This tip is from TechRepublic's weekly Windows 2000 Professional newsletter. Sign up instantly to begin receiving this free newsletter in your inbox.
The Encrypting File System (EFS) enables users to securely encrypt files—a nearly effortless process because Windows 2000 automatically creates the keys needed to encrypt and decrypt the data. But if the user somehow deletes his or her EFS private key, the encrypted data could be inaccessible. However, Windows 2000 also creates a recovery agent key that can decrypt the data.
Windows 2000 encrypts files with the recovery agent's public EFS key, as well as the user's EFS key. This means you can use the recovery agent's key to decrypt the files if the user's key is lost.
By default, the local administrator account is the default recovery agent for computers in a workgroup. The domain administrator is the default recovery agent for computers in a domain.
To protect against inaccessible data if there's a problem with the user keys, you should back up the recovery agent key on any systems that use EFS. To export the key on a workgroup computer, follow these steps:
In the wizard, if you choose the option to remove the private key from the computer after the export is complete, you must restart the workstation or domain controller for the removal to be complete.
If you need to back up the recovery agent key for a domain, run Dompol.msc on the first domain controller in the domain. Use the same procedure as above to export the key to a file.