What I meant on number 4 is that it can't encrypt local files on other machines. Only network shares. That's why you shouldn't use your server as a client machine.
Only way Crypto could've made a GP is if it had domain admin permissions. I assume in that case someone was using the server as a client? Or used a domain admin account?
.png "ACUF Donor I")
