{"id":346,"date":"2026-04-01T11:19:53","date_gmt":"2026-04-01T10:19:53","guid":{"rendered":"https:\/\/overlaps.co.uk\/docs\/?page_id=346"},"modified":"2026-04-01T11:37:54","modified_gmt":"2026-04-01T10:37:54","slug":"bitlocker-recovery-key-permissions","status":"publish","type":"page","link":"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/installation-and-configuration\/active-directory\/bitlocker-recovery-key-permissions\/","title":{"rendered":"Bitlocker Recovery Key Permissions"},"content":{"rendered":"\n

If you wish to make use of the ability to retrieve Bitlocker Recovery Keys from Active Directory then the OVERLAPS server must be granted permission to read them.<\/p>\n\n\n\n

Bitlocker Keys make use of the Active Directory Confidentiality bit<\/strong>, which is designed to limit visibility of the object or property to only users who have full control access to that object<\/strong>.<\/p>\n\n\n\n

There are two ways to grant access to view this data: the quick, easy and arguably less secure way, and the more in-depth but ultimately more secure way. If you are in any doubt as to which method is best for you, or if you require more information, it is recommended to consult official Microsoft’s documentation on the topic.<\/p>\n\n\n\n

The Quick Way<\/h2>\n\n\n\n

The quick way involves granting OVERLAPS full delegate rights to an Active Directory container in which the Bitlocker secured computers are located.<\/p>\n\n\n\n

    \n
  1. Right click the Organizational Unit or Container and click Delegate Control<\/strong>
    \"Delegate<\/li>\n\n\n\n
  2. This launches the Delegation Control Wizard
    \"Delegation<\/li>\n\n\n\n
  3. Click Add<\/strong> and add the OVERLAPS server (if you can’t find it, click Object Types and make sure Computers is checked). Note that if you’re using a Service Account in the Active Directory settings (see Settings – Active Directory<\/a>), then enter that account instead.
    \"Add<\/li>\n\n\n\n
  4. Click OK<\/strong> to add the server to the Users or Groups list, click Next<\/strong>
    \"User\/Group\/Computer<\/li>\n\n\n\n
  5. Select Create a custom task to delegate<\/strong>
    \"Create<\/li>\n\n\n\n
  6. Select Only the following objects in the folder<\/strong>, then check msFVE-RecoveryInformation objects<\/strong>, then click Next<\/strong>
    \"Delegate<\/li>\n\n\n\n
  7. Select the Full Control<\/strong> checkbox, then click Next<\/strong>
    \"Grant<\/li>\n<\/ol>\n\n\n\n

    The More Secure Way<\/h2>\n\n\n\n

    More advanced control over access to the Bitlocker Recovery Key object can be achieved using Microsoft’s Ldp.exe tool. This involves directly editing the ACL Security Descriptor on an OU and can lead to unexpected results, this should only be carried out by an experienced person who is confident in what they are doing.<\/p>\n\n\n\n

    The basic logic is that any property or object with the Confidentiality bit set requires a user with the “Control Access” permission to access it. The only way to achieve this when editing an OU’s permissions normally is by granting Full Control to it. This unfortunately necessitates giving up far more control over the container\/object than is actually necessary though. However, by setting an Access Control Entry (ACE) manually through Ldp.exe, you can specify only the permissions you actually need. The steps to achieve this are shown below.<\/p>\n\n\n\n