EFS stores the recovery agent information for EFS recovery policy in Active Directory as part of Group Policy. All computers within the scope of a Group Policy are required to enforce that policy. For stand-alone computers, EFS recovery policy information is stored in Local Group Policy. This means that, in a domain, only domain administrators can control the recovery keys and in stand-alone mode, local administrators can.
The EFS service initializes during system startup as part of the Local Security Authority Subsystem (LSASS). LSASS is responsible for getting the EFS policy information in memory, either from the domain or locally.
For stand-alone computers, EFS recovery policy information is stored in local policy. The registry key that holds it is created by the EFS service, and the security on the key grants Full Control only to the System account. This partially ensures that no one other than local administrators can gain access to this information directly; to guard against accidental corruption of the data, even administrators are not given direct access to the key and change it only through policy. The same key is also where EFS recovery policy information from the domain is cached, so that the policy remains available when the domain controller cannot be reached because of network problems.

Note

When creating EFS recovery policy, as with any Group Policy object, it is a good idea to make a note of the date and action. Group Policy is not automatically backed up.
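The following PowerShell script is an added example, not part of the original documentation: it records the date and action of an EFS recovery policy change and takes a manual backup, because Group Policy is not backed up automatically. It assumes the GroupPolicy module (RSAT) is installed for the domain case, and the backup path, GPO name and action text are placeholders.

```powershell
# Added example: log an EFS recovery policy change and back up the policy that carries it.
# $BackupRoot, $GpoName and $Action are placeholders; replace them for your environment.
$BackupRoot = "C:\GPOBackups"
$GpoName    = "EFS Recovery Policy"   # the GPO containing the EFS recovery agent
$Action     = "Added EFS recovery agent certificate"

$Stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$Target = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Keep a human-readable change log next to the backups, as the note above recommends.
$LogLine = "{0}`t{1}\{2}`t{3}`t{4}" -f (Get-Date -Format o), $env:USERDOMAIN, $env:USERNAME, $GpoName, $Action
Add-Content -Path (Join-Path $BackupRoot "efs-policy-changes.log") -Value $LogLine

$IsDomainMember = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

if ($IsDomainMember) {
    # Domain case: recovery policy lives in the GPO, so back up that GPO.
    # The comment travels with the backup manifest, preserving the date/action note.
    Import-Module GroupPolicy
    $Backup = Backup-GPO -Name $GpoName -Path $Target -Comment "$Action ($Stamp)"
    Write-Output ("Backed up GPO '{0}' (backup id {1}) to {2}" -f $GpoName, $Backup.Id, $Target)
}
else {
    # Stand-alone case: recovery policy lives in Local Group Policy, which is stored
    # on disk under %SystemRoot%\System32\GroupPolicy, so copy that tree instead.
    $LocalPolicy = Join-Path $env:SystemRoot "System32\GroupPolicy"
    Copy-Item -Path $LocalPolicy -Destination (Join-Path $Target "GroupPolicy") -Recurse -Force
    Write-Output ("Copied Local Group Policy from {0} to {1}" -f $LocalPolicy, $Target)
}

# Confirm that something was actually written before relying on the backup.
if (-not (Get-ChildItem -Path $Target -Recurse -File | Select-Object -First 1)) {
    throw "Backup directory $Target is empty; the policy was not backed up."
}
```

Run this from an elevated PowerShell session with an account that can read the GPO (domain case) or the local policy folder (stand-alone case).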