A quick recap from the previous installment of this article: there are several steps that need to be completed when setting up EFS recovery agents. After you have created a group and added the appropriate user accounts, this group must be granted Enroll permission on the EFS Recovery template. The next step is to have each member of the group request a certificate using the steps below.

  1. Have the user log on to your domain.
  2. Click Start and click Run. Type mmc and click OK.
  3. From the File menu, select Add/Remove Snap-in.
  4. Click Add, then select Certificates from the list.
  5. Click Add.
  6. The next dialog prompts you to choose which account's certificates will be managed. Accept the default setting of My user account and click Finish.
  7. Click Close in the Add Standalone Snap-in dialog.
  8. The Add/Remove Snap-in dialog should now contain the Certificates snap-in for the current user.
  9. Click OK to add the snap-in.
  10. Double-click Certificates in the left pane, right-click Personal, point to All Tasks, and click Request New Certificate.
  11. Click Next on the opening dialog of the Certificate Request Wizard.
  12. Select EFS Recovery Agent from the list of certificate types.
  13. Assign a name and description to the certificate so that you can identify it. Click Next.
  14. A summary of the information appears. Click Finish to request the certificate.
  15. You will be notified when the certificate request is successful.
You can also verify that the certificate was generated. Double-click Personal in the left pane of the Certificates snap-in and then click Certificates. Your newly issued certificate should appear in the right pane.

Your final step will be to enable the recovery policy and add the certificates. Once you have logged on as a domain administrator, you can complete the steps below.

  1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.
  2. Right-click your domain and click Properties.
  3. Select the Group Policy tab.
  4. Select the Default Domain Policy and click Edit. This opens the Group Policy editor.
  5. Expand Computer Configuration | Windows Settings | Security Settings, and click Public Key Policies.
  6. Right-click the Encrypting File System container and select Add Data Recovery Agent. By default the local Administrator is automatically designated as a recovery agent; this wizard lets you designate other users as recovery agents.
  7. Click Next.
  8. Select the recovery agents. If the certificates are published in Active Directory, use the Browse Directory button to add user accounts. If the certificates are not stored in Active Directory, use the Browse Folders button to locate the certificate files.
  9. Click Next.
  10. Click Finish after reviewing the summary.

You are now done. Any users that are members of the group you created should be able to recover encrypted files. They should also be listed as recovery agents within the Encrypting File System container.
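To confirm both halves of the procedure took effect, the following PowerShell check is an added example (not part of the original article): it looks for a certificate carrying the File Recovery EKU in the current user's Personal store, then encrypts a scratch file and asks cipher.exe which recovery certificates were attached to it. It assumes a domain-joined client that has refreshed Group Policy (gpupdate /force) and that the "No recovery certificate found" text matches cipher's English output.

```powershell
# Added example, not from the original article. Verifies EFS recovery agent setup.
# Standard Microsoft EKU OID for "File Recovery" (EFS Recovery Agent certificates).
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryAgentCert {
    # Returns every certificate in Cert:\CurrentUser\My whose Enhanced Key Usage
    # extension (OID 2.5.29.37) lists the File Recovery EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
    }
}

function Test-EfsRecoveryPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'efs-dra-check.txt'))
    # Create a scratch file (constructed test data), encrypt it with EFS, and read
    # back the recovery certificates that the DRA policy stamped into its $EFS stream.
    Set-Content -Path $Path -Value 'constructed test data'
    (Get-Item -Path $Path).Encrypt()
    $report = cipher.exe /c $Path
    Remove-Item -Path $Path -Force

    # Assumption: cipher prints this phrase when the file has no recovery agent.
    $hasAgent = -not ($report -match 'No recovery certificate found')
    [pscustomobject]@{
        HasRecoveryAgent = $hasAgent
        # Keep only the lines naming recovery agents and their thumbprints.
        RecoveryDetails  = $report | Where-Object { $_ -match 'Recovery Certificates|Certificate thumbprint' }
    }
}

# Part 1: was the EFS Recovery Agent certificate actually issued to this user?
$agentCerts = Get-EfsRecoveryAgentCert
if (-not $agentCerts) {
    Write-Warning 'No File Recovery certificate in the Personal store; re-run the request wizard.'
} else {
    $agentCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# Part 2: does the domain policy attach a recovery agent to newly encrypted files?
$policy = Test-EfsRecoveryPolicy
if (-not $policy.HasRecoveryAgent) {
    Write-Warning 'Encrypted file has no recovery agent; check the DRA policy and gpupdate.'
} else {
    $policy.RecoveryDetails
}
```

A file encrypted before the policy was applied keeps its old recovery information until it is touched; cipher /u updates existing files to the current recovery policy.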
