How to reinitialize the EDRP on a workgroup computer running Windows 2000

This article describes how to reinitialize the local recovery policy on a Windows 2000-based computer. This process does not reinitialize a domain recovery policy. For Windows 2000-based domain members, the local recovery policy is superseded by the domain recovery policy.

Encrypting File System (EFS) provides built-in data recovery by enforcing a recovery policy requirement. The requirement is that a recovery policy must be in place before you can encrypt files. The recovery policy provides for a person to be designated as the recovery agent. When an administrator logs on to the computer for the first time, a default recovery policy is automatically created, which makes that account the recovery agent.

The local recovery policy contains the EFS Recovery certificate for the Recovery agent. As long as the policy is populated with this certificate, users can encrypt files. It is possible, however, to lose the private key associated with the Recovery certificate (if the user profile is deleted, for example). If this occurs, the Recovery agent is unable to recover any encrypted files.

Computers that are in a workgroup are most susceptible to this. Computers that are members of a domain inherit their recovery policy from that domain.

Reinitializing the Recovery Policy

1. Log on to Windows 2000 by using the Recovery Agent account.
2. Open the Local Security Policy snap-in in Microsoft Management Console (MMC) that is located in the Administrative Tools folder.
3. Open the Public Key Policies folder, and then click the Encrypted Data Recovery Policy (EDRP) folder.
4. Delete the recovery certificate in the policy, and then quit the snap-in.
5. Start MMC, and then add the Certificates snap-in to the current user account.
6. Open the Personal store, and then delete the recovery certificate. This certificate has the same user name in the Issued To and Issued By columns, and contains the value "File Recovery" in the Intended Purposes column.
7. Quit MMC.
8. At a command prompt, type the following lines, pressing ENTER after you type each line:
   regsvr32 -u sclgntfy.dll
   regsvr32 sclgntfy.dll
9. Log off and log on again using the Recovery Agent account. A new certificate and private key is created for that account. New encrypted files are recoverable by this user. Existing files become recoverable when they are opened and then closed by the owner of the file.