You can use Windows 2000 Encrypting File System (EFS) to encrypt data so that only your user account and the recovery agent account can access the data. This feature prevents data from being accessed by other users. Data encryption is especially valuable on laptop computers, which are more liable to theft.
If you are a local administrator, a default recovery policy is created after you log on to a computer for the first time. You are automatically configured as a recovery agent for this computer. After you set up the first domain controller in a Windows 2000 domain, the domain administrator is the specified recovery agent for the domain. You can configure additional recovery agents at either the domain or the organizational unit levels. The administrator of the local computer is the default recovery agent; however, in a domain environment, the domain administrator is the default recovery agent.
The following list describes three methods to recover data if a user leaves a company or if the user's file encryption certificate is either lost or corrupted:
- You can send the encrypted file to the recovery agent for recovery. For this method, you back up the encrypted file, and then send the backup file to the recovery agent. After the recovery agent restores the file and removes the encryption attribute, they return the file to you.
- The recovery agent can come to the computer that contains the data that you want to recover.
- You can restore the user's file encryption certificate to the local computer. For this method, you back up the Recovery Agent Certificate, and then install it on the computer that requires encrypted file recovery.
This article describes how to use the Ntbackup tool to recover files.
How to Back Up Encrypted Files
- On the computer that has the encrypted file, click Start, and then click Run.
- Type ntbackup in the Open box.
- Click the Backup tab, and then click to select check box next to the file or folder that you want to recover.
- Type the path and the file name for the backup file in the Backup media or file name box.
For example, type c:\recover to store the backup file in the root of drive C.
- Click Start Backup, and then click Close after the backup process is completed.
- Send the file to a recovery agent.
How to Restore Encrypted Files
If you are the recovery agent, follow these steps on your computer after you receive the backup of the encrypted file to restore the file:
- Click the Start, click Run, and then type ntbackup in the Open box.
- Click the Restore tab, and then click Catalog a backup file on the Tools menu.
- Type the path and the file name of the backup file that was sent to you in the Catalog backup file box, and then click OK.
- Click to expand Media created date in the left pane (where date is the date on which you are doing this procedure), and then click to select the check box next to either the file or the folder name that you want to recover.
- Type a path to a location to which you want to store the files in the Restore files box.
- Click Start Restore, and then click Close after the restore process is completed.
- Start Microsoft Windows Explorer, right-click either the files or the folders that you just restored, and then click Properties.
- Click the General tab, and then click Advanced.
- Click to clear the Encrypt contents to secure data check box, and then click OK.
- Click the option that is appropriate to your scenario, click OK, and then click OK.
- Use the Ntbackup tool to back up the unencrypted files and folders, and then send the backup file back to the user.
- Instruct the user to restore the backup file to the original location to overwrite the original files.NOTE: The default restore procedure does not overwrite files. To configure the restore procedure to overwrite the original file, click Options on the Tools menu, click the Restore tab, and then click Always replace the file on my computer.
Article ID: 313277 - Last Review: October 31, 2006 - Revision: 2.2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
|kbenv kbhowto kbhowtomaster KB313277|