Unable to add users to encrypted file on fileserver share from Vista

[azarro]

Hi all,

I have the following setup:

Active Directory domain

Windows 2003 R2 Enterprise CA

Windows 2003 R2 fileserver with EFS share with correct share and NTFS permissions

Windows Vista Business SP2 workstations

EFS certificates are being issued to a group of users from the CA based on security groups, so they can access the files in EFS share on fileserver. This works fine, however one of these users needs to be able to add more users (user's EFS certificate) to particular files in the encrypted share.. This is not possible because in Vista, eventhough the user can access and modify the encrypted file, when the user opens properties of the file and select Advanced > Details > clicks Add button and finds a users certificate using Active Directory, he is not able to add the user because the OK button is greyed out..

Can anybody help me? Did I miss something? When I try the same from Windows XP I can add user without problem..

Thanks,

Azarro

Edited September 18, 2009 by azarro

[azarro]

Ok, I've found a reason of this and solution..

After comparing user profiles and certifictes I've noticed that one of them had in the certificate store Other people a certificate and the other users did not. When I logged on this particular user's account I've found out that this user can add another EFS certificates to the encrypted file.. So I've imported an EFS certificate to the Other People certificate store of my problem user and voilá.. The OK button is greyed out no more. :-)

I'm a bit confused right now.. Is this a bug, or a feature?

Thanks.

Michal