Encrypting File System
Rather than attempt to manage EFS recovery on a domain-wide basis, consider assigning dedicated recovery computers to manage recovery for subsets of computers in your domain, or even for single computers. Domain administrators can do this by using the Active Directory Users and Computers console to group computers into organizational units, and then configuring a separate EFS recovery policy for each organizational unit. You might want to appoint several administrators to use one recovery account to recover users' files as necessary for that organizational unit.
Although a recovery policy can be scoped to apply to an organizational unit, the policy itself must be defined at the domain level by a domain administrator. Subdomain administrators can view the recovery agent policy, but cannot set or modify it.
To use Group Policy for this purpose, install the Group Policy MMC
To use Group Policy to delegate recovery
This opens the Add Recovery Agent wizard. Figure 15.13 shows the opening screen of the wizard.
Figure 15.13 Welcome Screen in Add Recovery Agent Wizard
Figure 15.14 Second Screen in Add Recovery Agent Wizard
You can add recovery agent certificates that are published in Active Directory. The recovery agent user account information associated with the published certificates appears in the Users column.
You can also add a recovery agent certificate from a file. If so, the Users column displays "USER_UNKNOWN." This is because adding the certificate from a file does not provide any security identifier (SID) information about the owner of the private key.
Note
The Add Recovery Agent wizard accepts a recovery agent certificate file only if it has a .cer extension. You can import certificates to the local computer using the Certificate Request wizard, as described in Certificates Help.
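Before handing a certificate file to the Add Recovery Agent wizard, it is worth checking that the file is what the wizard expects. The following PowerShell function is an added example, not code from the Resource Kit or from Windows itself. It assumes the file is a DER or Base64 X.509 certificate and that the intended purpose is EFS file recovery, which is the Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4.1 ("File Recovery"). It checks the .cer extension the wizard requires, the validity period, that the File Recovery EKU is present, and that the file carries no private key (a .cer holds only the public half; the private key used for actual recovery stays with whoever generated it and should be kept offline). Because a file-based certificate carries no SID, the wizard shows USER_UNKNOWN; as a courtesy the function also pulls any UPN from the Subject Alternative Name so you can see which account the certificate was issued to, while noting that this is not a security identifier and the wizard will not use it.

```powershell
# Added example: pre-check an EFS recovery agent certificate file before
# adding it through the Add Recovery Agent wizard. Not from the original page.
# Assumption: File Recovery EKU OID is 1.3.6.1.4.1.311.10.3.4.1.
function Test-EfsRecoveryAgentCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
    $sanOid          = '2.5.29.17'   # Subject Alternative Name

    $result = [ordered]@{
        Path               = $Path
        HasCerExtension    = ([System.IO.Path]::GetExtension($Path) -ieq '.cer')
        Loaded             = $false
        Subject            = $null
        NotAfter           = $null
        IsValidNow         = $false
        HasFileRecoveryEku = $false
        HasPrivateKey      = $false   # must be $false for a .cer you distribute
        PrincipalName      = $null    # UPN from SAN, informational only; not a SID
        Problems           = @()
    }

    if (-not $result.HasCerExtension) {
        $result.Problems += 'The wizard only accepts files with a .cer extension.'
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Problems += 'File not found.'
        return [pscustomobject]$result
    }

    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    } catch {
        $result.Problems += "Not a parsable X.509 certificate: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $result.Loaded        = $true
    $result.Subject       = $cert.Subject
    $result.NotAfter      = $cert.NotAfter
    $result.HasPrivateKey = $cert.HasPrivateKey
    $now = Get-Date
    $result.IsValidNow    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)

    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $fileRecoveryOid) { $result.HasFileRecoveryEku = $true }
            }
        }
        elseif ($ext.Oid.Value -eq $sanOid) {
            # Format() renders a UPN entry as "Principal Name=user@domain".
            # This is display text, so treat it as informational only.
            $text = $ext.Format($true)
            if ($text -match 'Principal Name=(\S+)') { $result.PrincipalName = $Matches[1] }
        }
    }

    if (-not $result.IsValidNow) {
        $result.Problems += "Certificate is outside its validity period (expires $($cert.NotAfter))."
    }
    if (-not $result.HasFileRecoveryEku) {
        $result.Problems += 'Certificate lacks the File Recovery enhanced key usage.'
    }
    if ($result.HasPrivateKey) {
        $result.Problems += 'File contains a private key; distribute only the public certificate.'
    }
    if ($null -eq $result.PrincipalName) {
        $result.Problems += 'No UPN in SAN; the wizard will list the agent as USER_UNKNOWN (expected for file-based certificates).'
    }

    return [pscustomobject]$result
}

# Usage (hypothetical path):
#   Test-EfsRecoveryAgentCert -Path 'C:\Recovery\ou-finance-recovery.cer' | Format-List
```

An empty Problems list means the file is safe to import in the wizard; a non-empty list tells you which check failed. The UPN-from-SAN lookup is purely informational: the wizard identifies recovery agents by the SID it obtains from Active Directory, so a certificate loaded from a file will still show as USER_UNKNOWN even when the SAN names an account.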