To add a recovery agent for a domain
1. Open Active Directory Users and Computers.
2. Right-click the domain whose recovery policy you want to change, and then click Properties.
3. Click the Group Policy tab.
4. Right-click the recovery policy you want to change, and then click Edit.
5. In the console tree, click Encrypted Data Recovery Agents.
   Location: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypted Data Recovery Agents
6. In the details pane, right-click, then click Add, and follow the instructions.
You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
To start Active Directory Users and Computers, open a Remote Desktop Connection to either a Windows 2000 domain controller or a member server that has Windows 2000 Administration Tools installed. You must log on to the server as a domain administrator in order to complete this procedure.
This operation can be performed on any sites, domains or organizational units within an Active Directory forest.
Adding a recovery agent from a file identifies the user as USER_UNKNOWN. This is because the name is not stored in the file.
Before you can add or create a recovery agent, you must configure Group Policy on your computer. For more information about using Group Policy, see Related Topics.