A basic EFS setup takes only a few mouse clicks. For these steps, I will assume that you’re using roaming profiles to avoid the certificate confusion. From the client, browse to the file that you would like to encrypt. Right-click it and choose Properties from the shortcut menu. On the General tab, click Advanced. The Advanced Attributes window will appear.

From the Advanced Attributes window, select the box marked Encrypt Contents To Secure Data, and click OK. When you are done, the file name will appear in green, which indicates that it has been encrypted.

To see who has access to an encrypted file, you can view the file’s encryption details by right-clicking it, choosing Properties, clicking the Advanced tab, and clicking Details on the Advanced Options window.

EFS creates a Data Recovery Agent (DRA) automatically so that this step cannot be skipped; skipping it would result in inaccessible files. To change the user whose certificate is used by default, you need to change the EFS group policy by going to Active Directory Users And Computers | Domain Properties | Group Policy | Edit | Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System.

The easiest way to make sure that an encrypted file is inaccessible to other users is to try to access it. For proper testing, make sure that another user has the share and NTFS permissions necessary to access the file. When the user logs in and tries to access the encrypted file, they will get an error message stating that access is denied.
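
The same encrypt, verify and inspect steps can be run from PowerShell, which helps when more than one file has to be checked. This is an added example, not part of the original article; the sample path and the function names are assumptions chosen for illustration.

```powershell
# Added example: command-line equivalent of the GUI steps above.
# The default path is a hypothetical sample; use a file on an NTFS volume.
param(
    [string]$Path = 'C:\Data\example.txt'
)

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $item = Get-Item -LiteralPath $LiteralPath -Force
    # The Encrypted attribute is what Explorer shows as a green file name.
    return [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-EfsFile {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $full = (Resolve-Path -LiteralPath $LiteralPath).ProviderPath
    if (-not (Test-EfsEncrypted -LiteralPath $full)) {
        # Same effect as ticking "Encrypt Contents To Secure Data".
        [System.IO.File]::Encrypt($full)
    }
    # Confirm the attribute is really set instead of assuming success.
    if (-not (Test-EfsEncrypted -LiteralPath $full)) {
        throw "EFS encryption did not take effect for $full"
    }
    return $full
}

function Get-EfsDetail {
    param([Parameter(Mandatory)][string]$LiteralPath)
    # cipher /c reports the users who can decrypt the file and the
    # recovery (DRA) certificates, like the Details dialog.
    & cipher.exe /c $LiteralPath
}

$file = Protect-EfsFile -LiteralPath $Path
Get-EfsDetail -LiteralPath $file

# Audit: list every encrypted file under the same folder.
Get-ChildItem -LiteralPath (Split-Path -Parent $file) -File -Recurse -Force |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    Select-Object FullName, LastWriteTime
```

Run it as the user who owns the file, then repeat the access test from a second account that has share and NTFS permissions to confirm that access is denied.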