Windows 2000 computers need to have a Recovery Agent and you apparently have
Group Policy applying to those computers with an empty Recovery Agent list.
The policy setting is discussed in the first KB link below. You would need
to import a .cer file for a Recover Agent into that list. The Recovery
Agent is usually the built in administrator account for the domain and the
RA certificate/private key would by default be on the first domain
controller installed in the domain which often is the pdc fsmo. You can use
the mmc snapin for certificates for user to view and import or export
certificates for the user. If you do find the RA make sure that the
certificate shows that "you have the private key" for this certificate and I
would export the certificate/private key to a password protected file .pfx
file for safe keeping in a couple of places to external media. If the
computer that contains the RA certificate/private key is not physically
secured consider deleting the private key after export option as that RA
certificate/private key can then decrypt any EFS files in the domain on
domain computers that it is RA for. If you can not find the RA you can use a
Certificate Server to request a new RA certificate/private key if you are
using one or use the cipher command on an XP Pro computer to create an RA
certificate/private key. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;222022&sd=tech
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
best practices.
