How to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool to view recovery passwords for Windows Vista

This article describes how to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. The BitLocker Drive Encryption feature is a data protection feature that is included with the following versions of Windows Vista:

• Windows Vista Ultimate
• Windows Vista Enterprise

You can use this tool to help locate BitLocker Drive Encryption recovery passwords for Windows Vista-based computers in Active Directory Domain Services (AD DS). The Active Directory Users and Computers Microsoft Management Console (MMC) snap-in must be installed via the Remote Server Administrator Tools (RSAT).

For more information about RSAT tools, click the following article number to view the article in the Microsoft Knowledge Base:

For more information about how to obtain and use the bitlock repair tool, click the following article number to view the article in the Microsoft Knowledge Base:

Overview

The BitLocker Recovery Password Viewer lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a volume that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers MMC snap-in. After you install this tool, you can examine the Properties dialog box of a computer object to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest (multiple domains) .

Before you can use the BitLocker Recovery Password Viewer tool to view BitLocker recovery passwords, the following conditions must be true:

• The domain must be configured to store BitLocker recovery information.
• Windows Vista-based computers must be joined to the domain.
• BitLocker Drive Encryption must have been enabled on the Windows Vista-based computers.

For more information about how to configure BitLocker, visit the following Microsoft Web sites:Also, we recommend that you understand how to use BitLocker recovery passwords to unlock an encrypted volume. For more information about how to use BitLocker, visit the following Microsoft Web site:

How to obtain the BitLocker Recovery Password Viewer tool

How to obtain the BitLocker Recovery Password Viewer tool for Windows Vista Enterprise, for Windows Vista Enterprise Service Pack 1, and for Windows Server 2008

If you are using Windows Vista Enterprise or Windows Server 2008, visit the following Microsoft Web site to obtain this tool:

How to obtain the BitLocker Recovery Password Viewer tool for Windows Vista

To install the BitLocker Recovery Password Viewer tool on a Windows XP-based computer, you must first install the latest version of the Windows Server 2003 Administration Tools. To obtain this program, visit the following Microsoft Web site:

Installation rights for the BitLocker Recovery Password Viewer tool

To install the BitLocker Recovery Password Viewer tool successfully, the installation program must update the Active Directory configuration database.

The installation program adds the following two attributes to AD DS if these two attributes are not already present.Note These tables use the following values:

• Password Viewer's GUID is 2FB1B669-59EA-4F64-B728-05309F2C11C8.
• LanguageID for English is 409. The installation program updates all language IDs to let you run the BitLocker Recovery Password Viewer tool under all available languages.

These changes to AD DS affect every domain in the forest. You must have Enterprise Administrator rights to modify the Active Directory configuration database. However, after the BitLocker Recovery Password Viewer tool has been installed in a forest, you only have to have Read permissions to the Active Directory configuration database for later installations of the BitLocker Recovery Password Viewer tool. By default, all domain users have Read permissions for the Active Directory configuration database.

To summarize, you must have the following rights to install the BitLocker Recovery Password Viewer tool:

• When you first install the BitLocker Recovery Password Viewer tool, you must have Enterprise Administrator rights. These rights let you modify the Active Directory configuration database.
• When you next install the BitLocker Recovery Password Viewer tool, you must have the rights of a domain user together with local Administrator rights to the computer on which you want to install the BitLocker Recovery Password Viewer tool.

Registry information

Before you run this tool on the domain for the first time, run the following command from your Windows system folder as an Enterprise Administrator: When you later use the tool on the domain, you will not have to run Regsvr32.exe.

Installation troubleshooting information

The installation rights are the same for Windows XP and Windows Vista. Use the following information to help troubleshoot installation error messages that you may receive when you install the BitLocker Recovery Password Viewer tool:

Error message 1You receive this error message if you installed the Windows XP version of the BitLocker Recovery Password Viewer tool on a Windows Vista-based computer. You must install the Windows Vista-based version of the tool on Windows Vista-based computers.

Error message 2You receive this error message if you do not have sufficient rights to install the BitLocker Recovery Password Viewer tool on a Windows XP-based computer. You must have local Administrator rights to install this tool.

Error message 3You receive this error message if one of the following conditions is true:

• The computer is not connected to the network, or the computer cannot communicate with the domain.
• You are not logged on to the computer as a domain user.

Error message 4You may receive this error message when you try to install the first instance of the BitLocker Recovery Password Viewer tool in a forest. For the first installation of this tool, you must have Read and Write permissions to the computer-Display object and to the domainDNS-Display object in AD DS. Also, you must have Read and Write permissions to the parent containers of these objects in the Active Directory configuration database. By default, members of the Enterprise Administrators group have Read and Write permissions to these objects.

Error message 5You may receive this error message when you try to perform a second or later installation of the BitLocker Recovery Password Viewer tool in a domain. To perform a second or later installation of this tool, you must have at least Read permissions to the computer-Display object and to the domainDNS-Display object in AD DS. Also, you must have at least Read permissions to the parent containers of these objects in the Active Directory configuration database.

To remove the BitLocker Recovery Password Viewer tool

To remove the Bitlocker Recovery tool, follow these steps:

1. Click Start, click Run, type appwiz.cpl, and then click OK.
2. In the Add or Remove Programs dialog box, click to select the Show updates check box.
3. In the Currently installed programs list, click BitLocker Recovery Password Viewer (for Active Directory Users and Computers), and then click Remove.
4. If you receive a message that states that other programs may not run correctly if you remove this update, click Yes to confirm the removal of this update.
   
   Note The removal of the BitLocker Recovery Password Viewer tool does not prevent other programs from running correctly.
5. Follow the remaining steps in the wizard to remove the BitLocker Recovery Password Viewer tool.

Usage information

The BitLocker Recovery Password Viewer tool extends the Active Directory Users and Computers MMC snap-in. To start Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

The following information describes how to use the BitLocker Recovery Password Viewer tool.

To view the recovery passwords for a computer

1. In Active Directory Users and Computers, locate and then click the container in which the computer is located. For example, click the Computers container.
   
   For more information about how to locate a computer account, visit the following Microsoft Web site:
   http://www.microsoft.com/technet/scriptcenter/scripts/ds/local/users/default.mspx (http://www.microsoft.com/technet/scriptcenter/scripts/ds/local/users/default.mspx)
   For more information about how to create a saved query, visit the following Microsoft Web site:
   http://technet.microsoft.com/en-us/library/cc757566.aspx (http://technet.microsoft.com/en-us/library/cc757566.aspx)
2. Right-click the computer object, and then click Properties.
3. In the ComputerName Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the particular computer.

To copy the recovery passwords for a computer

1. Follow the steps in the "To view the recovery passwords for a computer" section to view the BitLocker recovery passwords.
2. On the BitLocker Recovery tab of the ComputerName Properties dialog box, right-click the BitLocker recovery password that you want to copy, and then click Copy Details.
3. Paste the copied text to a destination location.

To locate a recovery password

1. In Active Directory Users and Computers, right-click the domain container, and then click Find BitLocker Recovery Password.
2. In the Find BitLocker Recovery Password dialog box, type the first eight characters of the recovery password in the Password ID (first 8 characters) box, and then click Search.

Frequently asked questions about the BitLocker Recovery Password Viewer tool

Q1: How can the BitLocker Recovery Password Viewer tool help unlock an encrypted volume?

A1: When you start the computer to the BitLocker Recovery screen, Windows Vista gives you a drive label and a password ID. You can use this information together with the BitLocker Recovery Password Viewer tool to locate the matching BitLocker recovery password that is stored in AD DS.

Q2: Can anybody use the BitLocker Recovery Password Viewer tool to locate recovery passwords?

A2: No. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.

If a user who does not have sufficient rights installs the BitLocker Recovery Password Viewer tool, that user cannot locate any recovery passwords for any computer. Also, if you use the BitLocker Recovery Password Viewer tool to search for recovery passwords among all the domains in a forest, results are returned only from the domains in which you have sufficient rights.

Note The BitLocker Recovery Password Viewer tool cannot distinguish between a situation in which no recovery passwords exist for a particular computer and a situation in which you do not have sufficient rights to view the recovery password for a particular computer.

Q3: What if a stored recovery password does not appear on the "BitLocker Recovery" tab of a computer's "ComputerName Properties" dialog box?

A3: Usually, the BitLocker recovery passwords for a particular computer appear on the BitLocker Recovery tab of the ComputerName Properties dialog box for that computer. However, if a computer is renamed, you may be unable to locate the correct computer. This is because the drive label information still contains the original computer name. In this situation, you must use the password ID information to search for the recovery password.

Q4: Why are only the first eight characters of the password ID used to search for the location of a recovery password?

A4: This is a design decision that is intended to help simplify searching for recovery passwords without sacrificing the accuracy of the search operation. Tests that randomly generated over one million password IDs typically yielded only 100 duplicates for the first eight characters of the password ID. Therefore, even if you have one million recovery passwords in a search domain, it is unlikely that two recovery passwords will be returned by a single search operation. Additionally, it is even more unlikely that more than two recovery passwords will be returned in the same search.

Note We recommend that you examine the returned recovery password to make sure that it matches the whole password ID that you used to perform the search. This is to verify that you have obtained the unique recovery password.

Q5: How long does it take to search for a recovery password across all domains?

A5: Generally, it takes no more than several seconds to search for a password ID across all the domains of a forest. However, you may experience decreased performance if the following conditions are true:

• A global catalog server locates a recovery password in a domain.
• The global catalog server cannot connect to that particular domain.

Q6: How do I troubleshoot problems that I may experience when I use the BitLocker Recovery Password Viewer tool?

A6: Use the following information to help troubleshoot issues that you experience when you use the BitLocker Recovery Password Viewer tool:

• If you cannot locate a recovery password when you expect to locate one, verify that you have sufficient rights to view recovery passwords.
• If you receive a "Cannot retrieve recovery password information" error message when you search for a recovery password, verify that the global catalog servers and other domain controllers can communicate correctly.