Hello,
Yo ucan follow the next steps:
1.Start the Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
2.Right click on the domain and select Properties
3.Select 'Group Policy' tab
4.Select the 'Default Domain Policy' and click Edit
5.Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
6.Right click 'Encrypted Data Recovery Agents' and select Add
7.Click Next to the 'Add Recovery Agent Wizard'
8.Click 'Browse Directory'. Locate the user and click OK
9.Click Next to the agent dialog select
10.Click Finish to the confirmation
11.Close the Group Policy Editor
Then refresh the machine policy:
C:> <b>secedit /refreshpolicy machine_policy</b>
The agent will only be able to recover files encrypted after the user was made an agent. If an encrypted files is unencrypted and the encrypted or even just opened the new agent WILL be able to recover it as the file will "refresh" its recovery certificates (if the recovery policy has changed).
The local admin on a standalone PC or the first logon admin on a DC is the recovery agent by default. However this can be modified. You can remove the default recovery agent and assign any one as the recovery agent. In other words, admin can not read other person's encrypted file unless he is the recovery agent. The purpose of assigning the first logon admin as the recovery agent is to make life easier for most of our customer. The corporate user is recommended to modify the recovery agent.
--If the reply is helpful, please Upvote and Accept as answer--