In the context of a Change Workflow, since the BitLocker leaf object has its own object class and separate permissions, a delegated admin may not have the necessary access to perform a Delete operation on the leaf object.
In the context of a Change Workflow, Active Roles will only perform one "Delete" operation per Delete activity, by design.
When working with a Change Workflow, creating a template with the following permissions for a Global Security Group was found to allow users in that group to delete a computer object that has a BitLocker subtree/leaf object (the msFVE-RecoveryInformation child).
- Delete tree – All classes: this selects Delete subtree (and the related entries) for "This object and all descendant objects" under Security > Advanced > Special.
- Delete All Child Objects – All classes: this selects Delete msFVE-RecoveryInformation objects, Delete all child objects (and the related entries) for "This object and all descendant objects" under Security > Advanced > Special.
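As an added check (not part of this article or of Active Roles), the following PowerShell reads the native AD DACL of one computer object and reports whether the group holds the two rights the template above grants: Delete tree on the computer, and Delete All Child Objects covering the msFVE-RecoveryInformation class. It assumes the ActiveDirectory module, that the template's permissions were synchronized to the native AD security descriptor, and uses placeholder DN and group names.

```powershell
# Added example: verify that a group's ACEs on a computer object cover deletion of the
# BitLocker recovery leaf (msFVE-RecoveryInformation). Not code from the One Identity KB.
Import-Module ActiveDirectory

function Test-BitLockerDeleteDelegation {
    param(
        [string]$ComputerDn = 'CN=WS01,OU=Workstations,DC=example,DC=com',  # placeholder
        [string]$GroupName  = 'EXAMPLE\Helpdesk-Computer-Admins'             # placeholder
    )

    # Resolve the schemaIDGUID of msFVE-RecoveryInformation at run time rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $fveClass = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
    $fveGuid = [guid]$fveClass.schemaIDGUID

    # Allow ACEs (explicit and inherited) that name the group.
    $acl = Get-Acl -Path "AD:\$ComputerDn"
    $groupAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $GroupName -and $_.AccessControlType -eq 'Allow'
    }

    $deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    $deleteChild = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

    # "Delete tree" maps to the DeleteTree right on the computer object itself.
    $hasDeleteTree = [bool]($groupAces | Where-Object { $_.ActiveDirectoryRights.HasFlag($deleteTree) })

    # "Delete All Child Objects" maps to DeleteChild; an empty ObjectType GUID means all classes,
    # otherwise the ACE must name the msFVE-RecoveryInformation class GUID.
    $hasDeleteChildFve = [bool]($groupAces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($deleteChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $fveGuid)
    })

    [pscustomobject]@{
        Computer          = $ComputerDn
        Group             = $GroupName
        DeleteTree        = $hasDeleteTree
        DeleteChild_msFVE = $hasDeleteChildFve
        # Either right lets the leaf go with (or before) the computer; Delete on the computer
        # object itself is still required and is not checked here.
        LeafDeleteCovered = ($hasDeleteTree -or $hasDeleteChildFve)
    }
}

Test-BitLockerDeleteDelegation
```

Run it against a computer object that has a BitLocker recovery child; a result with both rights $false explains the failed Delete activity before the workflow is changed.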