Microsoft Knowledge Base Article 313277 contains the following summary:
You can use Windows 2000 Encrypting File System (EFS) to encrypt data so that only your user account and the
recovery agent account can access the data. This feature prevents data from being accessed by other users.
Data encryption is especially valuable on laptop computers, which are more liable to theft.
If you are a local administrator, a default recovery policy is created after you log on to a computer for the first time. You are automatically configured as a recovery agent for this computer. After you set up the first domain controller in a Windows 2000 domain, the domain administrator is the specified recovery agent for the domain. You can configure additional recovery agents at either the domain or the organizational unit levels. The administrator of the local computer is the default recovery agent; however, in a domain environment, the domain administrator is the default recovery agent.
The following list describes three methods to recover data if a user leaves a company or if the user's file encryption certificate is either lost or corrupted:
• You can send the encrypted file to the recovery agent for recovery. For this method, you back up the encrypted file, and then send the backup file to the recovery agent. After the recovery agent restores the file and removes the encryption attribute, they return the file to you.
• The recovery agent can come to the computer that contains the data that you want to recover.
• You can restore the user's file encryption certificate to the local computer. For this method, you back up the Recovery Agent Certificate, and then install it on the computer that requires encrypted file recovery.
This article describes how to use the Ntbackup tool to recover files.