Recovery Agent Certificates

Certificates with an object identifier of 1.3.6.1.4.1.311.10.3.4.1 in the Enhanced Key Usage field of the certificates are valid for EFS recovery agent operations. EFS automatically generates its own certificates for the default recovery agent accounts: the domain Administrator account for the first domain controller installed in the domain and the local Administrator account for stand-alone computers. The default recovery agent certificates are placed in the personal certificate store for the Administrator account. To recover data, a valid recovery agent certificate and private key must be installed on the computer where the recovery takes place. EFS recovery policy is valid only if all recovery certificates are valid.

If you want to designate alternate recovery agent accounts (other than the default recovery accounts), the alternate recovery accounts must have valid EFS recovery agent certificates. You can deploy Certificate Services to issue and manage EFS recovery agent certificates.

Windows 2000 includes the EFS Recovery Agent certificate template for use by enterprise CAs. EFS recovery agent certificates can be used for recovery agent operations only. By default, members of the Domain Admins and Enterprise Admins security groups have Enroll permission for EFS recovery agent certificates. However, if you want to change the accounts that are authorized to receive EFS recovery agent certificates, you can change the default ACLs for the certificate template. For more information about how to modify ACLs for certificate templates, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.

Stand-alone CAs do not use certificate templates, but can also issue EFS certificates. You must use the Advanced Certificate page Web form to request certificates from a stand-alone CA. For more information about how to request EFS certificates from a stand-alone CA, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.