We use non-persistent virtual desktops, and when a user logs out, their computer object can sometimes be deleted, and there is no guarantee that the user will receive the same desktop each time.
We have enabled the BitLocker GPO to allow USB disk encryption and to create a recovery key and store a copy in AD. Let's say a user forgets their password and loses their file-based or printed recovery key. Now we have to find the recovery key by trying each key from each AD computer object.
Can we modify the AD schema to store the recovery keys in the user object? Is there some other solution?
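As an added example (not part of the original post), the following PowerShell shows how the lookup described above can be done without walking every computer object: BitLocker backs each key up as an msFVE-RecoveryInformation object that is a child of the computer object and whose name contains the recovery GUID, so a single subtree search on the "Recovery key ID" shown on the user's recovery screen finds it. It assumes the RSAT ActiveDirectory module is installed and that the running account has been delegated read access to msFVE-RecoveryPassword (by default only Domain Admins can read it); the key ID 'A1B2C3D4' is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the account has read access to msFVE-RecoveryPassword.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        # The "Recovery key ID" from the BitLocker recovery screen: the first
        # 8 hex characters of the recovery GUID. 'A1B2C3D4' in the usage lines
        # below is a constructed placeholder, not a real ID.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$KeyIdPrefix,

        # Search the whole domain by default, so the lookup does not depend on
        # knowing (or still having) the computer object the key was stored under.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,

        # Also return recovery objects whose parent computer object was deleted.
        # This only finds anything while the AD Recycle Bin is enabled and the
        # object is still within its deleted-object lifetime; without the Recycle
        # Bin, the recovery objects are removed together with the computer object.
        [switch]$IncludeDeleted
    )

    # Recovery objects are named "<timestamp>{<recovery GUID>}", so a substring
    # match on CN finds the key by ID without enumerating computers first.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($KeyIdPrefix)*))"

    $query = @{
        LDAPFilter  = $filter
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Properties  = 'msFVE-RecoveryPassword', 'whenCreated', 'isDeleted', 'lastKnownParent'
    }
    if ($IncludeDeleted) { $query['IncludeDeletedObjects'] = $true }

    Get-ADObject @query | ForEach-Object {
        # For a live object the parent DN is the computer object; for a deleted
        # one AD records the original parent in lastKnownParent.
        $parent = if ($_.lastKnownParent) {
            $_.lastKnownParent
        } else {
            $_.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
        }

        [PSCustomObject]@{
            KeyId            = ([regex]::Match($_.Name, '\{([0-9A-Fa-f]{8})').Groups[1].Value).ToUpper()
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            Computer         = $parent
            Created          = $_.whenCreated
            Deleted          = [bool]$_.isDeleted
        }
    }
}

# Usage (constructed key ID; a real one comes from the user's recovery screen):
# Find-BitLockerRecoveryPassword -KeyIdPrefix 'A1B2C3D4'
# Find-BitLockerRecoveryPassword -KeyIdPrefix 'A1B2C3D4' -IncludeDeleted
```

Because the search is keyed on the recovery key ID rather than on a user-to-computer mapping, it does not need the schema change asked about above. What it cannot fix is the deletion itself: once a computer object is gone, its child recovery objects go with it, and the -IncludeDeleted path only helps for as long as the AD Recycle Bin retains them, so the retention of those objects is the part that needs a policy decision.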