in explorer.  The program itself is a VB6 app if that helps.  This is the last step of this project so any help would be appreciated.

PS - Is there a setting or something in the CA, Active Directory, etc that will automatically add the certificates of all individuals that have access to that file?  

Thanks in advance
ASKER CERTIFIED SOLUTION
Rich Rumble
tw_chase (ASKER):

Well, the above answer doesn't help.  I found an API called AddUsersToEncryptedFile that does it, but there is little about it on the internet.  I hired a third party to get involved to solve the issue, but that is the route we are going.

Rich Rumble:
Because there is no method to issue a certificate for a group, only individual user accounts can be authorized for access to an encrypted file. Groups cannot be authorized for access.
I'm not sure if this matters, but there are 3rd party encryption tools that are easier to use and ultimately more secure. PGP, and TrueCrypt spring to mind.
Perhaps there is a way to automate adding users as recovery agents... I'm not sure that a recovery agent has the ability to encrypt, but they can decrypt...
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsck_efs_lwqi.mspx
http://technet2.microsoft.com/WindowsServer/en/library/5ad01135-c289-4f64-8bf3-8c0de903a8b71033.mspx
http://support.microsoft.com/kb/887414
-rich
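The asker's follow-up mentions the Win32 API AddUsersToEncryptedFile but found little documentation for it. The PowerShell script below is an added example (not code from this thread or from Microsoft) that calls that API through P/Invoke to add one more user to an EFS-encrypted file. It assumes the caller can already decrypt the file, that `$CertFile` is the DER-encoded (.cer) EFS certificate of the account in `$Account`, and that the three example parameter values in the comments are constructed.

```powershell
# Added example (not from the thread): grant one more user decrypt access to an
# EFS-encrypted file via the Win32 API AddUsersToEncryptedFile in advapi32.dll.
# Assumptions: the caller can already decrypt $Path; $CertFile is the DER (.cer)
# EFS certificate of the user in $Account. All parameter values are constructed.
param(
    [Parameter(Mandatory)] [string] $Path,      # e.g. \\fileserver\finance\budget.xlsx
    [Parameter(Mandatory)] [string] $Account,   # e.g. CONTOSO\jdoe
    [Parameter(Mandatory)] [string] $CertFile   # e.g. C:\efs-certs\jdoe.cer
)
# Mirror the winefs.h structures: EFS_CERTIFICATE_BLOB, ENCRYPTION_CERTIFICATE,
# ENCRYPTION_CERTIFICATE_LIST (nUsers + pointer to an array of PENCRYPTION_CERTIFICATE).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Efs {
    [StructLayout(LayoutKind.Sequential)]
    public struct CertBlob { public uint dwCertEncodingType; public uint cbData; public IntPtr pbData; }
    [StructLayout(LayoutKind.Sequential)]
    public struct EncCert { public uint cbTotalLength; public IntPtr pUserSid; public IntPtr pCertBlob; }
    [StructLayout(LayoutKind.Sequential)]
    public struct EncCertList { public uint nUsers; public IntPtr pUsers; }
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint AddUsersToEncryptedFile(string lpFileName, ref EncCertList pUsers);
}
"@

# Resolve the account to its binary SID and read the DER-encoded certificate.
$sid = (New-Object System.Security.Principal.NTAccount $Account).Translate([System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$der = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile).RawData

# Copy SID and certificate into unmanaged memory and chain the three structures.
$m = [System.Runtime.InteropServices.Marshal]
$pSid = $m::AllocHGlobal($sidBytes.Length); $m::Copy($sidBytes, 0, $pSid, $sidBytes.Length)
$pDer = $m::AllocHGlobal($der.Length);      $m::Copy($der, 0, $pDer, $der.Length)
$blob = New-Object Efs+CertBlob
$blob.dwCertEncodingType = 1; $blob.cbData = $der.Length; $blob.pbData = $pDer   # 1 = X509_ASN_ENCODING
$pBlob = $m::AllocHGlobal($m::SizeOf($blob)); $m::StructureToPtr($blob, $pBlob, $false)
$ec = New-Object Efs+EncCert
$ec.cbTotalLength = $m::SizeOf($ec); $ec.pUserSid = $pSid; $ec.pCertBlob = $pBlob
$pEc = $m::AllocHGlobal($m::SizeOf($ec)); $m::StructureToPtr($ec, $pEc, $false)
$pArr = $m::AllocHGlobal([IntPtr]::Size); $m::WriteIntPtr($pArr, $pEc)       # one-element pointer array
$list = New-Object Efs+EncCertList
$list.nUsers = 1; $list.pUsers = $pArr
$rc = [Efs]::AddUsersToEncryptedFile($Path, [ref]$list)
foreach ($p in $pSid, $pDer, $pBlob, $pEc, $pArr) { $m::FreeHGlobal($p) }
if ($rc -ne 0) { throw "AddUsersToEncryptedFile failed, Win32 error $rc" }
"Added $Account to the EFS user list of $Path"
```

The certificate must be the user's EFS certificate (the one with the Encrypting File System purpose), and the caller must hold a key that can already decrypt the file, otherwise the call fails with an access-denied error. On Windows Vista and later the same operation is also available without code as `cipher /adduser /certfile:<cerfile> <path>`, and `cipher /c <path>` lists the users who can decrypt a file.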