Using Encrypted File System in Production
Windows 2000 expert Bill Boswell continues his discussion of Encrypted File System.
In this article, we'll talk about using EFS in production.
I've listed a typical set of steps that you would take to deploy EFS in your organization. Under normal circumstances, you would not want users saving files at their local desktops, so this discussion focuses on laptops.
When a Windows 2000 computer is joined to a domain, it downloads any Group Policies linked to the domain and to OUs that contain the computer object in Active Directory.
By joining the laptop to a domain, you ensure that a single set of data recovery agents (specified in Encrypted Data Recovery Agent policies linked to the domain and OUs) can recover encrypted files in your domain. Without this policy, each laptop would have its own DRA, the local Admin account. Files encrypted on laptops that use a local DRA should not be considered secure.