Recovery agents are an important part of EFS. A recovery agent is given the ability to forcibly recover files that have been encrypted by another user. Knowing this, you will want to be selective as to which users on the network are assigned this role as they will have the right to decrypt any file.

Designating a recovery agent is a lengthy, detailed process. However, in order to implement an EFS infrastructure, you need to know the steps that have to be completed. Assuming that your network has a certificate authority, you can start by creating a new group that will contain the user accounts to be designated as recovery agents.

To create a new group:

  1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.
  2. Double click your domain in the left pane, right click the organization unit that you want to create the group in, point to New, and click Group.
  3. Type a name for the group.
  4. Click OK.
  5. Right click the group you just created and click Properties.
  6. Click the Members tab.
  7. Click the Add button to open the Select Users, Contacts, or Computers dialog.
  8. Enter the user name you wish to add in the “Enter the object names to select” box and click Check Names. Click OK to add the user.
  9. Repeat the previous step for each additional user you want to add to the group.
  10. Click OK.

Once you have a group created, you can move on to the next step, which is assigning the Enroll permission to the group on the EFS Recovery template. This is done using the Active Directory Sites and Services console.

  1. Click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. From the View menu, select Show Services Node. The Services container will appear under Sites.
  3. In the left pane, expand Services | Public Key Services | Certificate Templates.
  4. In the details pane, right-click EFS Recovery and click Properties.
  5. Click the Security tab.
  6. Click Add to open the Select Users, Computers, or Groups dialog box.
  7. Type in the name of the group created in the previous set of steps and click Check Names.
  8. Click OK.
  9. If necessary, remove any other groups and click OK.
  10. Close the Active Directory Sites and Services console.
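The two GUI procedures above (creating the group and populating it, then granting that group Enroll on the EFS Recovery template) can also be scripted. The following PowerShell is an added example written for this page, not code from the original article or from Microsoft. It assumes the ActiveDirectory module is available, that the domain, OU path, group name and member accounts shown are placeholders you will replace, and that the template's LDAP cn is `EFSRecovery` (the template whose display name you see as EFS Recovery in the console). The Enroll permission corresponds to the Certificate-Enrollment extended right, whose well-known GUID is used below.

```powershell
# Added example (not from the original article): script the two procedures above.
# Assumptions (placeholders, not taken from the article):
#   - Domain corp.example and OU "OU=Security,DC=corp,DC=example".
#   - Group name "EFS Recovery Agents" and member accounts alice/bob are constructed.
#   - The EFS Recovery template's cn in AD is "EFSRecovery".
#   - Run under an account permitted to create groups and edit template ACLs.
Import-Module ActiveDirectory

$GroupName  = 'EFS Recovery Agents'
$GroupPath  = 'OU=Security,DC=corp,DC=example'   # placeholder OU
$Members    = @('alice', 'bob')                    # constructed sample accounts
$TemplateCN = 'EFSRecovery'                        # assumed cn of the template

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" on a template).
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# --- Procedure 1: create the group (if missing) and add its members ----------
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $GroupPath -PassThru
}
Add-ADGroupMember -Identity $group -Members $Members

# --- Procedure 2: grant the group Enroll on the EFS Recovery template ---------
# Certificate templates live in the Configuration naming context under Public Key Services,
# which is what the Sites and Services console shows once Show Services Node is enabled.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$aclPath    = "AD:\$templateDN"

$acl = Get-Acl -Path $aclPath
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Allow ExtendedRight limited to the Enroll right (ObjectType = Certificate-Enrollment GUID).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $EnrollRightGuid
)
$acl.AddAccessRule($rule)
Set-Acl -Path $aclPath -AclObject $acl

# --- Check: who can enroll for this template now? ----------------------------
# Step 9 of the console procedure (removing other groups) is left to you after reviewing
# this list; any principal shown here can obtain a recovery agent certificate.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.ObjectType -eq $EnrollRightGuid } |
    Select-Object IdentityReference, AccessControlType
```

The final listing is the check worth keeping: because a recovery agent can decrypt any EFS-protected file, the set of principals holding Enroll on this template should be exactly the group you created, and re-running that query after the change confirms nothing else was left behind.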

Unfortunately, you are not yet finished. The next step is to have each member of the group log on to the domain and request a certificate. This will be covered in the next installment of the article.
