[unisog] Windows Encrypted File System (EFS)

Gaddis, Jeremy L. jeremy at linuxwiz.net
Fri Feb 10 22:43:24 GMT 2006

Reg Quinton wrote:
> In theory yes, in practice no. The default configuration has the 
> Administrator account as a key recovery agent. See the "User Beware" section 
> in our discussion of EFS here:

That's not true for Windows XP and/or Windows Server 2003 -- in this 
case, there is no default recovery agent.  Users can encrypt files with 
just their own EFS certificates and no recovery certificates are needed 
or generated.  This eliminates the need to export and delete the 
Administrator's EFS private key on stand-alone computers, but it also 
prevents recoverability by default.

If the machine is a member of an Active Directory domain, then GPOs can 
be used to add data recovery agents.


Jeremy L. Gaddis, GCWN, Linux+, Network+

More information about the unisog mailing list