Add a recovery agent for a domain

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add a recovery agent for a domain

  1. Open Active Directory Users and Computers.

  2. Right-click the domain whose recovery policy you want to change, and then click Properties.

  3. Click the Group Policy tab.

  4. Right-click the recovery policy you want to change, and then click Edit.

  5. In the console tree, click Encrypting File System.

    Where?

    • Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System

  6. In the details pane, right-click, then click Add Data Recovery Agent.

  7. Follow the instructions of the wizard to complete this procedure.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • This operation can be performed on any sites, domains or organizational units within an Active Directory forest.

  • Adding a recovery agent from a file identifies the user as USER_UNKNOWN. This is because the name is not stored in the file.

  • Adding a recovery agent from Active Directory requires that File Recovery certificates are published in Active Directory. However, the default EFS File Recovery certificate template does not publish these certificates. This can be changed by copying the default EFS File Recovery certificate template to create a new template and configuring it to Publish certificate in Active Directory. For more information on modifying certificate templates, see Related Topics.

  • Before you can add or create a recovery agent, you must configure Group Policy on your computer. For more information about using Group Policy, see Related Topics.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Create a new certificate template
Encrypting File System overview
Recovering data