Friday, March 9, 2018

cipher /adduser says "access denied" if the files are read-only

Today I needed to allow a new user to access some EFS-encrypted files. Despite my account having an appropriate certificate and full access to the files, cipher /adduser said "access is denied" for each of them and couldn't add the user. Confusingly, performing the operation on new encrypted files worked perfectly fine. Eventually I ran some other mode of cipher, which gave a more helpful message indicating that the files were read-only. Apparently EFS won't allow certificate list changes if the read-only bit is set. Unmarking them read-only made things work as expected.
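The workaround described above, scripted as an added example (not part of the original post): it finds files that are both EFS-encrypted and read-only, clears the read-only bit, runs cipher /adduser, then restores the bit. The folder path and certificate file are assumed placeholders, and the account running it is assumed to already have EFS access to the files.

```powershell
# Added example. $Root and $CertFile are placeholder values (assumptions).
param(
    [string]$Root     = 'C:\Data\Encrypted',     # folder holding the EFS files
    [string]$CertFile = 'C:\Certs\newuser.cer'   # new user's exported EFS certificate
)

$encrypted = [System.IO.FileAttributes]::Encrypted

# Only files that are both encrypted and read-only need the workaround.
$targets = Get-ChildItem -LiteralPath $Root -File -Recurse -Force |
    Where-Object { $_.IsReadOnly -and $_.Attributes.HasFlag($encrypted) }

foreach ($file in $targets) {
    try {
        # Clear the read-only bit so the certificate list can be changed.
        $file.IsReadOnly = $false

        # cipher's own output is left on the console so any remaining
        # "access is denied" message is visible per file.
        & cipher.exe /adduser "/certfile:$CertFile" $file.FullName
    }
    finally {
        # Put the read-only bit back whether or not cipher succeeded.
        $file.IsReadOnly = $true
    }
}

Write-Host "Processed $(@($targets).Count) read-only encrypted file(s) under $Root"
```

Files that are encrypted but not read-only are skipped here, since cipher /adduser can be run on them directly.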
