EFS Recovery Agent on NT4 domain

Valid Email

I can't find the answer to this question in any of the documentation.

Assuming I create my own EFS certs (read: homebrew certificates, no
enterprise CA present), who is the Recovery Agent(s) on a Windows
2000 machine that is a member of an NT4 domain?

I assume nobody since NT4 didn't support EFS, so therefore the only
key to decrypt the files is crucial; lose it and I'm toast. Is it
possible to create and set a Recovery Agent on the same machine? Can
I simply log in as local Administrator and create an EFS certificate
for him (before enabling EFS on a folder)?

Yes, I understand I will need to manage all of the certificates myself.

Thanks.
 
Valid Email

I have not found an answer to this problem - can I encrypt a folder on
my Windows 2000 machine that is a member of an NT4 domain? Who is the
recovery agent set to?

Thanks.
 
Steven L Umbach

You can encrypt folders on a Windows 2000 computer that is a member of an
NT4.0 domain. The recovery agent would by default be the built-in local
administrator account on the Windows 2000 computer. You can use the Efsinfo
tool to verify this. Without a domain recovery agent, your users need to be
very careful about backing up their EFS private keys or they may lose
permanent access to their EFS files. If you reinstall an operating system
without having backed up private keys, the data will be lost. Be sure to read
the link below for EFS best practices if you have not seen it yet.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
 
