Encrypted Data Recovery Agent policy is part of Group Policy, administered using the Encrypted Data Recovery Agents container in the Group Policy console. To configure EFS Recovery policy, see "EFS Recovery Agents" in "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.
Like other components of Group Policy, the scope of a recovery policy can be, from broadest to narrowest:
An organizational unit — a subgroup of computers, or even a single computer, within a domain.
An organizational unit nested within a larger organizational unit.
The local stand-alone computer.
The default scope of Group Policy is the domain. Every Windows 2000–based computer within a scope is governed by the policy set for that scope, although the effect can be filtered by using ACLs. For more information about Group Policy and how it works, see "Group Policy" in this book.
Policy is applied per computer, not per user, because the encrypted data is stored on computers regardless of who encrypted it.
The Windows 2000 security subsystem takes care of enforcing, replicating, caching, and updating the recovery policy. Therefore, users are able to use file encryption on a temporarily offline system, such as a portable computer, much like logging on to their domain account using cached credentials.
Only the public portions of the recovery key pairs are needed to encrypt the file encryption key (FEK) in the data recovery field (DRF). These public recovery keys must be present at all times on an EFS system for normal file system operations. They are present in Encrypted Data Recovery Agent policy as recovery agent certificates.
Security of the recovery key is crucial. You should remove the private keys of recovery agent accounts from the recovery computer between sessions and store them safely on floppy disks or other secure storage devices. (For more information about how to safely remove private keys from your computer, see Windows 2000 Professional Help or Windows 2000 Server Help.)
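The following PowerShell script is an added example and is not part of the Resource Kit text or of Windows itself. It audits the two personal certificate stores on a computer for EFS recovery agent certificates (identified by the Microsoft "File Recovery" enhanced key usage OID 1.3.6.1.4.1.311.10.3.4.1) and warns about any whose private key is still resident, which is the condition the paragraph above says should not persist between recovery sessions. It assumes a Windows version with the Cert: drive provider (Windows 7 / Server 2008 R2 or later) and an elevated session so that the LocalMachine store is readable; the function name Get-EfsRecoveryAgentCert and the output property names are the example's own.

```powershell
# Added example, not from the Windows 2000 Resource Kit.
# Finds EFS recovery agent certificates and flags resident private keys.
# Assumptions: Cert: provider available (Windows 7 / Server 2008 R2 or later),
# elevated session so Cert:\LocalMachine\My can be enumerated.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft EFS "File Recovery" EKU

function Get-EfsRecoveryAgentCert {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            # Look at the Extended Key Usage extension and keep certificates
            # that carry the File Recovery OID.
            $eku = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
        } | ForEach-Object {
            [pscustomobject]@{
                Store          = $path
                Subject        = $_.Subject
                Thumbprint     = $_.Thumbprint
                NotAfter       = $_.NotAfter
                PrivateKeyHere = $_.HasPrivateKey   # $true means the key can decrypt DRFs here
            }
        }
    }
}

$agents = Get-EfsRecoveryAgentCert
if (-not $agents) {
    Write-Output 'No EFS recovery agent certificates found in the personal stores.'
} else {
    $agents | Format-Table -AutoSize
    foreach ($c in ($agents | Where-Object { $_.PrivateKeyHere })) {
        Write-Warning ("Recovery agent private key is resident on this computer: {0} ({1}). " +
                       "Export it with the certificate export wizard (certmgr.msc, choosing " +
                       "'Delete the private key if the export is successful') and keep the " +
                       ".pfx on removable or other secure storage." -f $c.Subject, $c.Thumbprint)
    }
}
```

On later Windows versions a recovery agent key pair can be generated offline with cipher /r:name, which writes name.cer (the public certificate that goes into the recovery policy) and name.pfx (the private key, which belongs in offline storage); the policy only ever needs the .cer, matching the text's point that the public portion is all that normal EFS operation requires.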