Viewing BitLocker recovery passwords
Active Roles allows you to locate and view BitLocker recovery passwords that are stored in Active Directory. This tool helps to recover data on a drive that has been encrypted by using BitLocker. You can examine a computer object’s property pages to view the corresponding BitLocker recovery passwords. Additionally, you can perform a domain-wide search for a BitLocker recovery password.
Administrators can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives to Active Directory. Recovery information includes the recovery password for each BitLocker-protected drive, and the information required to identify which computers and drives the recovery information applies to. Backing up recovery passwords for BitLocker-protected drives allows administrators to recover the drive if it is locked, thereby ensuring that authorized persons can always access encrypted data belonging to the enterprise.
To view BitLocker recovery passwords, you must have been granted the appropriate permissions in Active Roles. The following Access Template provides sufficient permissions to view BitLocker recovery passwords:
- Computer Objects - View BitLocker Recovery Keys
In addition, viewing BitLocker recovery passwords in a given Active Directory domain requires the following:
- The domain must be configured to store BitLocker recovery information (see “Backing Up BitLocker and TPM Recovery Information to AD DS” at http://technet.microsoft.com/en-us/library/dd875529.aspx).
- The computers protected by BitLocker must be joined to the domain.
- BitLocker Drive Encryption must have been enabled on the computers.
Steps for viewing BitLocker recovery passwords
The following procedures describe the most common tasks that apply to locating and viewing BitLocker recovery passwords.
To view the BitLocker recovery passwords for a computer
- In the Active Roles console, locate the desired computer object.
- Right-click the computer object, and then click Properties.
- In the Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the computer you’ve selected.
To copy the BitLocker recovery password for a computer
- Follow the steps in the previous procedure to view the BitLocker recovery passwords.
- On the BitLocker Recovery tab of the Properties dialog box, perform the following steps:
  - In the BitLocker Recovery Passwords list, click the desired password ID.
  - Right-click in the Details box, click Select All, and then click Copy.
- Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
You can use the Active Roles Web Interface to view the BitLocker recovery passwords for a computer: Select the computer object and then choose the BitLocker Recovery command.
To locate a BitLocker recovery password
- In the Active Roles console or Web Interface, select the domain object, and then choose the Find BitLocker Recovery Password command.
- On the Find BitLocker Recovery Password page, type the first eight characters of the BitLocker recovery key identification in the Password ID (first 8 characters) box, and then click Search.
You can also search for a BitLocker recovery password in all managed domains by choosing the Find BitLocker Recovery Password command on the Active Directory node in the Active Roles console or Web Interface.
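The two lookups above (the per-computer view and the domain-wide search by the first eight characters of the Password ID) read the same msFVE-RecoveryInformation objects that BitLocker backs up beneath each computer object. The following PowerShell is an added example that performs both lookups directly with the ActiveDirectory module; it is not part of Active Roles or its documentation, and it assumes the ActiveDirectory module (RSAT) is installed, PowerShell 5.1 or later, and that the caller has read access to the recovery objects in the search base.

```powershell
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # First 8 characters of the Password ID shown on the BitLocker recovery screen
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordIdPrefix,
        # DN to search; defaults to the current domain (domain-wide search)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Recovery objects are children of the computer object and are named
    # "<timestamp>{<recovery GUID>}", so the prefix can be matched on cn.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix-*))"

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
        -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, msFVE-RecoveryPassword, whenCreated |
    ForEach-Object {
        # The GUID attributes are stored as octet strings (byte[]); decode them.
        $recoveryGuid = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
        # Confirm the match on the real attribute, not only on the cn string.
        if ($recoveryGuid.ToString().StartsWith($PasswordIdPrefix, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{
                # Parent DN of the recovery object is the computer object
                Computer         = ($_.DistinguishedName -split ',', 2)[1]
                PasswordId       = $recoveryGuid.ToString().ToUpperInvariant()
                VolumeId         = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
    }
}

function Get-ComputerBitLockerRecoveryPassword {
    # Equivalent of the BitLocker Recovery tab: all recovery objects directly
    # under one computer object, newest first.
    param([Parameter(Mandatory)][string]$ComputerName)
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -SearchBase $computerDn -SearchScope OneLevel `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
    Sort-Object whenCreated -Descending |
    ForEach-Object {
        [pscustomobject]@{
            PasswordId       = ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString().ToUpperInvariant()
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}
```

Both functions return objects rather than writing to the console, so the caller decides where the 48-digit recovery password goes; access to these objects should be limited to the same administrators who hold the Access Template described above, since anyone who can read them can unlock the drive.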
Organizational Unit Management
About Organizational Units
Organizational Units (OUs) are containers in Active Directory. OUs can contain user accounts, groups, computer accounts, and other OUs. An object can be included in only one OU.
When you expand the Active Directory node in the Active Roles console, the console tree displays icons representing domains. You can double-click a domain icon to see containers that are defined in the domain. OUs are marked with the following icon:
When you select an OU in the console tree, the details pane lists objects included in the OU, and the Action menu provides commands to create new objects in the OU, search for objects in the OU, and manage OU properties.
The following section guides you through the Active Roles console to manage Organizational Units. You can also use the Active Roles Web Interface to perform management tasks on Organizational Units.