How to delegate sufficient permission to access the BitLocker recovery password?
Hi,

Environment: W2K3R2 Native Single Domain, XP, Vista & Win7 clients.

We would like to be able to delegate the ability for a group of support users to view the recovery password for machines that have BitLocker encryption enabled and passwords added to those computer accounts in AD. Domain Admins can do this just fine. But when a support user who is not a Domain Admin attempts to view the BitLocker Recovery Passwords via the Computer Object > BitLocker Recovery tab in AD, they get the message:

"Cannot retrieve recovery password information. Cannot get the password attribute of a recovery password record. Make sure you have sufficient permission to access the recovery password."

According to http://support.microsoft.com/kb/928202, FAQ 2, the answer says "To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator."

Exactly what permissions must be delegated by a domain administrator to other non-domain admins for accessing the BitLocker recovery password? I have searched quite extensively already but can't seem to find this information out there. Does MS have these delegated permissions documented? And is there a dsacls command we could use to script/document this delegation?

Thanks in advance.
belpad
July 16th, 2010 2:57am

Hi,

I would like to suggest you refer to the following Microsoft TechNet article and follow Appendix A: Delegating Permission.

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS

Hope it is helpful!

Regards,
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 19th, 2010 7:42am

Hi Arthur,

Yes, very helpful thanks, that is exactly what we were looking for.

Thanks, Paul.
belpad
July 20th, 2010 1:46am

This topic is archived. No further replies will be accepted.
