Wednesday, 16 August 2017

Delegate permission to retrieve the BitLocker keys



Hello Guys,

We started work on cleaning up users from privileged groups like "Domain Admins" and "Enterprise Admins".

Yes, it's a good idea to have only a limited number of people in these groups. But lots of users who were removed from these groups started complaining that they lost their access to shares and to BitLocker key retrieval, and could no longer do basic tasks like password resets, account unlocks and group membership changes.


So, as a first step we granted the share access and delegated rights for the basic tasks, but I was stuck on granting rights for BitLocker recovery password retrieval.

I set up the Delegation of Control wizard at the domain level for that group and granted Read permission on the msFVE-RecoveryInformation objects.

How to grant rights through the Delegation of Control wizard?

1) Start the Delegation of Control wizard at the domain level

2) Select the BitLocker Support group

3) Select "Create a custom task to delegate"

4) Select "msFVE-RecoveryInformation" under "Only the following objects in the folder"

5) Select "Read all properties"

6) Finish the Delegation of Control wizard.

Now add the required desktop admin users to the BitLocker Support group.
Ask them to install the RSAT tools for AD and the BitLocker support tools on their management systems.


Now they should be able to view the BitLocker recovery password information after launching the DSA.msc console; a new tab should be visible in the console.

Note: You may have noticed that there are no items in this view in the snapshot below, but that's fine because it's my test machine, where BitLocker is not installed.
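For anyone who wants to script the same delegation (and audit it afterwards), here is an added example that is not from the original post: it writes the same class-scoped ACE the wizard creates in steps 1 to 6 and then lists it back, using the RSAT ActiveDirectory module. The group name "BitLocker Support" and the domain root as the target are assumptions taken from the steps above.

```powershell
# Added example (not the post's own code). Grants the group "Read all properties"
# on msFVE-RecoveryInformation objects below the domain root, as the wizard does.
Import-Module ActiveDirectory

# schemaIDGUID of the msFVE-RecoveryInformation class; the ACE is restricted to
# descendants of this class (the wizard's "Only the following objects in the folder").
function Get-RecoveryInfoClassGuid {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
    return [guid] $class.schemaIDGUID
}

function Grant-BitLockerRecoveryRead {
    param([Parameter(Mandatory)][string] $GroupName,
          [string] $TargetDN = (Get-ADDomain).DistinguishedName)  # domain root, as in the post
    $sid = (Get-ADGroup -Identity $GroupName).SID
    # "Read all properties" = ReadProperty; inherited by descendants only
    # ("Descendents" is the .NET enum spelling) and only for the class GUID.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-RecoveryInfoClassGuid))
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Returns the ACEs that grant this group ReadProperty scoped to recovery objects,
# so the delegation can be checked; an empty result means it is not in place.
function Get-BitLockerRecoveryReadAce {
    param([Parameter(Mandatory)][string] $GroupName,
          [string] $TargetDN = (Get-ADDomain).DistinguishedName)
    $account = (Get-ADGroup -Identity $GroupName).SID.Translate(
        [System.Security.Principal.NTAccount]).Value          # e.g. DOMAIN\BitLocker Support
    $classGuid = Get-RecoveryInfoClassGuid
    (Get-Acl -Path "AD:\$TargetDN").Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.InheritedObjectType -eq $classGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    }
}

Grant-BitLockerRecoveryRead -GroupName 'BitLocker Support'
Get-BitLockerRecoveryReadAce -GroupName 'BitLocker Support' |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Run it as an account that can modify the domain root ACL; the second call is also handy on its own for periodically confirming that only the intended group holds this read right.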