Types of Recovery Policies

Administrators can define one of three kinds of policies: no recovery policy, empty recovery policy, or recovery-agent policy with one or more recovery agents.

No recovery policy When an administrator deletes the recovery policy on the first domain controller, a no recovery policy at the domain level is in effect. Because there is no domain recovery policy, the default local policy on individual computers is used for data recovery. This means that local administrators control the recovery of data on their computers.

Empty recovery policy When an administrator deletes all recovery agents and their public-key certificates, an empty recovery policy is in effect. An empty recovery policy means that no one is a recovery agent, and that users cannot encrypt data on computers within the scope of influence of the recovery policy. The effect of an empty recovery policy is to turn off EFS altogether.

Recovery-agent policy When an administrator adds one or more recovery agents, a recovery-agent policy is in effect. These agents are responsible for recovering any encrypted data within their scope of administration. This is the most common type of recovery policy.

There are a variety of recovery options available. Table 8.8 summarizes them.

TABLE 8.8 Effect of Recovery Policies

Recovery Policy


Recovery Agent


Empty recovery

EFS cannot

There is no

You will have to


be used.

recovery agent.

delete every

recovery agent.

No recovery

EFS is available

The default

You can delete

policy at the

on a local

recovery agent

the recovery

domain level


is set to the

policy on first

administrator of


local computer.


Recovery policy

EFS is available

The default

This is the

is configured


recovery agent

default configu-

with desig-

is set to the

ration in a

nated recovery






Because the Windows 2000 security subsystem handles enforcing, replicating, and caching of the recovery policy, users can implement file encryption on a system that is temporarily offline, such as a portable computer (this process is similar to logging on to their domain account using cached credentials).

Computer Hard Drive Data Recovery

Computer Hard Drive Data Recovery

Learn How To Recover Your Hard Drive Data After A Computer Failure.

Get My Free Ebook

Post a comment