I've got SBS 2011 Standard and Windows 7 Professional x64 clients.
I would like to encrypt a particular file on a domain user's local system. When I initially tried to enable encryption on this file, I got the “Recovery policy configured for this system contains invalid recovery certificate” error, which I addressed by creating a new domain-based recovery key as described here.
So far so good.
After creating the key and updating GP on the client, I was able to enable encryption for this particular file without any errors. (I chose to only encrypt the file, not the folder that contains the file, because the file needs to reside in a program folder and I don't want to risk breaking the software by encrypting the entire folder.)
Anyway, after confirming the file is encrypted (box is checked under properties, shows up blue in Explorer, etc.) and verifying that this specific domain user was the only one shown with rights to decrypt the file (it's a TIFF, if that matters), I e-mailed the file to a few other domain users to see if they could open it. (Naturally, I used a test file, not one with sensitive data.)
Wouldn't you know it, every single one of them was able to open the file without any problems.
What am I missing? I thought the entire point of EFS was that encrypted files could only be read by authorized users, so why is it as if I never encrypted the file in the first place?
Any insight would be greatly appreciated.
Joe
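An added example, not part of Joe's post, that reproduces the steps above in PowerShell on a Windows 7 / NTFS client and shows the security-relevant point: EFS decrypts transparently for any process running as an account that holds a key for the file, so a mail client reading the file to build an attachment gets plaintext, and only that plaintext goes out. The EFS wrapper never leaves the local NTFS volume. The file paths below are assumptions; any NTFS location works for the test file, and the FAT32 copy step is skipped if the assumed drive is absent.

```powershell
# Added example, not from the original post. Assumes a domain user with a working
# EFS recovery policy (as set up in the post) on an NTFS volume.
$testFile = Join-Path $env:TEMP 'efs-test.txt'     # assumed path
Set-Content -Path $testFile -Value 'nothing sensitive, just a test'

# 1. Encrypt only the file: same as ticking the box under Properties > Advanced.
(Get-Item $testFile).Encrypt()

# 2. Confirm the Encrypted attribute is set and list who holds a key for the file.
$attrs = (Get-Item $testFile).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw 'EFS did not encrypt the file'
}
cipher.exe /c $testFile     # shows the user certificate(s) and recovery agent(s)

# 3. Read the file as the authorized user. EFS hands back plaintext; this is exactly
#    what a mail client does when it attaches the file, and what then gets base64
#    encoded into the MIME part on the wire.
$bytes          = [IO.File]::ReadAllBytes($testFile)
$attachmentBody = [Convert]::ToBase64String($bytes)
$recovered      = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($attachmentBody))
Write-Output "What a recipient receives: $recovered"   # plaintext, no EFS involved

# 4. Copying to a non-NTFS target (FAT32 USB stick, assumed as D:) also decrypts:
#    the copy carries no Encrypted attribute at all.
if (Test-Path 'D:\') {
    Copy-Item $testFile 'D:\efs-test.txt'
    $copyAttrs = (Get-Item 'D:\efs-test.txt').Attributes
    Write-Output "Copy encrypted? $([bool]($copyAttrs -band [IO.FileAttributes]::Encrypted))"
}
```

The `cipher.exe /c` output is the check worth keeping: it confirms that the user's own certificate and the new domain recovery agent are the only entries, which is the scope EFS actually enforces, namely who can open the file on that volume while it is at rest. Anything that file's owner reads and sends elsewhere is outside that scope.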