In Notes 4.x, the Escrow Agent allows the administrator to have copies of user ID's, server ID's, and certifier ID's copied to a database automatically whenever you register someone, a server or create a certifier. It also stores the password (encrypted) in the document as well.
1) Create a new person called "ID Repository" or something more descriptive.
2) Modify the NAB person document (ID Repository) "user name" field and append "Escrow Agent" to the field.
3) Restart the server.
4) Set the "ID Repository" mail file to have multiple passwords (so two administrators need to be present to open the mail file).
5) When you create user ID's, be sure to set the password to something obnoxious to type in (not something obvious like "password" so the user will change it.
6) Remind the user that if they create new encryption keys, they should give you back a copy of their ID file with a known password if they want a backup made because the escrowed ID will not have these new keys.