A. Recovery agents are users who can recovery encrypted files for a domain. To add new users as recovery agents they must first have recovery certificates issued by the enterprise CA structure (a local certificate granted by the Administrator is no use).
- Start the Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
- Right click on the domain and select Properties
- Select 'Group Policy' tab
- Select the 'Default Domain Policy' and click Edit
- Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
- Right click 'Encrypted Data Recovery Agents' and select Add
- Click Next to the 'Add Recovery Agent Wizard'
- Click 'Browse Directory'. Locate the user and click OK
- Click Next to the agent dialog select
- Click Finish to the confirmation
- Close the Group Policy Editor
Refresh the machine policy
C:\> <b>secedit /refreshpolicy machine_policy</b>
The agent will only be able to recover files encrypted after the user was made an agent. If an encrypted files is unencrypted and the encrypted or even just opened the new agent WILL be able to recover it as the file will "refresh" its recovery certificates (if the recovery policy has changed).
The local admin on a standalone PC or the first logon admin on a DC is the recovery agent by default. However this can be modified. You can remove the default recovery agent and assign any one as the recovery agent. In other words, admin can not read other person's encrypted file unless he is the recovery agent. The purpose of assigning the first logon admin as the recovery agent is to make life easier for most of our customer. The corporate user is recommended to modify the recovery agent.