Managing PGP File Share Encryption folders using group key

Article ID: 415403

Products

File Share Encryption, Encryption Management Server

Issue/Introduction

By default, users who are in a policy with PGP File Share Encryption (PGP Encryption Desktop) enabled can encrypt any folder on which they have modify permissions, whenever they wish.

This can lead to a situation where different folders are encrypted to different individual user keys, which becomes very difficult to manage, particularly when a user leaves the organization.

By using Groups, Policies and Group keys, it's possible to manage shared folders encrypted with PGP File Share Encryption far more effectively.

Environment

PGP File Share Encryption 11.0.1 and above.

Resolution

To manage PGP File Share encrypted folders effectively, you need two groups of users:

  1. Administrators - these users set the File Share access control lists on the shared folders using group keys and carry out the initial encryption.
  2. Users - these users create and modify files in the encrypted folders but cannot change the access control list for the shared folders.

Here is how to proceed:

  1. Create a group on the PGP Server for the Administrators. In this example, this group is called File Share Admin. Add members to the group either manually or by matching users who are in a specific Active Directory security group.
  2. Create a group key for the group by clicking on the group name, then on the Group Settings button, and then on the Generate button in the Group Keys section.

  3. Create a policy for these admins that has File Share Encryption enabled and allows the users to create File Share folders and use Advanced User Mode.

  4. Link the File Share Admin group to the policy.

  5. Create a group for users who will not manage File Share folders but just use them. In this example, the group name is File Share User, but this can be an existing group. Create a policy for the group or edit the group's existing policy. The policy will need to have File Share enabled, but ensure that it does not include permission to create File Share Encryption folders.

  6. Create a group key for the File Share User group.

  7. Navigate to Consumers / Groups and click on the Policy Group Order button at the bottom of the page. Ensure that the File Share Admin group has a higher priority than the File Share User group or any other group that standard users may belong to. This will ensure that File Share Admin users have the correct Effective Policy Group and are assigned to the correct policy.

  8. As a File Share Admin user, in Windows File Explorer, right-click on the folder you wish to encrypt and choose Symantec Encryption Desktop / Encrypt folder name with Symantec File Share...Advanced. Note that it is important to choose the Advanced option.

  9. At the Add Users page, click the Add button. Then search for the name of the File Share Admin group and add it. Then do the same for the File Share User group.

  10. On the Add Users page, the two groups will be listed. Scroll to the right and next to each name you will see their User Type. Initially they will both be of type User.

  11. Right-click on File Share Admin and choose Make Admin. Note that the only difference between Admin and Group Admin is that you can only have one Admin per share, but you can have multiple Group Admins.

This will give you an encrypted folder that members of the File Share User group can access. They can create and modify files within the share. What they cannot do is change the access list of groups and users permitted to use the share. Only a member of the File Share Admin group can do this.

By using this strategy, you will not need to encrypt any folders with individual user keys and can instead rely on group membership.

By not granting standard users permission to change the access control list of folders, you ensure that File Share encrypted folders are effectively managed.
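As an added check, not part of this article or of the Symantec product: a small Python audit that takes the names and User Types shown on a share's Add Users page (copied by hand; the sample entries below are constructed) and reports any deviation from the strategy above, such as a second Admin, a user group that can change the access list, or an individual user key on the share.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One row of a share's access list as shown on the Add Users page (constructed model)."""
    name: str
    user_type: str   # "User", "Group Admin" or "Admin"
    is_group: bool   # True for a group key, False for an individual user key


def audit_share_acl(entries, admin_group, user_group):
    """Return findings for a share's access list, measured against the group-key
    strategy: at most one Admin per share, the admin group may change the access
    list, the user group only gets User access, and no individual user keys."""
    findings = []
    by_name = {e.name: e for e in entries}
    admins = [e for e in entries if e.user_type == "Admin"]
    if len(admins) > 1:
        findings.append("more than one Admin (only one Admin per share is allowed)")
    if admin_group not in by_name:
        findings.append(f"admin group {admin_group!r} is missing from the access list")
    elif by_name[admin_group].user_type not in ("Admin", "Group Admin"):
        findings.append(f"admin group {admin_group!r} cannot change the access list")
    if user_group not in by_name:
        findings.append(f"user group {user_group!r} is missing from the access list")
    elif by_name[user_group].user_type != "User":
        findings.append(f"user group {user_group!r} can change the access list")
    for e in entries:
        if not e.is_group:
            findings.append(f"individual user key {e.name!r} is on the access list")
        elif e.name not in (admin_group, user_group) and e.user_type != "User":
            findings.append(f"group {e.name!r} can change the access list")
    return findings


# Constructed sample access lists: one following the article, one that drifted.
GOOD_ACL = [AclEntry("File Share Admin", "Admin", True),
            AclEntry("File Share User", "User", True)]
BAD_ACL = [AclEntry("File Share Admin", "Admin", True),
           AclEntry("File Share User", "Group Admin", True),
           AclEntry("jdoe@example.com", "Admin", False)]

if __name__ == "__main__":
    for label, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(label, audit_share_acl(acl, "File Share Admin", "File Share User"))
```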

Additional Information