Re: Permissions (separate area?)



Hi Ross,

Thank you for your reply and I am sorry for the delay due to the weekend.

In answer to your questions:

Firstly, we need a Certification Authority to issue EFS certificates. To do
this, we may install the CA service on the SBS server.

The users can open MMC, add the Certificates snap-in and then request the Basic
EFS certificate there.

Then we may grant access to the users who have the EFS certificates. (Right-click
the file and click Properties. Click the Advanced button and then click the
Details button.)

More information for your reference:

Protecting Data by Using EFS to Encrypt Hard Drives
http://www.microsoft.com/smallbusiness/support/articles/protect_data_EFS.mspx

If you have any other questions, please let me know.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: rossk <rkovelman@xxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Permissions (separate area?)
| Date: Thu, 01 Nov 2007 09:58:25 -0700
|
| Ok I got that fixed, so the folder shows green with the attrib being
| E. Now how can I get them to take control of the folder and lock the
| admin out? And what is the point of doing this making it encrypted?
|
| ~Ross
|
| On Nov 1, 9:26 am, rossk <rkovel...@xxxxxxxxxxxxxxxx> wrote:
| > THANKS!
| >
| > I have an issue when I select the Encrypt contents to secure data
| >
| > "An error occured applying attributes to the file
| > F:/path
| > Recovery policy configured for this system contain invalid recovery
| > certificate"
| >
| > How would I fix this...ahhh
| >
| > ~Ross
| >
| > On Nov 1, 2:54 am, v-mzh...@xxxxxxxxxxxxxxxxxxxx (Manfred Zhuang [MSFT]) wrote:
| > > Hello Ross,
| >
| > > Thank you for posting here.
| >
| > > From your post, I understand that you would like to create a folder for a
| > > group of users to store data. But in the time, you hope the admin cannot
| > > access the data.
| >
| > > To do this, we may use Encrypting File System.
| >
| > > For detailed information, please refer to following articles:
| >
| > > Step-by-Step Guide to Using the Encrypting File System
| > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/techno...
| > > directory/activedirectory/stepbystep/efs.mspx
| >
| > > Best practices for the Encrypting File System
| > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
| >
| > > I hope the above information is useful to you.
| >
| > > If you have any concern, please feel free to let me know.
| >
| > > Best regards,
| >
| > > Manfred Zhuang(MSFT)
| > > Microsoft Online Newsgroup Support
| >
| > > Get Secure! - www.microsoft.com/security
| >
| > > --------------------
| > > | From: rossk <rkovel...@xxxxxxxxxxxxxxxx>
| > > | Newsgroups: microsoft.public.windows.server.sbs
| > > | Subject: Re: Permissions (separate area?)
| > > | Date: Tue, 30 Oct 2007 14:45:05 -0700
| > > |
| > > | How can I do this encryption thing you are talking about?
| > > | Thanks
| > > |
| > > | On Oct 30, 4:31 pm, "kj [SBS MVP]" <KevinJ....@xxxxxxxxxxxxxxxxxx> wrote:
| > > | > rossk wrote:
| > > | >
| > > | > > Anyone know how I can do this?
| > > | >
| > > | > > I need to create a folder so a group of users can store data there but
| > > | > > lock the sys admin out (myself) and encrypt the data? Basically I
| > > | > > need an area that only this one guy can control and no one else. He
| > > | > > needs to be able to control that area in whole (permissions etc)
| > > | >
| > > | > > If he does this I need to know I can still back that data up. I know
| > > | > > in unix I can with root but not sure with windows.
| > > | >
| > > | > > Thanks!!
| > > | >
| > > | > You can't permanently lock out the admins. You can encrypt the data so
| > > | > that the admin can not examine or alter it. The admin should have had a
| > > | > recovery certificate created which you need to take into account if you
| > > | > really want to ensure this. While the user can control the data, he/she is
| > > | > also responsible for it. You've not only the need to backup the encrypted
| > > | > data, but also the certificates needed to encrypt and decrypt it.
| > > | >
| > > | > --
| > > | > /kj
.
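
The thread's point that the EFS certificates, not just the encrypted data, decide who can read the files and must be backed up can be checked from PowerShell. This is an added example, not code from any poster in the thread; the folder path `F:\Private` is a hypothetical placeholder, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: report the current user's EFS / recovery-agent certificates
# and list the encrypted files under a folder.
param([string]$Folder = 'F:\Private')       # hypothetical path, adjust before running

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (recovery agent)

function Get-EfsCertificateReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate,
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in $Certificate) {
        # Collect the EKU OIDs carried by this certificate.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekus -notcontains $EfsOid -and $ekus -notcontains $RecoveryOid) { continue }
        [pscustomobject]@{
            Role          = if ($ekus -contains $RecoveryOid) { 'RecoveryAgent' } else { 'User' }
            HasPrivateKey = $cert.HasPrivateKey      # without it the files cannot be decrypted
            Expired       = $cert.NotAfter -lt $Now
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
        }
    }
}

$report = @(Get-EfsCertificateReport -Certificate (Get-ChildItem Cert:\CurrentUser\My))
$report | Format-Table Role, HasPrivateKey, Expired, NotAfter, Thumbprint -AutoSize
if (-not ($report | Where-Object { $_.HasPrivateKey -and -not $_.Expired })) {
    Write-Warning 'No unexpired EFS certificate with a private key in this profile.'
}

# Files carrying the Encrypted ("E") attribute, shown green in Explorer.
if (Test-Path $Folder) {
    Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object -ExpandProperty FullName
}
```

A certificate reported with `HasPrivateKey` true is the one to export together with its private key and keep alongside the data backups.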