Configuring recovery policies
Configuring recovery policies
Recovery policies are configured automatically for domain controllers and workstations. By default, domain administrators are the designated recovery agents for domains, and the local administrator is the designated recovery agent for a standalone workstation.
Group Policy Management Console (GPMC) is a feature you can add to any installation of Windows Server 2008 or later by using the Add Roles And Features Wizard. The GPMC is also available on Windows desktops when you install the Remote Server Administration Tools (RSAT). After you add the GPMC to a computer, it is available on the Tools menu in Server Manager. Through the Group Policy console, you can view, assign, and delete recovery agents by following these steps:
1. With the GPMC, you can edit a Group Policy Object (GPO) by pressing and holding or right-clicking the GPO, and then selecting Edit on the shortcut menu. The GPMC then opens the Group Policy Management Editor, which you use to manage policy settings.
2. Open the Encrypted Data Recovery Agents node in Group Policy. To do this, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then select Encrypting File System.
3. The pane at the right lists the recovery certificates currently assigned. Recovery certificates are listed according to who issued them, who they are issued to, expiration date, purpose, and more.
4. To designate an additional recovery agent, press and hold or right-click Encrypting File System, and then tap or click Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and mark it as a designated recovery certificate. Tap or click Next.
5. On the Select Recovery Agents page, you can select certificates published in Active Directory or use certificate files. If you want to use a published certificate, tap or click Browse Directory and then-in the Find Users, Contacts, And Groups dialog box-select the user with which you want to work. You’ll then be able to use the published certificate of that user. If you want to use a certificate file, tap or click Browse Folders. In the Open dialog box, use the options provided to select and open the certificate file you want to use.
SECURITY ALERT Before you designate additional recovery agents, you should consider setting up a root certificate authority (CA) in the domain. Then you can use the Certificates snap-in to generate a personal certificate that uses the EFS Recovery Agent template. The root CA must then approve the certificate request so that the certificate can be used.
6. To delete a recovery agent, select the recovery agent’s certificate in the right pane, and then press Delete. When prompted to confirm the action, tap or click Yes to permanently and irrevocably delete the certificate. If the recovery policy is empty (meaning that it has no other designated recovery agents), EFS will be turned off so that files can no longer be encrypted; existing EFSencrypted resources won’t have a recovery agent.