EFS Best Practices
Windows 2000 expert Bill Boswell provides an invaluable list of best practices for deploying and managing encrypted files with the Encrypting File System.
The company that I work for, trainAbility, has developed a set of recommended best practices for deploying and managing encrypted files. They're discussed in this article.
Disable EFS Until You Are Ready to Deploy It
When you've opened the Pandora's box of file encryption in your domain, it's nearly impossible to put a stop to it. Until you have a solid plan and set of policies in place for handling encrypted files, you should disable file encryption throughout the domain.
When disabling EFS, be sure that you export the Administrator certificate from the Encrypted Data Recovery Agent policy before removing it. If you neglect to do this, you must install a Certificate Authority to issue a new key pair, and all files encrypted before that time will not have a DRA.
Also, when removing the Administrator certificate, be careful not to delete the entire policy. This permits users to encrypt files on their local machines using the local Admin account as DRA.