Assigning Recovery Agent Accounts

Rather than attempt to manage EFS recovery on a domainwide basis, consider assigning dedicated recovery computers to manage recovery for subsets of computers in your domain, or even for single computers. Domain administrators can do this by using the Active Directory Users and Computers console to group computers into organizational units, and then configuring a separate EFS recovery policy for each organizational unit. You might want to appoint several administrators to use one recovery account to recover users' files as necessary for that organizational unit.

Although recovery policy can be set to apply to an organizational unit, it must be set at the domain level. Subdomain administrators can view recovery agent policy, but cannot set or modify the policy.

To use Group Policy for this purpose, install the Group Policy MMC snap-in and open the Group Policy object you want to work with (domain, organizational unit, or local computer), and then follow the procedure described here.

To use Group Policy to delegate recovery

  1. Expand the Group Policy node by clicking Computer Configuration and then Windows Settings, Security Settings, and Public Key Policies.

  2. Right-click Encrypted Data Recovery Agents, and then click Add.
    This opens the Add Recovery Agent wizard. Figure 15.13 shows the opening screen of the wizard.


    Figure 15.13 Welcome Screen in Add Recovery Agent Wizard

  3. Click Next.

  4. Use the second screen to add recovery agent certificates. If the recovery certificates are published in Active Directory, use the Browse Directory option. Otherwise, you can use the Browse Folders option.

  5. Repeat the previous step to add as many recovery agent certificates as required. Figure 15.14 shows a typical display of the second screen after certificates are selected.


    Figure 15.14 Second Screen in Add Recovery Agent Wizard

    You can add recovery agent certificates that are published in Active Directory. The recovery agent user account information associated with the published certificates appears in the Users column.

    You can also add a recovery agent certificate from a file. If so, the Users column displays "USER_UNKNOWN." This is because adding the certificate from a file does not provide any security identifier (SID) information about the owner of the private key.


    The Add Recovery Agent wizard accepts a recovery agent certificate file only if it has a .cer extension. You can import certificates to the local computer using the Certificate Request wizard, as described in Certificates Help.

  6. When you have added all of the recovery agent certificates, click Next, and then click Finish.
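
Because a certificate added from a file appears as "USER_UNKNOWN" in the Users column, it helps to inspect the .cer file before selecting it in the wizard. The following PowerShell is an added example, not part of the original documentation; the function name, the placeholder file path, and the choice of checks are assumptions, and it tests for the File Recovery enhanced key usage OID 1.3.6.1.4.1.311.10.3.4.1.

```powershell
# Added example (not from the original documentation).
# OID of the EFS "File Recovery" enhanced key usage.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-RecoveryAgentCertificateFile {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    # The Add Recovery Agent wizard accepts only files with a .cer extension.
    if ([System.IO.Path]::GetExtension($Path) -ne '.cer') {
        throw "Not a .cer file: $Path"
    }

    # Load the public certificate from the file.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Collect the enhanced key usage OIDs, if the extension is present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Report what the Users column cannot show for a file-based certificate.
    $now = Get-Date
    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        Thumbprint         = $cert.Thumbprint
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        WithinValidity     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        HasFileRecoveryEku = $ekuOids -contains $FileRecoveryOid
    }
}

# Placeholder path: replace with the file you intend to add in the wizard.
Test-RecoveryAgentCertificateFile -Path '.\recovery-agent.cer' | Format-List
```

Compare the reported Subject and Thumbprint with values obtained from the intended recovery agent through a separate channel before adding the file to the policy.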