Endpoint Encryption

  • 1.  Removed all users from User Access

    Posted Feb 13, 2015 01:43 AM

    Good day to you all!

    I was trying to 'lock down' the Admins for an encrypted folder by having a Group as the only listed entry.

    So I have removed all users and made the AD group as the Admin, but have now realized that I can't add or remove users, re-encrypt folder etc.

    Is there any way to add a user now that only the group has access (I am a member of the group)?

    Or am I going to have to start again? (copy the files to a non-encrypted folder etc)


    Any help would be appreciated.



  • 2.  RE: Removed all users from User Access

    Posted Feb 13, 2015 03:07 AM

    Cardona78, are you using Symantec Endpoint Encryption Removable Storage? Could you let me know the version? The issue seems a little less informative; could you elaborate a little bit more on what's actually happening.


    M_Marcos



  • 3.  RE: Removed all users from User Access
    Best Answer

    Posted Feb 13, 2015 01:46 PM

    It sounds like you may have set the Admin to a key that doesn't include the private key.  The Admin account for a FileShare must have the private portion of the keypair in the share, as it is used to verify and sign other keys that are added, effectively requiring it for permissions to function appropriately.  If the admin key does not include the private key, you will be unable to add or remove users, or re-encrypt the folder, though users with access should still be able to access the files.

    If that is the case, you should set up a new share with the entire Admin keypair in the share, and move the data to the new folder.



  • 4.  RE: Removed all users from User Access

    Posted Feb 15, 2015 09:41 PM

    Thank you both for your replies, and sorry for the confusion... I think Mike is understanding the situation, but I'll try to explain in more detail.

    I'm using Symantec Encryption Server (v. 3.3.2 MP6) and Encryption Desktop (v 10.3.2 MP6).

    I've set up a group on the management server, and membership is based on an LDAP (AD) query.

    I've created a policy which enforces encryption of a specific directory.

    When the first user of the folder logged on for the first time, the client (Symantec Encryption Desktop) prompted for a passphrase etc. to register with the server. Once they had jumped through all those hoops, downloaded the policy, and accessed the encrypted folder, it was initially encrypted with the user's private key and not the group's...

    So I, as the sys admin, remoted in with the user, and was able to manually add the group's key and re-encrypt the folder. At this time, I also thought it would be a good idea to remove the user's private key and just have the group listed as the 'Admin', because all the users were in this group, so there really wouldn't be a need for an Admin to add/remove users.

    Now I'm not 100% sure what happened, but when the second user went to access the folder they could access it, but half of the sub-folders were still encrypted with the first user's private key only (the group key wasn't listed), so I tried to re-encrypt, but it wouldn't allow me to, as only the Group was listed.

    I remoted in with the first user and manually added the Group to each sub-folder (this did propagate to each sub-sub-folder), but it had to be at the sub-folder level, as the top-level folder only has the Group private key, and even though both users are members of this group, they cannot add/remove users or re-encrypt the data (as mentioned by Mike).



  • 5.  RE: Removed all users from User Access

    Posted Feb 19, 2015 07:11 PM

    I ended up copying the contents to a CD, which decrypted it.

    Then copied it back to a new folder on the file server.

    Changed the policy on the Management Server to encrypt the new folder.

    Left the user as an admin and added the group account.

    All users in the group account can access the encrypted files and folders.


    Thank you for your help.