
Drive encryption helps keep the sensitive data on a laptop from being read if the machine is lost or stolen. However, if a user forgets the password or PIN for a computer whose drive is encrypted with a tool such as BitLocker (or the TPM refuses to release the key after a firmware or boot-configuration change), the prospects for recovering the files are much worse than they would be otherwise. Without drive encryption there are many ways to get at files without the Windows password, such as booting from an Ubuntu live disc and copying them off. If the drive is encrypted, that approach yields nothing but ciphertext: without the key or a recovery password the data is unreadable, which is exactly the property you wanted against a thief.
To avoid this scenario, it's wise to back up BitLocker recovery information to Active Directory Domain Services (AD DS). BitLocker stores the 48-digit recovery password (and optionally the key package) as a child object of the computer account, so an administrator can look it up and unlock the drive when necessary. This is also helpful when users leave the company suddenly or a machine is reassigned. Two caveats a practitioner should keep in mind: anyone who can read those child objects can unlock the drive, so control and audit that access (by default only Domain Admins can read the recovery password), and deleting the computer object deletes the recovery information stored under it.
To back up BitLocker recovery information to AD DS, your domain controllers must be running Windows Server 2003 SP1 or later. On Windows Server 2003 the schema must be extended with the BitLocker and TPM classes first; Windows Server 2008 and later ship with them. The configuration procedures differ depending on the client operating system and on whether the Group Policy setting was in place before or after BitLocker was enabled: the policy only escrows recovery information for drives encrypted after it applies, so drives that were already encrypted must be backed up manually (for example with manage-bde -protectors -adbackup), and you should enable the "Do not enable BitLocker until recovery information is stored to AD DS" option so that future encryptions cannot proceed without a backup. To read about backing up BitLocker recovery information for Windows 7 and Windows Server 2008 or earlier, go to this link:
http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
For Windows 8 and Windows Server 2012, follow these instructions:
http://technet.microsoft.com/en-us/library/dn466534.aspx
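As an added example that is not part of the original article or of Microsoft's documentation, the following PowerShell covers both ends of the procedure above on Windows 8 / Windows Server 2012 or later: escrowing the recovery passwords of already-encrypted drives from the client, and an administrator pulling a recovery password back out of AD DS using the key ID shown on the recovery screen. It assumes the BitLocker module on the client, the RSAT ActiveDirectory module on the admin workstation, an elevated session, and a schema that already contains the BitLocker classes (true from Windows Server 2008 onward); the computer name and key ID prefix in the usage comments are made up.

```powershell
# Added example, not code from the original article or from Microsoft.
# Assumes: BitLocker module (client), RSAT ActiveDirectory module (admin), elevated session.
#Requires -RunAsAdministrator

function Backup-ExistingRecoveryPasswordsToAD {
    <#
      Client side. Escrows every recovery-password protector on every BitLocker
      volume to this machine's computer object in AD DS. Needed for volumes that
      were encrypted BEFORE the "Save BitLocker recovery information to AD DS"
      policy applied; the policy does not retroactively back up existing protectors.
    #>
    param(
        [string[]]$MountPoint = (Get-BitLockerVolume | Select-Object -ExpandProperty MountPoint)
    )

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # A TPM-only volume has no recovery password at all; add one so an
            # administrator can recover the drive later, then escrow it.
            $rp = (Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($p in $rp) {
            # Equivalent to: manage-bde -protectors -adbackup $mp -id $p.KeyProtectorId
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Output ("{0}: escrowed recovery password {1}" -f $mp, $p.KeyProtectorId)
        }
    }
}

function Get-BitLockerRecoveryPasswordFromAD {
    <#
      Admin side. Finds the recovery password for a computer. The recovery screen
      shows the first 8 characters of the key protector ID; pass them as
      -KeyIdPrefix so the right password is returned when several exist.
      Recovery info lives in msFVE-RecoveryInformation objects that are direct
      children of the computer account; each CN is a timestamp followed by the
      protector GUID in braces, e.g. "2014-03-02T09:15:40+00:00{GUID}".
    #>
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$KeyIdPrefix
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computer = Get-ADComputer -Identity $ComputerName
    $objs = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                -Properties msFVE-RecoveryPassword, whenCreated

    foreach ($o in $objs) {
        $guid = [regex]::Match($o.Name, '\{([0-9A-Fa-f-]+)\}').Groups[1].Value
        if ($KeyIdPrefix -and -not $guid.StartsWith($KeyIdPrefix, 'OrdinalIgnoreCase')) { continue }
        [pscustomobject]@{
            Computer         = $ComputerName
            KeyProtectorId   = $guid
            Created          = $o.whenCreated
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (hypothetical names):
#   On the client, e.g. via a startup script or PowerShell remoting:
#     Backup-ExistingRecoveryPasswordsToAD
#   On an admin workstation, with the prefix the user reads off the recovery screen:
#     Get-BitLockerRecoveryPasswordFromAD -ComputerName 'LAPTOP-042' -KeyIdPrefix '8FD3A2B1'
```

The lookup function only returns what the caller is already allowed to read; if a help desk is to recover drives, delegate read access on msFVE-RecoveryInformation objects to that group deliberately rather than handing out Domain Admins, and audit those reads, since a recovery password is equivalent to the drive's contents.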