To add a recovery agent for a domain


1. Open Active Directory Users and Computers.

2. Right-click the domain whose recovery policy you want to change, and then click Properties.

3. Click the Group Policy tab.

4. Right-click the recovery policy you want to change, and then click Edit.

5. In the console tree, click Encrypted Data Recovery Agents.

   Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypted Data Recovery Agents

6. In the details pane, right-click, then click Add, and follow the instructions.


You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure. 

To start Active Directory Users and Computers, open a Remote Desktop Connection to either a Windows 2000 domain controller or a member server that has Windows 2000 Administration Tools installed. You must log on to the server as a domain administrator in order to complete this procedure.

This operation can be performed on any sites, domains or organizational units within an Active Directory forest.

Adding a recovery agent from a file identifies the user as USER_UNKNOWN. This is because the name is not stored in the file.

Before you can add or create a recovery agent, you must configure Group Policy on your computer. For more information about using Group Policy, see Related Topics.
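Because a recovery agent added from a file appears as USER_UNKNOWN, the certificate has to be identified by its own fields before it is imported. The following PowerShell sketch is an added example, not part of the original help topic: it reports the subject, thumbprint, validity and File Recovery key usage of a certificate. The function name Test-RecoveryAgentCertificate is hypothetical, the sample certificate is constructed in memory, and the script assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example. The function name is hypothetical; the sample certificate is constructed.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage
$EkuExtensionOid = '2.5.29.37'                  # X.509 extendedKeyUsage extension

function Test-RecoveryAgentCertificate {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Collect the enhanced key usage OIDs, if the certificate has that extension at all.
    $usages = @()
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if ($ext) {
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
        $usages = @(foreach ($oid in $eku.EnhancedKeyUsages) { $oid.Value })
    }
    $now = Get-Date
    [pscustomobject]@{
        Subject         = $Certificate.Subject      # compare with the intended agent
        Thumbprint      = $Certificate.Thumbprint   # record this alongside the policy change
        NotAfter        = $Certificate.NotAfter
        HasFileRecovery = $usages -contains $FileRecoveryOid
        CurrentlyValid  = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        HasPrivateKey   = $Certificate.HasPrivateKey  # a public-only .cer file carries no private key
    }
}

# Constructed sample: a self-signed certificate carrying the File Recovery usage.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Recovery Agent', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$oids = [System.Security.Cryptography.OidCollection]::new()
[void]$oids.Add([System.Security.Cryptography.Oid]::new($FileRecoveryOid))
$req.CertificateExtensions.Add(
    [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))
$signed = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))

# Keep only the public part, as an exported .cer file would contain. For a real file,
# load it with [X509Certificate2]::new('<path-to-agent.cer>') (placeholder path).
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $signed.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Test-RecoveryAgentCertificate -Certificate $cer | Format-List
```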

Related Topics

Recovering data

Encrypting File System overview

Decrypt a file or folder

Encrypt a file or folder

