Even if a local admin (no domain account, but a local account) encrypts a disk, the recovery key will be written to the computer object in AD, if you just enabled the GPOs to automatically back up the key.
BitLocker - non-domain admin abilities to write to AD
Hello,
Working on setting up BitLocker to save the keys to AD, but can't seem to find an answer to my big question. We have non-domain administrators at locations that have been granted delegation rights to their AD OUs. While setting up BitLocker, I created a security group and added these admins to it, delegated them the additional full access rights to msFVE-RecoveryInformation attribute, which gives them rights to see the BitLocker keys in a machine's properties, but can they write the keys to AD when setting up machines?
If they do the command: "manage-bde.exe -on C: -recoverypassword" will the keys be written to AD or does this require domain admin rights?
thanks.
SMertz01 21 Reputation points
2021-11-18T13:33:23.95+00:00
Thanks. Did some additional testing and found that to be true.
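The accepted answer above is the practical point: the escrow write is done by the computer itself (under the computer account, using the SELF permissions on its own object), so the rights of the person typing `manage-bde` do not matter. What does matter is that the policy is actually in place before the drive is encrypted, because with `ActiveDirectoryBackup` off the key is simply not escrowed and nothing tells you. The PowerShell below is an added example, not from this thread or from Microsoft; it is meant for a delegated OU admin to confirm, per machine, that the policy is applied, that the recovery password exists, and that a matching msFVE-RecoveryInformation object really landed under the computer object. It assumes it is run elevated on a domain-joined client with the RSAT ActiveDirectory module installed, and that the OU delegation described in the question (read rights on msFVE-RecoveryInformation) is already granted to the account running it; the registry value names are the ones the BitLocker ADMX settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the original thread): verify BitLocker recovery-key
# escrow to AD end to end for the OS drive on this computer.
# Assumes: elevated session, domain-joined client, RSAT ActiveDirectory module,
# and read access to msFVE-RecoveryInformation under the computer's OU.

$MountPoint = 'C:'
$FvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Policy check: these DWORDs are what the "Choose how BitLocker-protected
#    operating system drives can be recovered" GPO writes. Without them the
#    recovery password is created locally but never sent to AD.
$expected = @{
    OSActiveDirectoryBackup        = 1   # store recovery info in AD DS
    OSRequireActiveDirectoryBackup = 1   # refuse to encrypt until escrow succeeds
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $FvePolicy -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "$name is '$actual' (expected $($expected[$name])); escrow may be skipped silently."
    }
}

# 2. Make sure a recovery password protector exists. This is the PowerShell
#    equivalent of "manage-bde -on C: -recoverypassword". No AD rights are
#    needed by the caller: the backup is performed in the computer's context.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
}
$recoveryProtectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recoveryProtectors) { throw "No RecoveryPassword protector on $MountPoint." }

# 3. Re-escrow explicitly. This is safe to repeat and is the usual fix for a
#    machine that was encrypted before the GPO reached it.
foreach ($p in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Read back from AD. Recovery objects are children of the computer object,
#    named "<timestamp>{<KeyProtectorId>}", so the protector GUID can be
#    matched directly against the object name.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

foreach ($p in $recoveryProtectors) {
    $match = $escrowed | Where-Object { $_.Name -like "*$($p.KeyProtectorId)*" }
    if ($match) {
        Write-Output "OK   protector $($p.KeyProtectorId) escrowed at $($match.whenCreated)"
    } else {
        Write-Warning "MISSING: protector $($p.KeyProtectorId) has no msFVE-RecoveryInformation object in AD."
    }
}

# 5. Coarse check of why the user's own rights are irrelevant: the computer
#    object should carry an ACE for NT AUTHORITY\SELF allowing CreateChild,
#    which is what lets the machine write its own recovery objects.
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$selfCreate = $acl.Access | Where-Object {
    $_.IdentityReference -like '*SELF' -and $_.ActiveDirectoryRights -match 'CreateChild'
}
if (-not $selfCreate) {
    Write-Warning 'No SELF CreateChild ACE found on the computer object; escrow will fail regardless of who runs manage-bde.'
}
```

Step 3 is the part worth keeping in a standard build script: the escrow only happens automatically for protectors created after the policy applied, so a machine imaged before the GPO existed holds a recovery password that was never stored, and step 4 is what turns "the GPO is on" into "this key is actually recoverable".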