EFS recovery agent

[Guest]

My laptop is part of domain. Can I specify the local administrator be the
data recovery agent for my EFS ?

if yes, how to set it ?

if yes, does that mean while travelling I can login as local admin as access
the EFS files encrypted while I was on my office LAN logged in with my domain
ID

 

[Steven L Umbach]

If one is not specified at the domain level then the local administrator
will automatically be RA when you encrypt a file on Windows 2000 assuming
domain policy allows EFS use. If an RA is specified at the domain level then
you will not be able to specify one in Local Security Policy that will work.
FYI in Windows 2000 using the local administrator as a RA can be a security
risk because if a malicious user can access your computer he can use a
utility to change the built in administrator password and then logon as the
built in administrator to access any EFS files on the computer unless the RA
private key had been exported/deleted.

Steve