Just in case you missed it... some coolness from the BitLocker team to make your life easier.
"The BitLocker Recovery Password Viewer lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a volume that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers MMC snap-in. After you install this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest."
edit - added the link to this post as I forgot to do it earlier.
Is there a way to configure a group of users to be recovery agents for BitLocker? I can grant read rights but I am still unable to read the recovery password unless I am a Domain Admin.
Could it be the confidentiality flag?
I haven't had a chance to test yet, but yes, I believe it is related to the confidential attribute. Try to grant the users who need to view the attribute’s value CONTROL_ACCESS on the specific objects they need to view. By default administrators have CONTROL_ACCESS.
You also need READ property.
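
The delegation discussed in the comments above, written out as an added example that is not part of the original post or its comments. It grants a group READ_PROPERTY plus CONTROL_ACCESS on the recovery password attribute only, inherited to recovery-information objects under one OU. The OU path and group name are hypothetical placeholders; the attribute and class names (`msFVE-RecoveryPassword`, `msFVE-RecoveryInformation`) are the standard schema names and do not appear on this page.

```powershell
Import-Module ActiveDirectory

# Hypothetical placeholders: replace with your own OU and delegation group.
$TargetOU  = 'OU=Workstations,DC=example,DC=com'
$GroupName = 'BitLocker-Recovery-Readers'

# Resolve schema GUIDs at run time instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaObject([string]$LdapName) {
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" `
                 -Properties schemaIDGUID, searchFlags
}
$attr  = Get-SchemaObject 'msFVE-RecoveryPassword'
$class = Get-SchemaObject 'msFVE-RecoveryInformation'
$attrGuid  = [guid]$attr.schemaIDGUID
$classGuid = [guid]$class.schemaIDGUID

# searchFlags bit 0x80 marks an attribute as confidential. When it is set,
# READ_PROPERTY alone is not enough and CONTROL_ACCESS is also required.
$isConfidential = [bool]($attr.searchFlags -band 0x80)
"msFVE-RecoveryPassword confidential flag set: $isConfidential"

# One ACE: ReadProperty + ExtendedRight (CONTROL_ACCESS), scoped to the single
# attribute and inherited only by msFVE-RecoveryInformation child objects.
$sid    = (Get-ADGroup -Identity $GroupName).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $sid, $rights,
              [System.Security.AccessControl.AccessControlType]::Allow,
              $attrGuid,
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
              $classGuid)

$path = "AD:\$TargetOU"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Audit: list every ACE on the OU that targets the recovery password attribute.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Scoping the ACE to one attribute and one object class keeps the group from gaining CONTROL_ACCESS over other confidential attributes or extended rights on the computer objects themselves.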