Re: EFS recovery agent

If one is not specified at the domain level, then the local administrator
will automatically be the RA when you encrypt a file on Windows 2000, assuming
domain policy allows EFS use. If an RA is specified at the domain level, then
you will not be able to specify one in Local Security Policy that will work.
FYI, in Windows 2000 using the local administrator as an RA can be a security
risk, because if a malicious user can access your computer he can use a
utility to change the built-in administrator password and then log on as the
built-in administrator to access any EFS files on the computer, unless the RA
private key had been exported/deleted.


"vashi" <vashi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
My laptop is part of a domain. Can I specify the local administrator to be the
data recovery agent for my EFS?

If yes, how to set it?

If yes, does that mean while travelling I can log in as local admin as
the EFS files encrypted while I was on my office LAN logged in with my

