Configuring Recovery Agent Policy

For more flexible EFS recovery management, consider issuing EFS recovery certificates to designated recovery agent accounts in addition to the default Administrator account. Legal or corporate policy might also require that the recovery agent account be different from the domain Administrator account. Keep in mind that whoever holds a recovery agent's private key can decrypt every file encrypted under a policy that lists that agent, so limit recovery agents to the accounts that genuinely need the role and protect their private keys accordingly. You can also configure EFS recovery policy for portable computers to use the same recovery agent certificates whether the computers are connected to a domain or operated as stand-alone computers.

For more information about how to configure local recovery agent policy on a stand-alone computer or at the local computer level in a domain, see Windows 2000 Professional Help or Windows 2000 Server Help. For more information about how to configure recovery agent policy at the domain controller level, see Windows 2000 Server Help.

You can request recovery agent certificates from either an enterprise CA or a stand-alone CA. You must be logged on as a member of the Domain Admins security group to request an EFS recovery agent certificate from an enterprise CA. You can use the Certificate Request wizard or the Web Enrollment Support pages to request certificates from an enterprise CA, and the Web Enrollment Support pages to request certificates from a stand-alone CA. (Certificate requests to stand-alone CAs are held as "pending" until the CA administrator approves them.) For more information about requesting certificates, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.

When the recovery agent certificate is installed in the personal certificate store of the requesting account, export the certificate and its private key (as described earlier in this chapter), and then import them for the designated recovery agent accounts. Then add the certificates to the appropriate EFS recovery policies. Because the exported file contains the recovery private key, protect it, and any copy left in the requesting account's store, as carefully as the files it can decrypt.
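The export and import steps above, as an added PowerShell example that is not part of the original chapter. It uses the PKI module cmdlets available on Windows 8 / Windows Server 2012 and later rather than the Windows 2000 Certificate Export and Import wizards the text refers to; the file path, the store locations, and the function names are assumptions for illustration. The script identifies the recovery agent certificate by its File Recovery enhanced key usage rather than by subject name, so that an ordinary EFS user certificate in the same store is never exported by mistake:

```powershell
# Added example (not from the original chapter): export an EFS recovery agent
# certificate with its private key from the requesting account, then import it
# for a designated recovery agent account. Requires the PKI module cmdlets
# (Windows 8 / Server 2012 or later). Paths and function names are assumptions.

# Enhanced key usage OID that marks an EFS recovery agent (File Recovery) certificate.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryAgentCert {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    # Return only certificates that carry the File Recovery EKU and a private key;
    # a plain EFS user certificate (EKU 1.3.6.1.4.1.311.10.3.4) does not qualify.
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $FileRecoveryEku }
        )
    }
}

function Export-RecoveryAgentPfx {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no exportable private key."
    }
    # The PFX holds the recovery private key: anyone who obtains it can decrypt
    # every file protected by a policy that lists this agent. Write it only to a
    # location with restrictive ACLs and delete it once the import is done.
    Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $Password `
        -ChainOption EndEntityCertOnly | Out-Null
    # The public certificate alone (.cer) is what gets added to the EFS recovery
    # policy; it contains no secret and can be distributed freely.
    $cerPath = [System.IO.Path]::ChangeExtension($PfxPath, '.cer')
    Export-Certificate -Cert $Cert -FilePath $cerPath -Type CERT | Out-Null
    return $cerPath
}

function Import-RecoveryAgentPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Run this while logged on as the designated recovery agent account so the
    # key lands in that account's personal store. -Exportable is deliberately
    # omitted: the imported private key can then be used for recovery but not
    # exported again from this account.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Password $Password
}

# --- Step 1: on the account that requested the certificate ---
$pfxPath = 'C:\Secure\efs-recovery-agent.pfx'   # assumed path; use an ACL-restricted folder
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'

$agentCert = Get-EfsRecoveryAgentCert | Select-Object -First 1
if (-not $agentCert) {
    throw 'No EFS recovery agent certificate with a private key found in CurrentUser\My.'
}
$cerPath = Export-RecoveryAgentPfx -Cert $agentCert -PfxPath $pfxPath -Password $pw
"Exported recovery agent '$($agentCert.Subject)' (thumbprint $($agentCert.Thumbprint))"
"Private key + certificate: $pfxPath"
"Public certificate for the recovery policy: $cerPath"

# --- Step 2: on each designated recovery agent account (after copying the PFX) ---
# $imported = Import-RecoveryAgentPfx -PfxPath $pfxPath -Password $pw
# "Imported thumbprint $($imported.Thumbprint); remove the PFX file now."
```

There is no built-in cmdlet for the final step, adding the certificate to the EFS recovery policy: on a stand-alone computer use Local Security Policy (Public Key Policies, Encrypting File System, Add Data Recovery Agent) with the exported .cer file, and at the domain level use the corresponding Group Policy object. After the policy is in place, encrypt a test file and run `cipher.exe /c <file>` to confirm that the new recovery agent's certificate is listed for that file; files encrypted before the policy change are not updated until `cipher.exe /u` is run or the files are rewritten.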