AD - Delegate BitLocker read permissions to helpdesk per OU

  • Question

  • How could I delegate permissions per OU for bitlocker attributes?

    I have tried this:

    dsacls.exe "OU=Computers,$OrganizationalUnitDN" /$prefixlocation-$type":RP;msTPM-OwnerInformation;Computer" /I:S
    dsacls.exe "OU=Computers,$OrganizationalUnitDN" /$prefixlocation-$type":RP;msFVE-KeyPackage;msFVE-RecoveryInformation" /I:S
    dsacls.exe "OU=Computers,$OrganizationalUnitDN" /$prefixlocation-$type":RP;msFVE-RecoveryPassword;msFVE-RecoveryInformation" /I:S
    dsacls.exe "OU=Computers,$OrganizationalUnitDN" /$prefixlocation-$type":CA;msTPM-OwnerInformation;Computer" /I:S
    dsacls.exe "OU=Computers,$OrganizationalUnitDN" /$prefixlocation-$type":CA;msFVE-KeyPackage;msFVE-RecoveryInformation" /I:S
    dsacls.exe "OU=Computers,$OrganizationalUnitDN" /$prefixlocation-$type":CA;msFVE-RecoveryPassword;msFVE-RecoveryInformation" /I:S

    Friday, September 20, 2019 11:58 AM

All replies

  • Hi,

    Thanks for posting in our forum.

    Based on my research, I suggest you use the Delegation of Control Wizard and fill in the following parameters to see if it achieves your needs:

    1. Right-click one OU to open Delegation of Control Wizard.
    2. Select users or groups in Users or Groups dialog.
    3. In the "Tasks to Delegate" dialog, choose "Create a custom task to delegate".
    4. In the "Active Directory Object Type" dialog, choose "Only the following objects in the folder", then check "msTPM-InformationObject objects" and "msFVE-RecoveryInformation objects".
    5. In the "Permissions" dialog, check "Read all properties".

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 23, 2019 7:54 AM
  • Hi,


    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.


    Best Regards,

    William




    Wednesday, September 25, 2019 7:03 AM
  • William, your research seems flawed to me.

    The recovery keys are protected with a special measure: the so-called confidentiality bit (read https://blog.nextxpert.com/2011/01/11/how-to-delegate-access-to-bitlocker-recovery-information-in-active-directory/ where it says "All objects created with the Confidentiality bit set to 1, are only available for users, who have full control access to that object. These objects are hidden for other users in Active Directory").

    In other words: read-permissions cannot be used here, since granting those has NO effect at all without the confidentiality bit.

    The correct way to assign read-permissions is described here (use browser translation features): https://administrator.de/wissen/besserer-weg-delegation-control-bitlocker-recoverykeys-491520.html

    Wednesday, September 25, 2019 6:38 PM
  • Hi Bagitman,

    Thanks for your sharing.

    Since I'm not familiar with BitLocker, I followed Yps22's command and gave the suggestion above.

    Hope our suggestion could help YPS22 solve his issue.

    Best Regards,

    William



    Friday, September 27, 2019 9:53 AM
    yps22, find my lengthy article that covers it here: https://www.experts-exchange.com/articles/33769/Delegation-of-access-to-Bitlocker-Recovery-Passwords-this-way-please.html (I translated my article from the German forum and extended it by using more screenshots).
    Monday, September 30, 2019 7:28 AM
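As an added example, not taken from this thread or from the linked articles, the following PowerShell script shows what Bagitman's confidentiality-bit point means for the dsacls approach in the question: it first checks the confidential bit (0x80 in searchFlags) on the attributes the question names, then delegates both Read Property (RP) and Control Access (CA) on msFVE-RecoveryPassword to a helpdesk group using the same dsacls argument layout as the question, since a confidential attribute is only returned to a caller that holds Control Access on it as well as Read Property. The OU distinguished name and the group name are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Placeholders for this example; replace with your own OU DN and delegation group.
$OU    = "OU=Computers,OU=Branch,DC=contoso,DC=com"
$Group = "CONTOSO\BitLocker-Helpdesk"

# 1. Show why a plain read delegation is not enough: the confidential bit in searchFlags.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in "msFVE-RecoveryPassword", "msFVE-KeyPackage", "msTPM-OwnerInformation") {
    $def = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties searchFlags
    if ($null -eq $def) { "{0,-24} not found in schema" -f $attr; continue }
    $confidential = ($def.searchFlags -band 0x80) -ne 0   # 0x80 = confidential attribute
    "{0,-24} searchFlags={1,-4} confidential={2}" -f $attr, $def.searchFlags, $confidential
}

# 2. Delegate on the OU, inherited to msFVE-RecoveryInformation child objects only (/I:S).
#    RP alone is what the question tried; CA on the same attribute is what a confidential
#    attribute additionally requires before the directory will return its value.
dsacls.exe $OU /G "${Group}:RP;msFVE-RecoveryPassword;msFVE-RecoveryInformation" /I:S
dsacls.exe $OU /G "${Group}:CA;msFVE-RecoveryPassword;msFVE-RecoveryInformation" /I:S

# 3. Verify the resulting ACEs on the OU for the delegated group.
(Get-Acl "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 4. End-to-end check, to be run as a member of $Group: an empty msFVE-RecoveryPassword
#    on objects that are known to have one means the Control Access right did not apply.
# Get-ADObject -SearchBase $OU -LDAPFilter "(objectClass=msFVE-RecoveryInformation)" `
#     -Properties msFVE-RecoveryPassword | Select-Object DistinguishedName, msFVE-RecoveryPassword
```

The verification in step 3 lists the ACEs by schema GUID (ObjectType is the attribute's schemaIDGUID, InheritedObjectType the object class GUID), so compare those against the GUIDs of msFVE-RecoveryPassword and msFVE-RecoveryInformation rather than expecting readable names.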