When you grant a user permission to access an encrypted file, the certificate store may contain more than one basic Encrypting File System (EFS) certificate for this user. This symptom occurs when you grant permissions in a Microsoft Windows Server 2003 Active Directory domain or a Microsoft Windows 2000 Server Active Directory domain.
This behavior occurs because the certificate store contains more than one basic EFS certificate that has been issued to the user by the enterprise certification authority (CA). This situation occurs because every time the user logs on to a computer that is not the user’s regular computer, a request for a basic EFS certificate is generated. The enterprise CA then issues a new basic EFS certificate to the user. The request for a basic EFS certificate occurs when the user logs on to a computer in a Windows Server 2003 Active Directory domain or a Windows 2000 Server Active Directory domain. The user can access an encrypted file from a computer that is not the user’s regular computer if the user’s EFS certificate is installed in that computer.
If the user’s basic EFS certificate is not present when the user tries to open an encrypted file, a request for a basic EFS certificate is generated. The computer that the user logs on to stores the basic certificate in the personal certificate store of the user. The enterprise CA issues a basic EFS certificate even if a basic EFS certificate is already issued to the user. The certificate may be available in the user’s regular computer but not in the computer the user has logged on to.
Note Users, computers and services can automatically request EFS certificates without user intervention. This ability depends on the public key policies in the domain.
To work around this behavior, switch the user profile of the user who you want to grant permissions from a local profile to a roaming profile.
Windows Server 2003 and Windows 2000 Server support roaming user profiles that make it possible for certificates to follow users. Therefore, the certificates are available on any computer they log on to. If roaming user profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profiles are downloaded to the local computer when the user logs on.
To obtain a copy of the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services book, visit the following Microsoft Web site: