An object of type “msFVE-RecoveryInformation” is created for every encrypted volume and is stored as a sub-object of the computer object where the volume was encrypted. Simply granting “read” access to these attributes will not allow a user to read the information in them. A user who wants to read the attributes must also have an Access Mask for “Control_Access”. This is a special type
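The read-plus-Control_Access requirement above can be audited offline from a security descriptor in SDDL form. The following is an added example, not code from the original page or from Microsoft: it lists the trustees on a recovery object that hold both read property (`RP`) and control access (`CR`). The sample SDDL and its SIDs are constructed; as simplifications, object GUIDs that scope an ACE to one attribute are ignored and any deny ACE is treated as winning.

```python
import re
from collections import defaultdict

READ_PROP = 0x0010        # SDDL code "RP": read property
CONTROL_ACCESS = 0x0100   # SDDL code "CR": control access
NEEDED = READ_PROP | CONTROL_ACCESS
SDDL_RIGHTS = {"RP": READ_PROP, "CR": CONTROL_ACCESS, "GA": NEEDED}

# Constructed sample descriptor for one msFVE-RecoveryInformation object.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(A;ID;RP;;;{DOM}-1105)"        # read only: not enough
    f"(A;ID;RPCR;;;{DOM}-1106)"      # read + control access
    f"(A;CIIOID;RPCR;;;{DOM}-1107)"  # inherit-only: not effective here
    "(A;;GA;;;DA)"                   # generic all implies both bits
    f"(A;ID;0x110;;;{DOM}-1108)"     # same two bits written as hex
)

def pairs(field):
    """Split an SDDL field into its two-letter codes."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def rights_to_mask(rights):
    """Reduce an SDDL rights field (codes or hex) to the two bits we track."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & NEEDED
    mask = 0
    for code in pairs(rights):
        mask |= SDDL_RIGHTS.get(code, 0)
    return mask

def recovery_readers(sddl):
    """Return trustees whose effective ACEs grant both RP and CR."""
    allow, deny = defaultdict(int), defaultdict(int)
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6 or "IO" in pairs(fields[1]):
            continue  # malformed, or inherit-only (applies to children only)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type in ("A", "OA"):        # allow ACEs; SACL types are skipped
            allow[sid] |= rights_to_mask(rights)
        elif ace_type in ("D", "OD"):      # simplification: any deny wins
            deny[sid] |= rights_to_mask(rights)
    return sorted(s for s, m in allow.items() if (m & ~deny[s]) == NEEDED)

if __name__ == "__main__":
    for trustee in recovery_readers(SAMPLE_SDDL):
        print("can read recovery information:", trustee)
```
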