Tech Tip: Add recovery agents for EFS/Back up the registry with the Backup utility

Learn how to add recovery agents via local policy, and see how you can use Windows Backup to quickly back up the registry.

Add recovery agents for EFS

Windows' Encrypting File System (EFS) provides on-the-fly encryption and decryption of files on an NTFS volume, and it can help protect sensitive data on vulnerable systems such as notebooks.

EFS uses the user's encryption certificate to encrypt and decrypt the data. The encryption/decryption process is transparent to the user because EFS uses the user's existing certificate for the encryption.

If the user's certificate is lost or corrupted, designated encrypted data recovery agents can use their certificates to decrypt the data. By default, the local Administrator account works as a recovery agent.

In some cases, however, it can be useful to specify other recovery agents. You can do so for domain members through group policy, and you can use local policy for stand-alone workstations.

To add recovery agents via local policy, follow these steps:

  1. Export the target user's certificate to a .cer file using the Certificates MMC snap-in or Internet Explorer (go to Tools | Internet Options, select the Content tab, and click the Certificates button).
  2. Go to Control Panel, open the Administrative Tools folder, and double-click Local Security Policy.
  3. Expand the Public Key Policies branch, and select Encrypted Data Recovery Policy.
  4. Right-click Encrypted Data Recovery Policy, and choose Add.
  5. Click Browse Folders, select the .cer file, and click Open.
  6. Click Next, and click Finish.

This process is similar for domain members, but you must edit the group policy object at the domain or OU level.

It's a good idea to place all of the recovery agents' .cer files in a safe location in case you need them again. Choose a location that's both physically secure and safe from drive or other hardware failures.
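The following PowerShell script is an added example, not part of the original tip, that automates step 1 above on a current Windows version: it finds the user's EFS certificate in the personal store, writes it out as a public-key-only .cer file suitable for the Encrypted Data Recovery Policy, and confirms that the exported file carries no private key. The output folder, the sample file path, and the use of cipher.exe /c (available on Windows XP and later) are assumptions of the example.

```powershell
# Added example (not from the original article): export the current user's EFS
# certificate to a public-only .cer file and verify the export before it is added
# as a recovery agent. Assumes Windows PowerShell 3.0 or later; $OutDir and
# $SampleFile are constructed values.

$OutDir     = 'C:\RecoveryAgents'   # assumption: destination for the .cer files
$SampleFile = 'C:\Data\secret.txt'  # assumption: an EFS-encrypted file to inspect

# EFS certificates carry the Encrypting File System enhanced key usage OID.
$EfsOid   = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }

if (-not $efsCerts) {
    throw "No EFS certificate found in the current user's personal store."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    # X509ContentType::Cert writes the DER-encoded public certificate only;
    # the private key stays in the user's profile.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $path  = Join-Path $OutDir ("{0}-{1}.cer" -f $env:USERNAME, $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($path, $bytes)

    # Reload the file and check it is public-only and matches the source cert.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    if ($check.HasPrivateKey) {
        throw "Unexpected private key in $path"
    }
    if ($check.Thumbprint -ne $cert.Thumbprint) {
        throw "Thumbprint mismatch for $path"
    }
    Write-Host ("Exported {0}  thumbprint {1}  expires {2}" -f $path, $cert.Thumbprint, $cert.NotAfter)
}

# Once the .cer has been added under Encrypted Data Recovery Policy, cipher /c
# lists the users and recovery agents that can decrypt a given encrypted file.
if (Test-Path $SampleFile) {
    cipher.exe /c $SampleFile
}
```

The thumbprint and expiry date printed for each file are worth recording alongside the .cer files in the safe location described above: a recovery agent certificate that has expired or been replaced will not be able to open files encrypted after the change, and the thumbprint lets you confirm later that the stored file is the one that was added to policy.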

Back up the registry with the Backup utility

Some Windows administrators don't think very highly of the Backup utility included with Windows 2000 Server and prefer to use third-party solutions for their backup needs. However, while Windows Backup doesn't have all the bells and whistles that other backup solutions offer, it does offer one feature that makes it easy to back up the registry.

The Windows registry comprises several files, the majority of which reside in the %systemroot%\System32\Config folder. Windows 2000 Server also maintains a backup copy of the registry hive files in the folder %systemroot%\Repair.

Windows doesn't refresh the copy in the Repair folder automatically. It places a copy there during Setup, but it doesn't update these files on its own.

However, you can use Windows Backup to quickly back up the registry. Follow these steps:

  1. Open the Backup utility by going to Start | Programs | Accessories | System Tools | Backup.
  2. Choose Tools | Create An Emergency Repair Disk.
  3. In the Emergency Repair Diskette dialog box, select the Also Back Up The Registry To The Repair Directory option, and click OK.
  4. After the backup is complete, Backup displays an error that there is no diskette available for the backup. Click OK at this error message.

This backs up the registry files to the Repair folder. If your server experiences a corrupted registry or you need to revert to the previous configuration, boot the server with the Recovery Console, copy the registry files from the Repair folder to the Config folder, and reboot.
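The following PowerShell script is an added example, not part of the original tip, showing a scripted alternative to the Backup utility on a current Windows version: it saves live copies of the registry hives with reg.exe into a timestamped folder, restricts the folder's permissions, and writes a SHA-256 manifest so the copies can be checked before they are restored. The backup root, the hive list, and the use of an elevated Windows PowerShell 4.0+ session with reg.exe save, icacls.exe, and Get-FileHash (Windows Vista/Server 2008 or later) are assumptions of the example.

```powershell
# Added example (not from the original article): save the registry hives to a
# timestamped, access-restricted folder and write a hash manifest. Must be run
# elevated. $BackupRoot is a constructed value.

$BackupRoot = 'C:\RegBackup'   # assumption: where registry backups are kept
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Dest       = Join-Path $BackupRoot $Stamp

# The hives that live under %systemroot%\System32\Config. SAM and SECURITY hold
# account and LSA secrets, so the destination is locked down before writing.
$Hives = @{
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SAM'      = 'SAM'
    'HKLM\SECURITY' = 'SECURITY'
    'HKU\.DEFAULT'  = 'DEFAULT'
}

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Drop inherited permissions; grant only Administrators and SYSTEM.
icacls.exe $Dest /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

foreach ($key in $Hives.Keys) {
    $file = Join-Path $Dest $Hives[$key]
    # reg save writes a consistent hive file even though the hive is in use.
    reg.exe save $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save $key failed with exit code $LASTEXITCODE" }
    if ((Get-Item $file).Length -eq 0) { throw "Empty hive file written for $key" }
}

# Manifest: hash each hive so a later restore can detect a tampered or truncated copy.
# Hashes are collected first so the manifest file itself is not included.
$hashes = Get-ChildItem $Dest -File | Get-FileHash -Algorithm SHA256
$hashes |
    ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -Path (Join-Path $Dest 'SHA256SUMS.txt')

Write-Host "Registry hives saved to $Dest"
```

The files reg.exe writes are in the same hive format as those under the Config folder, so the restore procedure is the same as the one described above: boot into the Recovery Console, copy the saved hives over the Config folder, and reboot. Because the SAM and SECURITY copies contain credential material, treat the backup folder with the same care as the recovery agent certificates: keep it on storage that is both physically secure and independent of the server's own drives.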