This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Good Day,
i have applied the Delegate Access on a specific group in my AD but it is not affecting the users permission even if i apply on a specific user.
purpose that i want the support team to be able to only see the BitLocker Key stored in the AD, which is pulled by a GPO from the client side.
msFVE-RecoveryInformation objects with Full Control Permissions.
Could anyone support?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 80%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
@Bernard Rizkallah Are you finding a solution? The info in the links being posted here look outdated and incorrect for current versions of Windows Server.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have written an article about an alternate way of delegating access that I prefer: https://www.experts-exchange.com/articles/33769/Delegation-of-access-to-Bitlocker-Recovery-Passwords-this-way-please.html
Please try that.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
You can follow the link below , to delegate a group to read biloker attributs :
Delegate Access to BitLocker Recovery Keys in Active Directory
How to Delegate BitLocker Recovery Information in AD (properly) - Step by Ste
In DSA.msc GUI , ask support team to click on advanced Features and go to Attribut Editor to check if they are able to read Bitlocker attribut:
Please don't forget to mark helpful answer as accepted
i have tried both methods and unfortnately it doesn't work.
to note that in the second method using the LDP, i noticed that i have the following missing from the list and i was not able to add it to the list. "msFVE-RecoveryInformation - class".
is there a way to add this?
Check in your schema if this attribute exists. If it's not the case , you should extend schema :
Active Directory and BitLocker – Part 2: Schema update, ACE settings, Password Recovery Viewer
Please don't forget to mark helpful asnwer as accepted
Did you find a solution? The info Thameur keeps linking to looks outdated and incorrect.
I see the same issue and Server 2012 and newer is supposed to have everything you need enabled in the schema by default.
