A data recovery agent (DRA) is a Microsoft Windows user account that holds a private key able to decrypt data encrypted by other users, most commonly files protected by the Encrypting File System (EFS). Assigning DRA rights to an approved individual gives an IT department a way to unlock encrypted data in an emergency, for example when an employee leaves, a user's profile is deleted or a user's own EFS key is lost.
Data Recovery Agents can be defined at the domain, site, organizational unit or local machine level. In a small to mid-sized business, the network administrator is often the designated DRA.
In very simple terms, here is how it works: EFS encrypts each file with a randomly generated symmetric file encryption key (FEK). The FEK is then encrypted with the public key from the user's own EFS certificate and stored alongside the file in the data decryption field (DDF); only that user's private key can unwrap it, so by default users can decrypt only the content they have encrypted themselves and no one else's. When a recovery policy is in force, EFS also encrypts the same FEK with the public key from each recovery agent's certificate and stores those copies in the file's data recovery field (DRF). The DRA's private key can therefore unwrap the FEK of any file that carries a DRF for it, whoever created the file. The administrator uses Group Policy in Active Directory (or the local security policy on a standalone machine) to distribute only the public half of the DRA certificate; the DRA's private key should be exported and kept offline, because anyone who obtains it can read every file the policy covers.
In Windows 2000, the Administrator account is the default DRA (the local Administrator on a standalone machine, the domain Administrator created on the first domain controller in a domain). In Windows XP Professional, Windows 7, Windows Server 2003 and Windows Server 2008 R2, a standalone computer has no default DRA. Instead, the administrator must generate a recovery agent certificate, for example with cipher /r:filename, which writes a .cer file holding the public key and a .pfx file holding the private key, and add the .cer to the EFS recovery policy. A DRA can only decrypt files whose DRF was written with its certificate: if a file was encrypted before the recovery agent certificate existed, or before the policy reached that machine, the file carries no DRF for the agent and the DRA cannot decrypt it. The remedy is for the file's owner, who can still open it, to run cipher /u, which rewrites the recovery fields of every encrypted file that user can decrypt to match the current policy; cipher /c filename lists the users and recovery agents able to decrypt a given file, which is the quickest way to confirm the agent is actually covered.
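The key structure described above, as an added example that is not part of the original page and is not Microsoft's EFS code: a Go model in which a file's FEK is wrapped once for the owner (DDF) and once per recovery agent (DRF). The type and function names (EncryptedFile, Encrypt, Recover, UpdateRecoveryFields) and the sample content are assumptions made for this example, and the real on-disk format differs, but the model reproduces the caveat in the last paragraph: a file encrypted before the recovery certificate existed has no DRF, and re-wrapping the FEK with the owner's key, which is what cipher /u does, is what makes it recoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile models what EFS keeps per file: ciphertext plus the file
// encryption key (FEK) wrapped for the owner (DDF) and for each DRA (DRF).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	DDF               []byte   // FEK wrapped with the owner's public key
	DRF               [][]byte // FEK wrapped with each recovery agent's public key
}

// wrapFEK and unwrapFEK stand in for EFS using the RSA key in a certificate.
func wrapFEK(fek []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}
func unwrapFEK(w []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// rewrapDRF replaces the recovery fields with the FEK wrapped for every agent
// in the given policy; the file contents are not touched.
func (f *EncryptedFile) rewrapDRF(fek []byte, policy []*rsa.PublicKey) error {
	f.DRF = nil
	for _, dra := range policy {
		w, err := wrapFEK(fek, dra)
		if err != nil {
			return err
		}
		f.DRF = append(f.DRF, w)
	}
	return nil
}

// Encrypt draws a fresh FEK, encrypts the content with it and wraps the FEK
// for the owner and for every DRA in the recovery policy at this moment.
func Encrypt(plain []byte, owner *rsa.PublicKey, policy []*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // AES-256 FEK (the EFS default since XP SP1) plus a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	ddf, err := wrapFEK(fek, owner)
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil), DDF: ddf}
	return f, f.rewrapDRF(fek, policy)
}

// Recover is the DRA path: a file encrypted before the agent entered the
// policy carries no DRF for it, so the agent's private key opens nothing.
func Recover(f *EncryptedFile, dra *rsa.PrivateKey) ([]byte, error) {
	for _, w := range f.DRF {
		if fek, err := unwrapFEK(w, dra); err == nil {
			gcm, err := newGCM(fek)
			if err != nil {
				return nil, err
			}
			return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
		}
	}
	return nil, errors.New("no recovery field for this agent: file predates the recovery policy")
}

// UpdateRecoveryFields is what cipher /u does: the owner's private key unwraps
// the FEK from the DDF and the FEK is re-wrapped for the current policy.
func UpdateRecoveryFields(f *EncryptedFile, owner *rsa.PrivateKey, policy []*rsa.PublicKey) error {
	fek, err := unwrapFEK(f.DDF, owner)
	if err != nil {
		return err
	}
	return f.rewrapDRF(fek, policy)
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	dra, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := Encrypt([]byte("constructed sample: payroll.xlsx"), &user.PublicKey, nil) // no DRA yet
	_, err := Recover(f, dra)
	fmt.Println("before cipher /u:", err)
	_ = UpdateRecoveryFields(f, user, []*rsa.PublicKey{&dra.PublicKey})
	out, _ := Recover(f, dra)
	fmt.Printf("after cipher /u: DRA recovered %q\n", out)
}
```

Two properties of the model carry over to the real system: the DRA never sees the owner's private key, only a second wrapped copy of the per-file FEK, and an attacker who steals the DRA's private key gets exactly the same reach as the agent, which is why the .pfx produced by cipher /r should not stay on a workstation.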