EFS also incorporates a sanctioned "back door" permitting authorized individuals, called data recovery agents (DRAs), to recover files if the encrypting user dies or leaves the company, or just gets stubborn and refuses to open the file. This is not a weakness in the cipher itself: the file encryption key (FEK) for each encrypted file is additionally encrypted with the DRA's public key and stored alongside the copy encrypted for the user, so the DRA can recover the FEK with its own private key without ever knowing the user's. The default DRA in a domain is the domain's built-in Administrator account.
The DRA's public key, in the form of a file recovery certificate, is stored in the Encrypted Data Recovery Agents policy (under Computer Configuration, Windows Settings, Security Settings, Public Key Policies) of a Group Policy object linked to the Domain container. Member computers receive this policy when they start up and authenticate to the domain, and apply it as computer policy. If the data recovery Group Policy is defined but contains no recovery agent certificate, then EFS is disabled throughout the domain; on Windows 2000 this is the way to switch EFS off domain-wide. (Windows XP and later behave differently and keep EFS enabled with an empty recovery policy.) The flip side is that whoever holds the DRA's private key can decrypt every EFS file in the domain, so that key should be exported to removable media and removed from the domain controller rather than left sitting in the Administrator's profile.
For a standalone server, the DRA is the local Administrator account. For a standalone Windows 2000 Professional desktop, the DRA is likewise the local Administrator account. The file recovery certificate for the local DRA is stored in the local security policy database. If no certificate is present, encryption is disabled on a standalone computer. Because the recovery policy is a computer-side policy, domain member computers always use the domain DRA certificate, even if the user logged on using local rather than domain credentials.
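When auditing which recovery agent is actually in force on a machine, it helps to read back the certificates the computer has received rather than trusting the policy editor. The following PowerShell script is an added example, not code from the original text, and it assumes two things: that a copy of the policy-delivered recovery certificates is cached under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS (the Group Policy copy that wins on a domain member) and that the standalone/local copy lives under HKLM\SOFTWARE\Microsoft\SystemCertificates\EFS, and that each registry "Blob" value is the usual certificate-store property encoding in which property 32 carries the DER certificate. It needs a host with PowerShell, so it is for checking this behaviour on later Windows versions that still store the policy the same way, not on a bare Windows 2000 box.

```powershell
# Added example: enumerate the EFS data recovery agent certificates a computer
# has received and report whether any recovery agent is in force at all.
# ASSUMPTION: these two registry keys are where Windows caches the recovery
# policy (Group Policy copy vs. local policy copy). Adjust if your build differs.
$sources = [ordered]@{
    'Domain Group Policy'   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    'Local security policy' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\EFS\Certificates'
}

# ASSUMPTION: a "Blob" value is a sequence of properties, each laid out as
# [PropId:4 bytes][Reserved:4 bytes][Length:4 bytes][Data:Length bytes].
# Property ID 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
function Get-CertFromBlob([byte[]]$blob) {
    $pos = 0
    while ($pos + 12 -le $blob.Length) {
        $propId = [BitConverter]::ToUInt32($blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($blob, $pos + 8)
        if ($len -le 0 -or $pos + 12 + $len -gt $blob.Length) { return $null }
        if ($propId -eq 32) {
            $der = $blob[($pos + 12)..($pos + 11 + $len)]
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [byte[]]$der)
        }
        $pos += 12 + $len
    }
    return $null
}

# Returns one record per recovery certificate found, with its source.
function Get-EfsRecoveryAgent {
    foreach ($name in $sources.Keys) {
        $key = $sources[$name]
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $blob = (Get-ItemProperty -Path $entry.PSPath).Blob
            if (-not $blob) { continue }
            $cert = Get-CertFromBlob $blob
            if ($null -eq $cert) { continue }
            [pscustomobject]@{
                Source     = $name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

$agents = @(Get-EfsRecoveryAgent)
$agents | Format-Table -AutoSize

# The domain copy, when present, is the one a domain member honours regardless
# of whether the user logged on with local or domain credentials.
if ($agents | Where-Object Source -eq 'Domain Group Policy') {
    Write-Host 'Domain recovery policy is in force; local DRA certificate (if any) is ignored.'
} elseif ($agents.Count -gt 0) {
    Write-Host 'Only a local recovery agent is in force (standalone behaviour).'
} else {
    Write-Warning 'No recovery agent certificate received. On Windows 2000 an empty recovery policy disables EFS.'
}

# An expired DRA certificate still decrypts files whose FEK was protected with
# it, but files encrypted after expiry will not be recoverable by that agent.
$agents | Where-Object Expired | ForEach-Object {
    Write-Warning ("Recovery certificate {0} ({1}) has expired." -f $_.Thumbprint, $_.Subject)
}
```

Run it in an elevated PowerShell session on a domain member and on a standalone machine and compare the output: on the member you should see only the domain Administrator's recovery certificate listed, which is the behaviour described above. If the domain key exists but holds no certificate subkeys, that is the empty-policy case that switches EFS off on Windows 2000.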