RE: EFS Recovery Agent

From: Curtis Koenig [MSFT] (curtisko_at_online.microsoft.com)
Date: 02/23/05


Date: Wed, 23 Feb 2005 18:00:24 GMT

The help file for Windows XP has a good set of steps for how to specify a
recovery agent:

<<<<<<<<<<<<<>>>>>>>>>>>>>>
To add a recovery agent for a domain
1. Open Active Directory Users and Computers.
2. Right-click the domain whose recovery policy you want to change, and then
   click Properties.
3. Click the Group Policy tab.
4. Right-click the recovery policy you want to change, and then click Edit.
5. In the console tree, click Encrypted Data Recovery Agents.
   Where?
       Computer Configuration
           Windows Settings
               Security Settings
                   Public Key Policies
                       Encrypted Data Recovery Agents
6. In the details pane, right-click, then click Add, and follow the
   instructions.

Notes

You must be logged on as an administrator or a member of the Administrators
group in order to complete this procedure. If your computer is connected to
a network, network policy settings might also prevent you from completing
this procedure.
To start Active Directory Users and Computers, open a Remote Desktop
Connection to either a Windows 2000 domain controller or a member server
that has Windows 2000 Administration Tools installed. You must log on to
the server as a domain administrator in order to complete this procedure.
This operation can be performed on any sites, domains or organizational
units within an Active Directory forest.
Adding a recovery agent from a file identifies the user as USER_UNKNOWN.
This is because the name is not stored in the file.
Before you can add or create a recovery agent, you must configure Group
Policy on your computer. For more information about using Group Policy, see
Related Topics.
<<<<<<<<<<<<<>>>>>>>>>>>>>>

I would also suggest the following KB

223316 Best practices for the Encrypting File System
http://support.microsoft.com/?id=223316

--
Curtis Koenig
Security Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP
This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.  Thanks!
--------------------
>From: "Lee" <lee@nowehere.com>
>Subject: EFS Recovery Agent
>Date: Wed, 23 Feb 2005 16:49:50 -0000
>
>Hi,
>
>Hopefully someone can advise.
>
>I am trying to set up EFS in my domain. I would like to change the default
>EFS recovery agent from Administrator to a user. We do not currently have
>a CA; however, from what I have read, this is not necessarily required.
>
>Could someone please advise whether a CA is required, and if not, point me 
>in the direction of some help on how to do this.
>
>TIA
>
>Lee 
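Added example, not from either post in this thread: a PowerShell companion to the GUI steps quoted above. It uses cipher.exe (shipped with Windows XP/2003 and later) to create the recovery agent certificate without a CA, which is what the Add Recovery Agent wizard imports "from a file", and then to re-key existing encrypted files once the policy has applied. $DraName and $OutDir are placeholder values chosen here.

```powershell
# Added example (not code from the original posts). Assumes an elevated PowerShell
# session; $DraName and $OutDir are placeholders. cipher.exe is built into Windows.

$DraName = 'EFS-DRA'      # placeholder base name for the .cer/.pfx pair
$OutDir  = 'C:\EFS-DRA'   # placeholder output folder

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Push-Location $OutDir
try {
    # Step 1: create a self-signed data recovery agent certificate. No CA is needed.
    # cipher prompts for a password that protects the private key inside the .pfx.
    cipher.exe /r:$DraName
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

    # Step 2: only the public certificate (.cer) is imported with the Add Recovery
    # Agent wizard under Computer Configuration\Windows Settings\Security Settings\
    # Public Key Policies\Encrypted Data Recovery Agents. The agent shows up as
    # USER_UNKNOWN because the file carries no account name; that is expected.
    # The .pfx holds the private key that can decrypt every user's files: move it
    # to offline storage and delete the local copy once the policy is in place.
    Get-Item "$OutDir\$DraName.cer", "$OutDir\$DraName.pfx" | Format-Table Name, Length
}
finally {
    Pop-Location
}

# Step 3 (run on each domain member that stores encrypted files): after the
# policy refreshes, files encrypted earlier still reference the old recovery
# agent until they are rewritten. /u /n only lists the encrypted files; drop /n
# to re-key them to the new agent.
gpupdate.exe /force
cipher.exe /u /n
# cipher.exe /u      # uncomment to update every encrypted file on local drives
```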

