Microsoft small business knowledge base

Article ID: 257705 - Last Review: October 20, 2013 - Revision: 3.2

This article was previously published under Q257705
This article has been archived. It is offered "as is" and will no longer be updated.

This article describes how to reinitialize the local recovery policy on a Windows 2000-based computer. This process does not reinitialize a domain recovery policy. For Windows 2000-based domain members, the local recovery policy is superseded by the domain recovery policy.

Encrypting File System (EFS) provides built-in data recovery by requiring that a recovery policy be in place before any file can be encrypted. The recovery policy designates one or more accounts as recovery agents, whose keys can decrypt any file encrypted under that policy. When an administrator logs on to the computer for the first time, a default recovery policy is created automatically, and that administrator account becomes the recovery agent.

The local recovery policy contains the EFS Recovery certificate for the recovery agent. As long as the policy is populated with this certificate, users can encrypt files. Note, however, that the policy holds only the certificate (the public key); the matching private key is stored in the recovery agent's user profile, so it is possible to lose it (if the user profile is deleted, for example) while the certificate remains in the policy. If this occurs, the recovery agent can no longer recover any file encrypted under that certificate, even though users can still encrypt new files without any error.

Stand-alone (workgroup) computers are the most exposed to this, because the local policy is their only recovery policy. Computers that are members of a domain inherit their recovery policy from the domain, and the domain recovery agent's key is not tied to a local profile.

Reinitializing the Recovery Policy

  1. Log on to Windows 2000 by using the Recovery Agent account.
  2. Open Local Security Policy from the Administrative Tools folder. This is a Microsoft Management Console (MMC) snap-in.
  3. Open the Public Key Policies folder, and then click the Encrypted Data Recovery Policy (EDRP) folder.
  4. Delete the recovery certificate in the policy, and then quit the snap-in.
  5. Start MMC, and then add the Certificates snap-in to the current user account.
  6. Open the Personal store, and then delete the recovery certificate. This certificate has the same user name in the Issued To and Issued By columns, and contains the value "File Recovery" in the Intended Purposes column.
  7. Quit MMC.
  8. At a command prompt, type the following lines, pressing ENTER after you type each line:
    regsvr32 -u sclgntfy.dll
    regsvr32 sclgntfy.dll
  9. Log off and log on again using the Recovery Agent account. A new certificate and private key are created for that account and the new certificate is placed in the local recovery policy. Newly encrypted files are recoverable by this user. Existing encrypted files become recoverable when they are opened and then closed by the owner of the file, because that is when the file's recovery information is rewritten against the current policy.
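The following check is an added example and is not part of this article; Windows 2000 has no PowerShell, so it targets Windows PowerShell 3.0 or later on a current Windows version, where the EFS recovery certificate and private key are handled exactly as described above (the Certificates snap-in in steps 5 and 6 is the Windows 2000 equivalent). It locates the recovery agent certificate in the current user's Personal store using the same criteria step 6 gives (Issued To equals Issued By, and the "File Recovery" intended purpose, enhanced key usage OID 1.3.6.1.4.1.311.10.3.4.1), and reports whether the private key is still present in this profile. The `Cert:` drive, the .NET certificate types and the OID are real; the function and variable names are this example's own.

```powershell
# Added example (not from the KB article): find the EFS recovery agent
# certificate of the logged-on account and verify its private key exists.
# Run as the recovery agent account, the same account used in step 1.

# Enhanced key usage OID that the Certificates snap-in shows as "File Recovery".
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryAgentCertificate {
    # Personal store of the current user (Issued To = Subject, Issued By = Issuer).
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.Subject -eq $_.Issuer -and
            ($_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $FileRecoveryOid })
        }
}

function Test-EfsRecoveryAgentKey {
    # Returns $true only if every File Recovery certificate in the profile
    # still has its private key; $false reproduces the failure mode the
    # article describes (certificate present in policy, key gone from profile).
    $certs = @(Get-EfsRecoveryAgentCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning 'No File Recovery certificate in Cert:\CurrentUser\My; this account is not an EFS recovery agent, or the certificate was already deleted (step 6).'
        return $false
    }
    $allKeysPresent = $true
    foreach ($c in $certs) {
        # HasPrivateKey is false when the certificate survives but the key
        # material in the user profile does not.
        $state = if ($c.HasPrivateKey) { 'private key present' } else { 'PRIVATE KEY MISSING' }
        Write-Host ('{0}  {1}  expires {2:yyyy-MM-dd}  {3}' -f $c.Thumbprint, $c.Subject, $c.NotAfter, $state)
        if (-not $c.HasPrivateKey) { $allKeysPresent = $false }
    }
    return $allKeysPresent
}

if (-not (Test-EfsRecoveryAgentKey)) {
    Write-Warning 'This recovery agent cannot decrypt files encrypted under the current policy; reinitialize the recovery policy as described in the steps above.'
}
```

Run the script before you rely on the recovery agent, and again after step 9 to confirm that the new certificate shows "private key present". Report lines go to the host rather than the pipeline so that the function's boolean result stays usable in an `if`.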

Applies to

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition