How to delegate access to BitLocker Recovery information in Active Directory


Symptoms

When you use Active Directory to store BitLocker Recovery passwords, this information by default is only available for members of the Domain Administrators group. Adding Read permissions to the Recovery Information objects does not enable other groups to read the BitLocker recovery passwords from Active Directory.

Cause

When Windows stores BitLocker Recovery information in Active Directory, it stores confidential information in the directory as clear text. At the time Active Directory was developed by Microsoft, the only way to hide information from member users in AD was to encrypt it. To hide the BitLocker Recovery Passwords from ‘ordinary’ users in AD, Microsoft introduced a new feature in Active Directory: with Service Pack 1 for Windows Server 2003, Microsoft added the ‘confidentiality bit’ to the searchFlags attribute in the Active Directory Schema. Objects created with the confidentiality bit set to 1 are only available to users who have Full Control access to that object; they are hidden from other users in Active Directory.

BitLocker stores objects of the type msFVE-RecoveryInformation in Active Directory with the confidentiality bit set to 1, so these objects are only visible to users who have Full Control access to them. By default, Domain Administrators have Full Control access to all objects in Active Directory.

Resolution

To delegate access to BitLocker Recovery Information objects in Active Directory to users who are not members of the Domain Administrators group, those users must be granted Full Control access to the objects. A member of the Domain Administrators group can do this with the Delegation of Control Wizard in the Active Directory Users & Computers console (DSA.MSC).

Use the following procedure to enable access to BitLocker Recovery Information on the Domain level to a group named “BitLocker Admins” in Active Directory:

  1. In Active Directory Users & Computers, right click the domain name and select Delegate Control…
  2. In the first dialog of the Delegation of Control Wizard, click Next
  3. In the Users or Groups dialog, add the group or users for delegation (i.e. BitLocker Admins) to the list and click Next
  4. In the Tasks to Delegate dialog, select Create a custom task to delegate and click Next
  5. In the Active Directory Object Type dialog, select Only the following objects in the folder
  6. In the list, select msFVE-RecoveryInformation objects and click Next
  7. In the Permissions dialog, select Full Control under Permissions and click Next
  8. Click Finish
  9. Members of the BitLocker Admins group who are not members of Domain Admins can now read BitLocker Recovery Information in Active Directory.
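The same delegation the wizard performs, scripted with the RSAT ActiveDirectory module as an added example (not code from the original post). It assumes a Domain Admins session, a group named “BitLocker Admins”, and that the `AD:` PowerShell drive is available; the verification at the end is meant to be run afterwards as a member of the delegated group.

```powershell
# Added example: grant Full Control on msFVE-RecoveryInformation objects at
# the domain level to a delegated group, then verify the objects are readable.
Import-Module ActiveDirectory

$groupName = 'BitLocker Admins'                  # assumption: group from the post
$domainDN  = (Get-ADDomain).DistinguishedName

# Resolve the delegated group's SID.
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Look up the schemaIDGUID of the msFVE-RecoveryInformation class so the ACE
# applies only to objects of that class (the wizard's "Only the following
# objects in the folder" option).
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' `
    -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

# Build an inherited Allow ACE: GenericAll (Full Control) on descendant
# msFVE-RecoveryInformation objects under the domain root.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verification (run as a member of the delegated group): for each recovery
# object, report whether msFVE-RecoveryPassword came back, without printing it.
Get-ADObject -SearchBase $domainDN `
    -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -Properties msFVE-RecoveryPassword |
    Select-Object DistinguishedName,
        @{ n = 'PasswordReadable'; e = { $null -ne $_.'msFVE-RecoveryPassword' } }
```

Before the delegation, the verification query returns no objects at all for a non-administrator, because the confidentiality bit hides the objects rather than just the attribute.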

More information

How to mark an attribute as confidential in Windows Server 2003 Service Pack 1


5 Responses to How to delegate access to BitLocker Recovery information in Active Directory

    1. Saiba says:

      it is NOT true that you need Full Access to access the recovery information.
      See http://blogs.technet.com/b/craigf/archive/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information.aspx for more information

      • rayc25 says:

        Saiba, thank you for the link. This information is very recent and the first public documentation about delegation of BitLocker Recovery information by Microsoft I have seen.

        As you can see in the article the required ACE can only be set using LDP.exe. I will update the blog shortly with the updated information.

        • Joe says:

          Is the DSA.MSC method with full access valid? Do you know how to use LDP.exe to set up this delegated access?

          Thanks,

