Change the recovery policy for the local computer

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To change the recovery policy for the local computer

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Under Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.

  4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.

  5. Click Close, and then click OK.

  6. In Local Computer Policy, click Public Key Policies.

    Where?

    • Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Public Key Policies

  7. Right-click Encrypting File System, and then do one of the following:

    • To designate a user as an additional recovery agent using the Add Recovery Agent Wizard, click Add Data Recovery Agent.

    • To allow EFS to work without recovery agents, point to All Tasks and then click Do Not Require Data Recovery Agents.

    • To delete this EFS policy and every recovery agent, point to All Tasks and then click Delete Policy. If you select this option, users can still encrypt files on this computer. Note that this option will not appear unless there is an EFS policy on the computer.

Important

  • Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • There is no default recovery agent on a standalone computer. A file recovery certificate can be created by running cipher.exe /r, and the Add Data Recovery Agent option can be used to import this certificate into the EFS policy. For more information on cipher.exe, see Related Topics.

  • You can make changes to the File Recovery certificate by right-clicking the certificate and then clicking Properties. For example, you can give the certificate a friendly name and enter a text description.
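
The following added example (not part of the original topic) creates a file recovery certificate with cipher.exe /r and checks the resulting .cer file before it is imported with Add Data Recovery Agent. The staging folder C:\DRA-staging, the base name efs-dra, and the function name Test-EfsRecoveryCert are assumptions made for illustration; the script also assumes Windows PowerShell is installed on the computer.

```powershell
# Added example. Assumed names: C:\DRA-staging, efs-dra, Test-EfsRecoveryCert.
$ErrorActionPreference = 'Stop'
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Test-EfsRecoveryCert {
    param([string]$CerPath)
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $cert = New-Object $type -ArgumentList $CerPath
    # Collect every enhanced key usage OID carried by the certificate.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.EnhancedKeyUsages) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasRecoveryEku = ($ekuOids -contains $EfsRecoveryOid)
        InValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey  = $cert.HasPrivateKey   # must be False for the .cer file
    }
}

$stage = 'C:\DRA-staging'
if (-not (Test-Path $stage)) { New-Item -ItemType Directory -Path $stage | Out-Null }
Push-Location $stage
try {
    # Writes efs-dra.cer (certificate only) and efs-dra.pfx (certificate and
    # private key). cipher.exe prompts for the password that protects the .pfx.
    & cipher.exe /r:efs-dra
    $cer = Join-Path $stage 'efs-dra.cer'
    if (-not (Test-Path $cer)) { throw 'cipher.exe /r did not produce efs-dra.cer' }

    $result = Test-EfsRecoveryCert $cer
    $result | Format-List
    if (-not $result.HasRecoveryEku) { throw 'Certificate lacks the File Recovery usage' }
    if (-not $result.InValidity)     { throw 'Certificate is outside its validity period' }
    if ($result.HasPrivateKey)       { throw 'The file to import must not hold a private key' }
    Write-Host "Import $cer with Add Data Recovery Agent."
    Write-Host 'Move efs-dra.pfx to removable media and delete it from this computer.'
}
finally { Pop-Location }
```

Only the .cer file is imported into the EFS policy; the .pfx file holds the recovery private key and should be stored with the backed-up recovery keys.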

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Cipher
Recovering data
Back up default recovery keys to a floppy disk
Add a snap-in to a new MMC console for a local computer