JSI Tip 4884. How do I configure a domain EFS recovery policy?

Jerold Schulman

February 24, 2002


NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q313365 contains:



  • Configure a Domain EFS Recovery Policy

The information in this article applies to:

  • Microsoft Windows 2000, Server


This step-by-step article describes how to configure a domain Encrypting File System (EFS) recovery policy.

You can use the Windows 2000 EFS to encrypt files so that unauthorized individuals cannot view their contents. EFS encrypts each file with a random file encryption key and stores that key encrypted to the user's public key, so to encrypt and decrypt files a user must have a file encryption certificate and its associated private key. If that certificate or private key is lost or damaged, access to the files is lost unless a recovery agent's key can unlock them.

Data recovery is possible through the use of a recovery agent. The user account of a trusted individual can be designated as a recovery agent so that a business can retrieve files in the event of a lost or damaged file encryption certificate, or recover data from an employee who has left the company. EFS stores the file encryption key a second time, encrypted to each recovery agent's public key, in the file's data recovery field when it encrypts the file. Adding an agent therefore does not retroactively cover files that are already encrypted; their recovery fields are rewritten only when EFS next touches the file. EFSINFO /R from the Windows 2000 Resource Kit lists the recovery agents a given file carries.

One of the many advantages of using Windows 2000 domains is that you can configure a domain EFS recovery policy. In a default Windows 2000 installation, when the first domain controller (DC) is set up, the domain Administrator account is the specified recovery agent for the domain, with a self-signed recovery certificate whose private key is stored in that account's profile on the first DC. The domain administrator can log on to the first DC in the domain and change the recovery policy for the domain. Because whoever holds that private key can decrypt every EFS file in the domain, export it to a password-protected .pfx file kept offline and remove it from the DC, as Microsoft recommends.

If you want to create additional recovery agents, the user accounts must have a file recovery certificate (one whose Enhanced Key Usage is File Recovery rather than ordinary EFS encryption). If available, a certificate can be requested from an enterprise CA that issues certificates for your domain. However, EFS does not require a CA: it can generate its own self-signed certificates for users and for the default recovery agent account.


Configure a Domain EFS Recovery Policy

To configure a domain EFS recovery policy:

  1. Log on as administrator at the first DC in the domain. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the Active Directory Users and Computers console, right-click your domain name, and then click Properties.

  3. In the domain Properties dialog box, click the Group Policy tab. Click the highest priority domain Group Policy object (GPO), and then click Edit.

  4. Expand the top-level domain policy node, and then expand Computer Configuration. Expand the Windows Settings node, and then expand the Security Settings node. Expand the Public Key Policies node, and then click the Encrypted Data Recovery node.

  5. Right-click the Encrypted Data Recovery node, and then click Add.

  6. On the first page of the Add Recovery Agent Wizard, click Next.

  7. On the Select Recovery Agents page, click Browse Directory to pick a user whose recovery certificate is published in Active Directory, or Browse Folders to pick a .cer file exported from the agent's recovery certificate. Click the user account or certificate, and then click Next.

  8. On the Completing the Add Recovery Agent Wizard page, click Finish.

  9. The user account appears in the right pane of the Group Policy console. Double-click the certificate in the console and confirm that its Enhanced Key Usage field reads File Recovery (OID 1.3.6.1.4.1.311.10.3.4.1) and that it has not expired. Close the certificate window.

  10. Close the Group Policy console. Close the domain Properties dialog box, and then close the Active Directory Users and Computers console.

Note that you can create a new certificate in the Group Policy console by right-clicking the Encrypted Data Recovery node, and then clicking Create. This generates a self-signed EFS recovery certificate for the logged-on user; its private key is stored in that user's profile on the DC, so protect it the same way as the default agent's key.
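The following PowerShell script is an added example, not part of KB Q313365 or the original tip. It automates the check in step 9 (is a certificate really intended for File Recovery, and is it still valid?) for a candidate .cer file, and audits the recovery agents that Group Policy has actually delivered to a domain member. It assumes that the applied policy certificates live under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates, that each Blob value uses the CAPI serialized-store element layout (DWORD property id, DWORD 1, DWORD length, data) with the DER certificate carried in property 0x20, and that it runs on a later domain member with Windows PowerShell rather than on the Windows 2000 DC itself. The function and variable names are the example's own.

```powershell
# Added example (not from KB Q313365): verify EFS recovery agent certificates and
# audit the recovery policy Group Policy has applied to this machine.
# Assumptions (see lead-in): registry location and Blob layout below.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Enhanced Key Usage "File Recovery"
$PolicyEfsKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function ConvertFrom-CertBlob {
    # Walk the property records in a SystemCertificates "Blob" value and return the
    # X509Certificate2 carried in property 0x20 (the DER certificate), or $null.
    param([byte[]]$Blob)
    $offset = 0
    while (($offset + 12) -le $Blob.Length) {
        $propId    = [BitConverter]::ToUInt32($Blob, $offset)
        $length    = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $dataStart = $offset + 12
        if (($dataStart + $length) -gt $Blob.Length) { break }   # truncated record
        if ($propId -eq 0x20) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $dataStart, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $offset = $dataStart + $length
    }
    return $null
}

function Test-EfsRecoveryCertificate {
    # Report whether a certificate is usable as an EFS recovery agent certificate:
    # it must carry the File Recovery EKU and be within its validity period.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $now = Get-Date
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        FileRecovery = ($oids -contains $FileRecoveryOid)
        TimeValid    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        SelfSigned   = ($Cert.Subject -eq $Cert.Issuer)   # true for EFS-generated certs
    }
}

function Test-EfsRecoveryCertificateFile {
    # Check a .cer file before handing it to the wizard's Browse Folders option.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    Test-EfsRecoveryCertificate -Cert $cert
}

function Get-EfsRecoveryAgent {
    # Enumerate the recovery agent certificates the domain policy delivered here.
    if (-not (Test-Path $PolicyEfsKey)) {
        Write-Warning "No EFS recovery policy applied to this machine (missing $PolicyEfsKey)"
        return
    }
    Get-ChildItem $PolicyEfsKey | ForEach-Object {
        $blob = (Get-ItemProperty -Path $_.PSPath).Blob
        $cert = ConvertFrom-CertBlob -Blob $blob
        if ($cert) { Test-EfsRecoveryCertificate -Cert $cert }
    }
}

# Usage: audit what policy delivered (run as an administrator on a domain member after
# gpupdate), and check a candidate agent certificate before adding it.
Get-EfsRecoveryAgent | Format-Table Subject, FileRecovery, TimeValid, NotAfter, Thumbprint -AutoSize
# Test-EfsRecoveryCertificateFile -Path 'C:\certs\agent.cer'   # path is a placeholder
```

A row with FileRecovery set to False means the wizard was handed an ordinary EFS user certificate, which Windows will not use to recover files; a row with TimeValid set to False means the agent can still decrypt files that already carry its key but will not be added to newly encrypted ones, so renew the agent and re-run the wizard. Because the script only reads the public certificates, it says nothing about whether the matching private keys are still held somewhere safe, which is the other half of a working recovery plan.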

