Bitlocker recovery information retrievement

Hello,
we are using a vbs script (downloaded from Microsoft) to retrieve Recovery information stored in AD.
The script is working well under admin account but not under SYSTEM account.

All rights delegation for Bitlocker are done (AD group where the working admin account is present we put also the computer account/s)

Script:
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer (strComputerName)
 
 WScript.echo
 WScript.Echo "Accessing object: "  + strPathToComputer  & " to compare found ID and PWD with Active Directory"
 
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
 
 
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' -------------------------------------------------------------------------------
 
' Get all the recovery information child objects of the computer object
 
Set objFveInfos = objDSO.OpenDSObject (strPathToComputer, vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING +  ADS_USE_SIGNING)

wscript.echo err
 
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
 
' Iterate through each recovery information object  

      
For Each objFveInfo in objFveInfos
 
      strName = objFveInfo.Get("name")
 
      strRecoveryGuidOctet = objFveInfo.Get("msFVE-RecoveryGuid")
      strRecoveryGuid = ConvertOctetGuidToHexString (strRecoveryGuidOctet)
 
      strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
 
      WScript.echo  
      WScript.echo "name: " + strName  
      WScript.echo "msFVE-RecoveryGuid: " + strRecoveryGuid
      WScript.echo "msFVE-RecoveryPassword: " +  strRecoveryPassword
   
 
      If len(strRecoveryGuid) <> 38 Then
      WScript.echo "WARNING: '" &  strRecoveryGuid & "' does not appear to be a  valid GUID."
                    End If

      If strRecoveryGuid = vKeyProtectorID Then
            If strRecoveryPassword = numPWD Then
                  wscript.echo "Correct ID And PWD found"
                  Wscript.Quit 0
            End If
      End If
Next

Seems that objFveInfos  is empty when script is started under SYSTEM account.
Do you have any idea?
Thanks
LVL 2
glavinfoczAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
A rather special question. May I ask why you wrote this? When I need recovery info, I take it right from the Bitlocker tab of the computer object,
0
glavinfoczAuthor Commented:
we are preparing an automated script which will compare current Bitlocker Numerical password against AD and if it will not match it will inform us.
The script will run via SCCM under SYSTEM account as users don't have access to these objects
And mainly, we met several PC who were encrypted and Recovery information was not stored into AD (probably due to GPO problem)
0
BiniekCommented:
Please look into this guide:

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS
http://technet.microsoft.com/en-us/library/cc771778(WS.10).aspx#BKMK_AppendixA

in the section - Appendix A: Delegating Permission  you will find information how to delegate permissions to users who are not domain administrators and want to read BitLocker recovery passwords
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

glavinfoczAuthor Commented:
As I wrote, delegation is set. We are using a AD group which can access these information and users from this group can use the script while Computers (members of the same group) don't.
0
McKnifeCommented:
I would choose a different, easier route to ensure the keys are backed up to AD: simply use a startup script (manage-bde...) to back them up again. You could write to a file if that somehow fails.
0
glavinfoczAuthor Commented:
This is also possibility but we prefer to save Recovery keys only if they don't match, that's why we are trying to develop a compare script and we posted this question as we are facing above problem
0
McKnifeCommented:
In other words, you want a challenge, not a quick solution...? Ok.
Then I would use manage-bde again (batch) and not vbscript.
0
glavinfoczAuthor Commented:
Yes, no need quick solution, but solution which will lead to our goal - compare stored Recovery key with actual one on the PCs.

Do you have any idea how to query AD for stored recovery key by batch? I know how to obtain pasword and its ID via batch but Im little bit affraid about querying ms-FVE object. DSQuery? or other tool?
0
glavinfoczAuthor Commented:
Today, I realized that it started to work even under SYSTEM account. So, probably only AD replication with rights delegation took little bit longer than expected.
Anyway Thank you for your time and proposals.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeCommented:
Great.
But I still wonder why anyone would care that the keys mismatch instead of simply saving them again correctly.
0
glavinfoczAuthor Commented:
Active Directory Right delegation replication took longer than expected. Now our script works well under SYSTEM account
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.