FIGURE 2-33 The Group Policy Management Editor
3. Right-click and select Add Data Recovery Agent. Click Next and then click Browse
Folders. Select the certificate for the account that will be the data recovery agent.
The account used for data recovery should not be an account that is online and available
under normal circumstances. You should export the private key for the account to a .pfx file,
deleting the key during the export. Then move the key to removable media and store it in a
secure location.
NOTE CREATING A SELF-SIGNED FILE RECOVERY CERTIFICATE
If your domain does not include a CA, you can create a self-signed certificate for use as an
EFS recovery agent. To create a self-signed certificate, use the cipher.exe command. From
a command prompt, logged on as the account that will be the designated recovery agent,
use this:
Cipher /r:<filename>
This command creates two files: a .cer file and a .pfx file. The .cer file is added to the GPO
as a recovery agent, and the .pfx file should be copied to removable media and safely
stored in a secure location and then deleted from the original location.
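
The steps in this note can be scripted so that the .pfx is only deleted once the copy on removable media is confirmed intact. The PowerShell below is an added example, not part of the original text. The working folder C:\DRA, the drive letter E: and all variable names are assumptions. The last step also checks the account's certificate store for a File Recovery certificate that still has its private key, which applies when the key was exported from a CA-issued certificate as described earlier.

```powershell
# Added example; the paths below are assumptions, adjust them to your environment.
$Base      = 'C:\DRA\efs-dra'   # cipher.exe appends .cer and .pfx to this name
$Removable = 'E:\'              # removable media, assumed to be mounted as E:

# 1. Create the self-signed recovery certificate while logged on as the
#    designated recovery agent account. cipher.exe prompts for a .pfx password.
cipher /r:$Base
$pfx = "${Base}.pfx"
$cer = "${Base}.cer"
if (-not (Test-Path $pfx) -or -not (Test-Path $cer)) {
    throw 'cipher /r did not produce both the .cer and the .pfx file'
}

# 2. Copy the .pfx to removable media and compare hashes before deleting
#    the original, so a failed copy never leaves you without the key.
$dest = Join-Path $Removable (Split-Path $pfx -Leaf)
Copy-Item -Path $pfx -Destination $dest
$srcHash = (Get-FileHash -Path $pfx  -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    throw 'Copy on removable media differs from the original; .pfx left in place'
}
Remove-Item -Path $pfx -Force
Write-Host "Private key moved to $dest; add $cer to the GPO as the recovery agent."

# 3. Audit the current user's store: no certificate with the File Recovery
#    EKU (OID 1.3.6.1.4.1.311.10.3.4.1) should still hold a private key.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$online = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid)
}
if ($online) {
    $online | Format-List Subject, Thumbprint, NotAfter
    Write-Warning 'A recovery agent private key is still present in this store.'
} else {
    Write-Host 'No recovery agent private key found in Cert:\CurrentUser\My.'
}
```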