Skip to main content

AD Bitlocker Recovery with Quest tools

It has been a while since I have posted anything, mainly due to changing jobs and the time spent with my ever growing family.  This is not to say that I have not been keeping up with scripting development...far from it!

I had an interesting one today where a request came in for the following :
“I need the bitlocker recovery password for a deleted computer object”
As my current environment does not support the AD cmdlets, I looked to the quest tool set and was pleasantly surprised. Here is what I came up with, commented in line...

#for easy editing, define the computername that has been deleted

$compname = "ABC12345"

#search AD including Deleted objects (-tombstone) for recovery information objects and filter where the last known parent contains the computer name. Then just return the password
$recoverykey = Get-QADObject -Tombstone -Type "msFVE-RecoveryInformation" -SizeLimit 0 -Includedproperties msFVE-RecoveryPassword -SearchRoot "CN=Deleted Objects,DC=domain,DC=com" | ? {$_.lastknownparent -like "*$compname*"} | select msFVE-RecoveryPassword

#display the password
$recoverykey
Please note that you do need to be Domain Admin (or equivalent) to be able to read the Deleted Objects Container.

I will try to post a few more things soon as I have been doing some quite interesting stuff!

cheers

Adam
Labels:

Comments

  1. AnonymousDecember 8, 2010 at 10:35 PM

    Interested in why the recovery password was needed for a computer account that had been deleted?

    ReplyDelete
  2. Adam StoneDecember 14, 2010 at 11:20 PM

    If a computer object is removed by accident and the hard drive is still encrypted, you would need the recovery key to boot the PC.

    ReplyDelete
  3. AnonymousJune 22, 2011 at 11:53 PM

    I've changed the OU to get the recovery password for an active computer but I am not getting anything printed. Any idea?

    ReplyDelete
  4. AnonymousJuly 1, 2011 at 2:45 AM

    the {$_.lastknownparent -like "*$compname*"} will not work for a live computer account.

    you can use {$_.ParentContainer -like "*$compname*"} but a more efficient way for a single computer object would be to set the searchroot to the computer object DN. eg :
    -searchroot "cn=$compname,ou=compOU,dc=domain,dc=com".

    regards

    Adam

    ReplyDelete

Post a Comment

Popular posts from this blog

Enable Powershell Remoting (WinRM) via Group Policy

I have been doing some testing on enabling WinRM via group policy, being that WinRM is the service that Powershell v2 sets up it remoting capabilities. Here are the GPO settings that you need to configure WinRM .... set the winrm service to auto start Computer Configuration \ Policies \ Windows Settings \ Security Settings \ System Services Windows Remote Management (WS-Management)  set Startup Mode to Automatic start the service incorporated in to the above - you may need a restart. create a winrm listener Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service / Allow automatic configuration of listeners IPv4 filter: * * is listen on all addresses, or if you only want a particular IP address to respond use an iprange eg 10.1.1.1-10.1.1.254 - don't forget that this IP range has to be valid for all hosts that fall in the scope of the GPO you are creating.  You can use 1...
2 comments
Read more

Assigning Permissions - AGDLP

AGDLP It seems I have been mildly distracted away from the title of this blog site.   It does say AD Admin, but I seem to have been taken away by file system stuff.   I have to say, it has all been worthwhile, but it’s probably time I got back to the real heart of what I do. There are probably a million permission assigning advice pages, but I thought I would put another one out there after referring to AGDLP in my last post. So, what is this all about – AGDLP.   Well, it is something I learned in my MCSE 2003 studies and has become ingrained into my ideals since.   As a contractor, I get to move job often.   This enables me to forge opinions on how to configure things in a domain, and more importantly how NOT to configure things. AGDLP is definitely on the to do list…for anyone in any size domain or forest, as it follows some very basic principals.   I will explain these whilst I go through what AGDPL stands for. A A is for...
2 comments
Read more

Finding out what 'SearchFlags' are set on you AD attributes

Whilst doing some research into indexed attributes, I posted this  a while back on how to find your index attributes.  Since then, I have looked a little deeper into what indexing really means and found this excellent explanation on the numbers that can be found in the searchflags attribute of a schema object. Using Florian’s reference, I built the following script (which is both powershell v1 and v2 compatible) to get the schema attributes from the forest schema and return (among other things) the breakdown of your attributes search flags. $forest = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest() $schema = [ADSI]('LDAP://CN=Schema,CN=Configuration,dc=' + ($($forest).name -replace "[.]",",dc=")) $attributes = $schema.psbase.children | where {$_.objectClass -eq "attributeSchema"} $collection = @() foreach ($attr in $attributes){ $store = "" | select "Name","lDAPDisplayName","singlev...
2 comments
Read more