So you need to give a group of users the ability to use BitLocker Recovery Password Viewer in AD Users & Computers without them being Domain Admin?
From TechNet: To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.
Hmm, ok how do I delegate permissions?
- Create a security group called BitLocker Recovery Password Viewer.
- Add members to the group (for example, add Helpdesk staff members).
- Create another security group called BitLocker TPM Owners.
Please Note: To separate the privileges of reading BitLocker and TPM recovery information, create a different user group that can access TPM owner information. Note that Helpdesk personnel who need access to BitLocker recovery passwords will not typically need access to TPM owner information.
- Assign control access and read property permissions to the group. This is done by running the attached scripts.
Please Note: Change the first line of each script if you created a user group with a different name.
- Save each sample script in a VBScript file. For example: DelegateBitLocker.vbs & DelegateBitLockerTPMOwners.vbs.
- Open an elevated Command Prompt window:
  - Click the Start button, type cmd, right-click cmd.exe, and then click Run as administrator.
  - If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the command prompt, run the two scripts. Example: cscript DelegateBitLocker.vbs
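If you would rather not run the VBScript, here is an added PowerShell equivalent (my own example, not the TechNet scripts referred to above). It assumes the RSAT ActiveDirectory module is installed, the group name in `$GroupName` already exists, and you run it elevated as a domain administrator; it only handles the recovery password group, not the TPM owners group.

```powershell
# Added example, not the TechNet VBScript referenced above: grant a group read
# access to BitLocker recovery passwords with PowerShell. Assumes the RSAT
# ActiveDirectory module is installed, the group already exists, and the
# session is elevated and run by a domain administrator.
Import-Module ActiveDirectory

$GroupName = 'BitLocker Recovery Password Viewer'   # change if your group has a different name

$RootDse  = Get-ADRootDSE
$DomainDN = $RootDse.defaultNamingContext

# Look the class GUID up in the schema instead of hard-coding it.
$RecoveryClass = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$RecoveryClassGuid = [guid]$RecoveryClass.schemaIDGUID

$GroupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID

# One ACE on the domain root: Read Property + Control Access (extended rights),
# inherited only by msFVE-RecoveryInformation objects, so the group can read
# recovery passwords but gains nothing on users, computers or other objects.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    $Rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $RecoveryClassGuid)

$Acl = Get-Acl -Path "AD:\$DomainDN"
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$DomainDN" -AclObject $Acl

# Check: list the ACEs on the domain root that now apply to the group. You should
# see ReadProperty, ExtendedRight with InheritanceType Descendents and the
# msFVE-RecoveryInformation class GUID as InheritedObjectType.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, InheritanceType, InheritedObjectType

# The separate TPM owners group (see the note above) needs its own, narrower ACE
# on the TPM owner information of computer objects; that is not shown here.
```

The trailing check is also what to run later if a helpdesk user reports the Recovery Password tab empty: a missing or non-inherited ACE shows up there before you start touching the group membership.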