Active Directory, BitLocker, Deployment

Delegated Permissions to use BitLocker Recovery Password Viewer

So you need to give a group of users the ability to use BitLocker Recovery Password Viewer in AD Users & Computers without them being Domain Admin?

From TechNet: To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.

Hmm, OK, how do I delegate permissions?

  1. Create a security group called BitLocker Recovery Password Viewer.
  2. Add members to the group (for example, add Helpdesk staff members).
  3. Create another security group called BitLocker TPM Owners.

Please Note: To separate the privileges of reading BitLocker and TPM recovery information, create a different user group that can access TPM owner information. Note that Helpdesk personnel who need access to BitLocker recovery passwords will not typically need access to TPM owner information.

  4. Assign control access and read property permissions to the group. This is done by running the attached scripts.

Please Note: Change the first line of each script if you created a user group with a different name.

  5. Save each sample script in a VBScript file. For example: DelegateBitLocker.vbs & DelegateBitLockerTPMOwners.vbs.
  6. Open an elevated Command Prompt window:
  7. Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.
  8. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  9. At the command prompt, run the two scripts. Example: cscript DelegateBitLocker.vbs
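As an added example (not the TechNet VBScript the post refers to), the same delegation done with the ActiveDirectory PowerShell module: it grants the group Read Property and Extended Right (Control Access) on every msFVE-RecoveryInformation object under the target container and then lists the resulting ACE so you can verify it. The group name, the target container DN, and that the RSAT ActiveDirectory module is available to an account allowed to edit that ACL are assumptions.

```powershell
# Added example: delegate BitLocker recovery password reading to a group.
# Assumes the group already exists and this runs as an account that can
# modify the ACL of $TargetDN (e.g. a Domain Admin).
Import-Module ActiveDirectory

$GroupName = 'BitLocker Recovery Password Viewer'   # change if your group has a different name
$TargetDN  = (Get-ADDomain).DistinguishedName       # or an OU DN to scope the delegation narrower

# Resolve the schemaIDGUID of the msFVE-RecoveryInformation class from the schema
# instead of hard-coding it; the ACE is then limited to that object class only.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$classGuid = [Guid]$classObj.schemaIDGUID

$group  = Get-ADGroup -Identity $GroupName
# Read Property lets the group read the object's attributes; Extended Right (Control Access)
# is needed because the recovery password is a confidential attribute.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Allow ACE on the container, inherited only by descendant objects of the
# msFVE-RecoveryInformation class (computers and other objects are untouched).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$TargetDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Verify: show the ACEs on the container that apply to this group and are scoped to the
# msFVE-RecoveryInformation class. Expect one Allow entry with ReadProperty, ExtendedRight.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" -and $_.InheritedObjectType -eq $classGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The second delegation the post describes, for the BitLocker TPM Owners group, follows the same pattern against the TPM object class (msTPM-InformationObject in a Windows Server 2012 or later schema); keeping it on a separate group is what limits Helpdesk staff to recovery passwords only.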