Create a recovery policy for a domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create a recovery policy for a domain

  1. Open Active Directory Users and Computers.

  2. Right-click the domain whose recovery policy you want to change, and then click Properties.

  3. Click the Group Policy tab.

  4. Right-click the recovery policy you want to change, and then click Edit.

  5. In the console tree, click Encrypting File System.

    Where?

    • Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System

  6. Do one of the following:

    • If you need to create a certificate to use as the Encrypting File System (EFS) recovery certificate, right-click Encrypting File System and click Create Data Recovery Agent.

    • If you want to use an existing certificate, click Add Data Recovery Agent and follow the instructions that are given by the wizard to complete this procedure.
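A command-line companion to step 6 and to the backup note below, added here and not part of the original Help topic: it uses the cipher.exe /r switch (available in Windows Server 2003) to generate a self-signed recovery agent certificate, writes it straight to removable media, and tells you which of the two output files to hand to Add Data Recovery Agent. The drive letter A:, the base name EFS-DRA and running it as a Domain Admin are assumptions, not something the page specifies.

```batch
@echo off
REM Added example, not from the original Help page. Creates an EFS data recovery
REM agent certificate with cipher.exe for use with "Add Data Recovery Agent" (step 6)
REM and keeps the private key on removable media, as the "Important" note advises.
REM Assumptions (not from the page): the backup disk is drive A:, the certificate
REM base name is EFS-DRA, and the script runs under a Domain Admins account.
setlocal

set DRIVE=A:
set NAME=EFS-DRA

if not exist %DRIVE%\ (
  echo Backup drive %DRIVE% is not available; insert the disk first.
  exit /b 1
)

REM cipher /r writes two files next to each other:
REM   %NAME%.cer  - the public certificate; this is what the policy wizard imports
REM   %NAME%.pfx  - certificate plus private key, protected by the password cipher
REM                 prompts for; this is the recovery key that must stay offline
cipher /r:%DRIVE%\%NAME%

if not exist %DRIVE%\%NAME%.pfx (
  echo %DRIVE%\%NAME%.pfx was not written; no recovery agent was created.
  exit /b 1
)
if not exist %DRIVE%\%NAME%.cer (
  echo %DRIVE%\%NAME%.cer was not written; nothing to import into the policy.
  exit /b 1
)

echo Import %DRIVE%\%NAME%.cer with "Add Data Recovery Agent" in the Group Policy editor.
echo Keep %DRIVE%\%NAME%.pfx, the only copy of the private key, on the disk and store it offline.
echo.
echo After the policy has been refreshed on a client (gpupdate /force), confirm that a
echo newly encrypted file lists the new agent among its recovery certificates:
echo     cipher /c ^<path-to-an-encrypted-file^>
endlocal
```

Files encrypted before the policy change are not updated automatically; they still carry the old recovery agent until they are re-encrypted.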

Important

  • Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • In a domain, a default recovery policy is implemented for the domain when the first domain controller is set up. The first domain administrator is issued a self-signed certificate that designates that administrator account as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator.

  • If you choose Create Data Recovery Agent during this procedure, the domain controller will contact a Windows Server 2003 family certification authority (CA) to request a certificate based on the EFS Recovery Agent certificate template. If this template is unavailable or does not allow you to obtain a certificate, Windows displays the following message: "Windows cannot create a data recovery agent."

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Recovering data
Back up default recovery keys to a floppy disk
Certificate Templates