Wednesday, May 17, 2006

EFS Recovery Agents

Steps To Enable an EFS Recovery Agent in a Windows Server 2003 Domain
  1. Install an enterprise CA (Certification Authority) in your domain. Certificate templates, which the following steps depend on, are only available on an enterprise CA, not a stand-alone one.
  2. Open the Certificate Templates snap-in in an MMC, right-click the "EFS Recovery Agent" template and select "Duplicate Template". The Certificate Templates snap-in lists every template the CA is capable of issuing, including the built-in ones.
  3. Give the new template a suitable name (e.g. company_name EFS Recovery Agent).
  4. In the Properties of the new template, on the General tab, check the box "Publish certificate in Active Directory". On the Security tab, grant Allow for the Read and Enroll permissions to the group or user that will act as DRA.
  5. Open the Certification Authority MMC and look at the Certificate Templates folder, which lists the templates the CA currently issues. If the duplicated EFS Recovery Agent template is not there, right-click Certificate Templates, select New - "Certificate Template to Issue", and pick it; duplicating a template does not by itself make the CA issue it.
  6. Log on to a machine as the user who is going to become a DRA (Data Recovery Agent) for the domain.
  7. Open an MMC and add the "Certificates" snap-in.
  8. Right-click Personal - All Tasks - Request New Certificate.
  9. Click Next, highlight the duplicated template (e.g. company_name EFS Recovery Agent, not the built-in "EFS Recovery Agent") and click Next.
  10. Add a friendly name and description for the new certificate (e.g. username DRA Cert). Click Finish.
  11. You should see a dialog box indicating the certificate was issued successfully.
  12. Create or modify a GPO linked to the domain (the Default Domain Policy) or to an OU. Note that the EFS policy lives under Computer Configuration, so the GPO must apply to the computers on which files are encrypted; linking it to an OU that contains only user accounts has no effect. Go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, right-click the "Encrypting File System" node and select "Add Data Recovery Agent...".
  13. Click Next and then "Browse Directory". Search for the user for whom you enrolled the new EFS Recovery Agent certificate.
  14. N.B. In testing I have found that sometimes I got an error message when adding the DRA user into the GPO. The error message states "The selected user has no certificates suitable for Encrypted File System Recovery and cannot be added as a recovery agent. Select another user." Since we have published the certificate template in AD this should not occur. However, it can be worked around by exporting the DRA's certificate (only the public key is required) and using the "Browse Folders" button in the DRA wizard to select the certificate file instead of browsing for the user in AD. To export the DRA's certificate, log on as that user, open the "Certificates" snap-in, right-click the relevant certificate and select All Tasks - "Export...". Choose "No, do not export the private key" and a .cer format (DER or Base-64). The file can be saved to a file share to make life easier; because it will sit on a share and on an administrator's disk, it must never contain the private key, since anyone holding the DRA private key can decrypt every EFS file in scope. Separately, back the DRA's private key up to a password-protected PFX, store it offline, and remove it from the user profile on the workstation, so that the key capable of decrypting all protected files is not left on a domain-joined machine.
  15. After completing the wizard, run gpupdate /force on a test computer (or wait for the next policy refresh) and test the setup by having a different user encrypt data on that computer using EFS.
  16. The new DRA should be able to open that data because, when the files were encrypted, the FEK (File Encryption Key) was also encrypted with the DRA's public key and stored in the file's data recovery field alongside the copy encrypted with the user's key. Files encrypted before the policy reached the computer carry no recovery field for the new DRA until they are re-encrypted; cipher /u updates existing encrypted files with the current user and recovery agent keys.
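The following PowerShell script is an added example, not part of the original post, that checks the result of the procedure above from the DRA's logon: it locates the DRA certificate by its File Recovery EKU rather than by friendly name, writes a public-key-only .cer for the "Browse Folders" workaround in step 14, encrypts a throwaway file, and confirms that the file's recovery field lists the DRA's thumbprint. The paths, the test file content and the Get-/Export-/Test- function names are assumptions; cipher.exe /c is available on Windows Vista / Server 2008 and later, while on Server 2003 efsinfo /r from the Resource Kit gives the same information.

```powershell
# Added example (not the original post's code). Assumed paths; run as the DRA user
# on a domain-joined computer to which the EFS GPO has been applied.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU carried by EFS DRA certificates
$ExportPath      = 'C:\Temp\dra-public.cer'     # assumed: public-certificate-only export for the GPO wizard
$TestFile        = 'C:\Temp\efs-test.txt'       # assumed: throwaway file used to verify the recovery field

function Get-DraCertificate {
    # Select by EKU, not by friendly name: a user may hold several certificates
    # (EFS user cert, smart card, e-mail) and only the DRA one carries File Recovery.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $FileRecoveryEku)
    }
}

function Export-DraPublicCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path) {
    # X509ContentType::Cert serialises only the certificate (public key). The private key
    # cannot leak through this call, which is the property step 14 relies on.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    Get-Item -Path $Path
}

function Test-FileHasRecoveryAgent([string]$Path, [string]$Thumbprint) {
    # cipher /c prints each recovery certificate's thumbprint as space-separated groups of
    # four hex digits; strip whitespace and compare case-insensitively against the cert's thumbprint.
    $output = (& cipher.exe /c $Path 2>&1) | Out-String
    $normalized = ($output -replace '\s', '').ToUpperInvariant()
    return $normalized.Contains($Thumbprint.ToUpperInvariant())
}

# 1. Exactly one DRA certificate should be present; more than one usually means a stale
#    enrollment, and the GPO must reference the one whose private key is backed up.
$candidates = @(Get-DraCertificate)
if ($candidates.Count -ne 1) {
    throw "Expected exactly one File Recovery certificate in Cert:\CurrentUser\My, found $($candidates.Count)."
}
$dra = $candidates[0]
Write-Host "DRA certificate: $($dra.Subject), thumbprint $($dra.Thumbprint)"
if (-not $dra.HasPrivateKey) {
    # Expected state after the private key has been exported to PFX and removed from the
    # profile; recovery would then be done from the offline copy, not from this machine.
    Write-Warning 'No private key in this profile: this logon can supply the public cert but cannot recover files.'
}

# 2. Public-key-only export for the "Browse Folders" workaround in step 14.
$cer = Export-DraPublicCertificate -Cert $dra -Path $ExportPath
Write-Host "Wrote $($cer.FullName) ($($cer.Length) bytes, certificate only)"

# 3. Encrypt a constructed test file and confirm the DRA's DRF was written.
#    In a real test do this as a different user on another computer (step 15).
Set-Content -Path $TestFile -Value 'constructed test content, safe to delete'
[System.IO.File]::Encrypt($TestFile)
if (Test-FileHasRecoveryAgent -Path $TestFile -Thumbprint $dra.Thumbprint) {
    Write-Host 'OK: the file lists the DRA as a recovery agent.'
} else {
    # Typical causes: the GPO has not reached this computer yet (gpupdate /force), or the
    # GPO was built from a different certificate than the one in this profile.
    Write-Warning 'The DRA is not listed in the file recovery field; check policy application.'
}
# Files encrypted before the policy applied stay without this DRF until re-encrypted:
# cipher /u walks local encrypted files and refreshes the user and recovery agent keys.
```

The script is deliberately read-only apart from the .cer export and the throwaway test file; it never touches the private key, so running it from a shared admin workstation does not widen who can recover files.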
