When you use Active Directory to store BitLocker recovery passwords, by default this information is only available to members of the Domain Administrators group. Adding Read permissions on the Recovery Information objects does not enable other groups to read the BitLocker recovery passwords from Active Directory.
When Windows stores BitLocker recovery information in Active Directory, it stores confidential information in the directory as clear text. At the time Microsoft developed Active Directory, the only way to hide information from member users in AD was to encrypt that information. To hide the BitLocker recovery passwords from ‘ordinary’ users in AD, Microsoft introduced a new feature in Active Directory: with Service Pack 1 for Windows Server 2003, Microsoft added the ‘confidentiality bit’ to the searchFlags attribute in the Active Directory schema. All objects created with the confidentiality bit set to 1 are only available to users who have Full Control access to that object; these objects are hidden from other users in Active Directory.

BitLocker stores objects of the type msFVE-RecoveryInformation in Active Directory with the confidentiality bit set to 1. This way, these objects only show for users who have Full Control access to them. By default, Domain Administrators have Full Control access to all objects in Active Directory.
In order to delegate access to BitLocker Recovery Information objects in Active Directory to users who are not members of the Domain Administrators group, Full Control access must be granted to these users. This can be done by a member of the Domain Administrators group using the Delegation of Control Wizard in the Active Directory Users & Computers console (DSA.MSC).
Use the following procedure to enable access to BitLocker Recovery Information on the Domain level to a group named “BitLocker Admins” in Active Directory:
- In Active Directory Users & Computers, right-click the domain name and select Delegate Control…
- In the first dialog of the Delegation of Control Wizard, click Next
- In the Users or Groups dialog, add the group or users for delegation (i.e. BitLocker Admins) to the list and click Next
- In the Tasks to Delegate dialog, select Create a custom task to delegate and click Next
- In the Active Directory Object Type dialog, select Only the following objects in the folder.
- In the list select msFVE-RecoveryInformation objects and click Next
Now members of the BitLocker Admins group who are not members of Domain Admins can read BitLocker Recovery Information in Active Directory.
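The same delegation scripted with PowerShell, so it can be repeated and its result audited (an added example, not code from the original article). It assumes the RSAT ActiveDirectory module, the article's example group name "BitLocker Admins", and that the ACL change runs as a Domain Admin; the final query is meant to be run as a member of the delegated group to confirm the recovery password is now readable.

```powershell
# Added example: grant "BitLocker Admins" Full Control over all
# msFVE-RecoveryInformation objects below the domain root, the same scope the
# Delegation of Control Wizard produces when run on the domain name.
Import-Module ActiveDirectory

$groupName = 'BitLocker Admins'                    # assumed group name from the article
$domainDN  = (Get-ADDomain).DistinguishedName
$groupSid  = (Get-ADGroup -Identity $groupName).SID

# Resolve the schemaIDGUID of the msFVE-RecoveryInformation class so the ACE
# applies only to objects of that class, not to every object in the domain.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNC `
               -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' `
               -Properties schemaIDGUID
$classGuid = New-Object System.Guid -ArgumentList (,[byte[]]$classObj.schemaIDGUID)

# Full Control (GenericAll) is required: Read alone does not expose the
# confidential msFVE-RecoveryPassword attribute, as the article explains.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Audit: show the ACE that was just written on the domain root.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and
                   $_.InheritedObjectType -eq $classGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType

# Verification, run as a member of BitLocker Admins (not Domain Admins):
# the recovery password is now returned; before the delegation it is not.
Get-ADObject -SearchBase $domainDN -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
             -Properties msFVE-RecoveryPassword |
    Select-Object -First 1 Name, msFVE-RecoveryPassword
```

Because this grants clear-text access to every recovery password in the domain, keep the delegated group's membership small and review the ACE output above when auditing the domain.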