Ondřej Doležal
asked on
BitLocker recovery information retrieval
Hello,
We are using a VBS script (downloaded from Microsoft) to retrieve recovery information stored in AD.
The script works well under an admin account but not under the SYSTEM account.
All rights delegation for BitLocker is done (we also put the computer account(s) into the AD group where the working admin account is present).
Script:
Set objDSO = GetObject("LDAP:")
' GetStrPathToComputer and strComputerName are defined earlier in the Microsoft sample this fragment is taken from
strPathToComputer = GetStrPathToComputer(strComputerName)
WScript.Echo
WScript.Echo "Accessing object: " & strPathToComputer & " to compare found ID and PWD with Active Directory"
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
' ----------------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' ----------------------------------------------------------------------------------------
' Get all the recovery information child objects of the computer object.
' Empty user name and password = bind as the caller (the computer account when run as SYSTEM),
' so that account needs the delegated read right on the msFVE-RecoveryInformation children.
Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
' Only meaningful after On Error Resume Next; without it a failed bind aborts the script above
WScript.Echo Err.Number
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
' Iterate through each recovery information object
For Each objFveInfo In objFveInfos
    strName = objFveInfo.Get("name")
    strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
    ' ConvertOctetGuidToHexString (octet string -> "{GUID}") is also defined in the Microsoft sample
    strRecoveryGuid = ConvertOctetGuidToHexString(strRecoveryGuidOctet)
    strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
    WScript.Echo
    WScript.Echo "name: " & strName
    WScript.Echo "msFVE-RecoveryGuid: " & strRecoveryGuid
    WScript.Echo "msFVE-RecoveryPassword: " & strRecoveryPassword
    If Len(strRecoveryGuid) <> 38 Then
        WScript.Echo "WARNING: '" & strRecoveryGuid & "' does not appear to be a valid GUID."
    End If
    ' vKeyProtectorID and numPWD hold the ID and numerical password read from the local volume earlier in the script
    If strRecoveryGuid = vKeyProtectorID Then
        If strRecoveryPassword = numPWD Then
            WScript.Echo "Correct ID And PWD found"
            WScript.Quit 0
        End If
    End If
Next
It seems that objFveInfos is empty when the script is started under the SYSTEM account.
Do you have any idea?
Thanks
A rather special question. May I ask why you wrote this? When I need recovery info, I take it right from the BitLocker tab of the computer object.
ASKER
We are preparing an automated script which will compare the current BitLocker numerical password against AD and, if it does not match, inform us.
The script will run via SCCM under the SYSTEM account, as users don't have access to these objects.
And mainly, we met several PCs which were encrypted but whose recovery information was not stored in AD (probably due to a GPO problem).
Please look into this guide:
BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixA
In the section Appendix A: Delegating Permission you will find information on how to delegate permissions to users who are not domain administrators and want to read BitLocker recovery passwords.
ASKER
As I wrote, delegation is set. We are using an AD group which can access this information, and users from this group can use the script while computers (members of the same group) can't.
I would choose a different, easier route to ensure the keys are backed up to AD: simply use a startup script (manage-bde...) to back them up again. You could write to a file if that somehow fails.
ASKER
This is also a possibility, but we prefer to save recovery keys only if they don't match; that's why we are trying to develop a compare script, and we posted this question because we are facing the above problem.
In other words, you want a challenge, not a quick solution...? Ok.
Then I would use manage-bde again (batch) and not vbscript.
ASKER
Yes, no need for a quick solution, but a solution which will lead to our goal: compare the stored recovery key with the actual one on the PCs.
Do you have any idea how to query AD for the stored recovery key by batch? I know how to obtain the password and its ID via batch, but I'm a little bit afraid about querying the ms-FVE object. DSQuery? Or another tool?
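An added example (not code from this thread, nor the Microsoft sample) of the compare the asker describes, done in PowerShell instead of batch/VBScript: it parses manage-bde output, queries the msFVE-RecoveryInformation children of the computer object through System.DirectoryServices (which binds as the computer account when run as SYSTEM, so that account needs the delegated read right), and reports status only, never the password. Function names, the sample manage-bde output and the volume letter C: are constructed assumptions.

```powershell
# Constructed sample of "manage-bde -protectors -get C: -type RecoveryPassword" output (not a real key)
$SampleManageBde = @"
Volume C: [OS]
All Key Protectors
    Numerical Password:
      ID: {0F4A3D2C-1111-2222-3333-444455556666}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888
"@

function ConvertFrom-ManageBdeProtectors {
    param([string]$Text)
    # Pair each "ID: {guid}" with the 48-digit numerical password that follows it
    $pattern = 'ID:\s*(\{[0-9A-Fa-f-]{36}\})\s+Password:\s+(\d{6}(?:-\d{6}){7})'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        [pscustomobject]@{ Id = $m.Groups[1].Value.ToUpper(); Password = $m.Groups[2].Value }
    }
}

function Get-AdRecoveryInfo {
    param([string]$ComputerDn)
    # msFVE-RecoveryInformation objects are children of the computer object; under SYSTEM this
    # binds as the computer account, which must hold the delegated read right on those children
    $searcher = [adsisearcher]'(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchRoot  = [adsi]"LDAP://$ComputerDn"
    $searcher.SearchScope = 'OneLevel'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword'))
    foreach ($r in $searcher.FindAll()) {
        # msFVE-RecoveryGuid is an octet string in the same byte order as objectGUID
        $guid = [guid]::new([byte[]]$r.Properties['msfve-recoveryguid'][0])
        [pscustomobject]@{ Id = '{' + $guid.ToString().ToUpper() + '}'; Password = [string]$r.Properties['msfve-recoverypassword'][0] }
    }
}

function Compare-RecoveryInfo {
    param([object[]]$Local, [object[]]$Stored)
    # Report status only; never echo the password itself into SCCM logs
    foreach ($p in $Local) {
        $hit = $Stored | Where-Object { $_.Id -eq $p.Id }
        if (-not $hit) { "MISSING  $($p.Id): not in AD, run manage-bde -protectors -adbackup C: -id $($p.Id)" }
        elseif ($hit.Password -ne $p.Password) { "MISMATCH $($p.Id): stored password differs from the local one" }
        else { "OK       $($p.Id)" }
    }
}

# Live use on a domain-joined machine (e.g. under SYSTEM via SCCM):
#   $dn    = ([adsisearcher]"(sAMAccountName=$env:COMPUTERNAME`$)").FindOne().Properties['distinguishedname'][0]
#   $local = ConvertFrom-ManageBdeProtectors (manage-bde -protectors -get C: -type RecoveryPassword | Out-String)
#   Compare-RecoveryInfo -Local $local -Stored (Get-AdRecoveryInfo -ComputerDn $dn)
# Offline demonstration on the constructed sample with nothing stored in AD: reports MISSING
Compare-RecoveryInfo -Local (ConvertFrom-ManageBdeProtectors $SampleManageBde) -Stored @()
```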
ASKER CERTIFIED SOLUTION
Great.
But I still wonder why anyone would care that the keys mismatch instead of simply saving them again correctly.
ASKER
Active Directory rights delegation replication took longer than expected. Now our script works well under the SYSTEM account.