When you use Active Directory to store BitLocker recovery passwords, this information is by default only readable by members of the Domain Administrators group. Adding Read permissions on the Recovery Information objects does not enable other groups to read the BitLocker recovery passwords from Active Directory, because the recovery password attribute (msFVE-RecoveryPassword) is marked confidential in the schema and ordinary Read access does not cover confidential attributes.
In order to delegate access to BitLocker Recovery Information objects in Active Directory to users who are not members of the Domain Administrators group, Full Control access must be granted to these users. This can be done by a member of the Domain Administrators group using the Delegation of Control Wizard in the Active Directory Users & Computers console (DSA.MSC).
Use the following procedure to enable access to BitLocker Recovery Information on the Domain level to a group named “BitLocker Admins” in Active Directory:
- In Active Directory Users & Computers, right-click the domain name and select Delegate Control…
- In the first dialog of the Delegation of Control Wizard, click Next
- In the Users or Groups dialog, add the group or users for delegation (e.g. BitLocker Admins) to the list and click Next
- In the Tasks to Delegate dialog, select Create a custom task to delegate and click Next.
- In the Active Directory Object Type dialog, select Only the following objects in the folder.
- In the list, select msFVE-RecoveryInformation objects and click Next
- In the Permissions dialog, select Full Control under Permissions and click Next
- Click Finish
Now members of the BitLocker Admins group who are not members of Domain Admins can read BitLocker Recovery Information in Active Directory.
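The same delegation can be scripted instead of clicked through the wizard. The following is an added example, not part of the original article, using the ActiveDirectory PowerShell module (RSAT). It assumes the group "BitLocker Admins" already exists, that the script is run as a member of Domain Admins, and that the delegation is made at the domain level as in the procedure above. It creates the ACE the wizard produces for "Only the following objects in the folder" plus "Full Control", and then lists every ACE on the domain that is scoped to msFVE-RecoveryInformation objects so the result can be reviewed.

```powershell
# Added example (not from the original article): scripted equivalent of the
# Delegation of Control Wizard steps above.
# Assumptions: RSAT ActiveDirectory module installed, run as a Domain Admin,
# and a group named "BitLocker Admins" already exists.
Import-Module ActiveDirectory

$groupName = 'BitLocker Admins'                  # group named in the article
$domainDN  = (Get-ADDomain).DistinguishedName    # delegate at the domain level

# Resolve the group's SID and the schema GUID of the msFVE-RecoveryInformation class
# (looked up from the schema rather than hard-coded).
$groupSid  = (Get-ADGroup -Identity $groupName).SID
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' `
                -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

# Build the ACE: Full Control (GenericAll), inherited by descendant objects only,
# and limited to objects of the msFVE-RecoveryInformation class.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

# Apply the ACE to the domain head.
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Review: list every ACE on the domain head that is scoped to
# msFVE-RecoveryInformation objects, so the delegation can be audited.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.InheritedObjectType -eq $classGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The final query is worth running periodically on its own: because Full Control on these objects is enough to read, change or delete recovery passwords, the list of identities holding it should stay short and match the groups you intended to delegate to.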