Article ID: 887414
This article describes how to create a recovery agent key and certificate for selected users in Microsoft Windows XP Professional Encrypting File System (EFS). Recovery agents can use certificates and public keys to decrypt files. An administrator can add the contents of a certificate to the EFS recovery policy to create the recovery agent for users, and can import the .PFX file to recover individual files. In Group Policy Object Editor, you can specify the domain or the organizational unit of a recovery agent.
In Microsoft Windows 2000 EFS, the built-in Administrator account is used as the default recovery agent. In Windows XP Professional, the EFS recovery agent's recovery certificate is not set as the default. This configuration change prevents a malicious attempt to decrypt files by using the Administrator account. In systems that are upgraded from Windows 2000, the Administrator account that was set as the default recovery agent is migrated and continues to be used as the default EFS recovery agent.
To create an EFS recovery agent key and certificate for selected users, follow these steps.
Step 1: Export recovery certificates and the private key
Step 2: Import recovery certificates and the private key