Wednesday, March 4, 2009

Change Recovery Policy

To change the recovery policy for the local computer

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Under Add Standalone Snap-in, click Group Policy, and then click Add.
  4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.
  5. Click Close, and then click OK.
  6. In Local Computer Policy, click Public Key Policies.


    • Local Computer Policy
      o Computer Configuration
        o Windows Settings
          o Security Settings
            o Public Key Policies

  7. In the console tree, right-click Encrypted Data Recovery Agents, and then do one of the following:
    • To designate a user as an additional recovery agent using the Add Recovery Agent wizard, click Add.
    • To request a new file recovery certificate using the Certificate Request wizard, click Create. To complete this procedure, you must have the appropriate permissions to request the certificate and the certification authority (CA) must be configured to issue this type of certificate.
    • To delete this EFS policy and every recovery agent, click Delete Policy. If you select this option, users cannot encrypt files on this computer.


  • Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk.


  • You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.
  • Usually, the computer issues a default self-signed certificate that designates the initial Administrator account as the default recovery agent. However, if the user who first logs on after installation creates a second account by using the Create New User Wizard, then the second account becomes the default recovery agent.
  • If the default recovery agent's certificate is deleted without another recovery agent specified in the policy, the computer has an empty recovery policy. An empty recovery policy means that a recovery agent does not exist. This turns EFS off, so users cannot encrypt files on this computer.
  • In a domain, a default recovery policy is implemented for the domain when the first domain controller is set up. The domain administrator is issued the self-signed certificate, which designates the domain administrator as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator.
  • To make changes to the File Recovery certificate, right-click the certificate, and then click Properties. For example, you can use this to give the certificate a friendly name and enter a text description.
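
A pre-check to run before designating an additional recovery agent with the Add Recovery Agent wizard, as an added example (not part of the original post or the documented procedure): it loads a candidate .cer file and reports whether the certificate is inside its validity period and carries the File Recovery enhanced key usage. The parameter `CerPath` and the function name `Test-RecoveryAgentCertificate` are hypothetical names chosen for this example.

```powershell
# Added example: inspect a candidate EFS recovery agent certificate (.cer).
# Assumption: -CerPath points at a certificate file exported for the wizard.
param(
    [Parameter(Mandatory)]
    [string]$CerPath
)

# OID of the "File Recovery" enhanced key usage (EFS recovery agent).
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-RecoveryAgentCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RequiredEku
    )

    $problems = @()
    $now = Get-Date

    # Validity window check.
    if ($now -lt $Cert.NotBefore) { $problems += "Not valid until $($Cert.NotBefore)" }
    if ($now -gt $Cert.NotAfter)  { $problems += "Expired on $($Cert.NotAfter)" }

    # Collect every enhanced key usage OID present on the certificate.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    if ($ekus -notcontains $RequiredEku) {
        $problems += "Missing File Recovery EKU ($RequiredEku)"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)   # informational only
        NotAfter   = $Cert.NotAfter
        Problems   = $problems
        Usable     = ($problems.Count -eq 0)
    }
}

# .NET resolves relative paths against the process directory, so expand first.
$fullPath = (Resolve-Path -LiteralPath $CerPath).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
Test-RecoveryAgentCertificate -Cert $cert -RequiredEku $FileRecoveryOid | Format-List
```

Record the thumbprint it reports, so the agent later shown under Encrypted Data Recovery Agents can be matched to the certificate whose recovery key was backed up.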