
PENDING How to Query AD for BitLocker Details


juannabis

Hello,
I want to obtain Bitlocker details from AD, but I need some help ...
This is the script:

$DN = Get-ADComputer $Computer -server florida.personal.urjc.es | Select-Object -ExpandProperty DistinguishedName
$ADobj = Get-ADobject -Filter {objectclass -eq ‘msFVE-RecoveryInformation’} -SearchBase $DN -Properties ‘msFVE-RecoveryPassword’ | Select-Object Name,msFVE-RecoveryPassword


And this is the result:

Get-ADobject : Error parsing query: 'objectclass -eq ‘msFVE-RecoveryInformation’' Error Message: 'syntax error' at position: '17'.
At line:5 char:10
+ $ADobj = Get-ADobject -Filter {objectclass -eq ‘msFVE-RecoveryInforma ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADObject], ADFilterParsingException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADObject


What do I need to execute this script?

Thank you.
 
I execute this sentence:

Get-ADComputer $objComputer -server $serverName | Get-ADObject -pr * | Select-Object name, msFVE-REcoveryPassword, whencreated

This is my result:

name msFVE-REcoveryPassword whencreated
---- ---------------------- -----------
MP-5CG0326N28 08/02/2022 10:09:55
 
I execute another script:

$BitLockerObjects=Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $objComputer.distinguishedName -Properties msFVE-RecoveryPassword,whenCreated | Sort whenCreated -Descending | Select -First 1 | Select -ExpandProperty whenCreated

The result:

Get-ADObject : A referral was returned from the server
At line:1 char:19
+ ... ckerObjects=Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInfo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-ADObject], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.GetADObject


Thank you.
 
Try this https://askgarth.com/blog/how-to-query-ad-for-bitlocker-details/
 
Hello,
I tried your post, but I think I need more permissions in my AD, is it possible? Or do I need some configuration ... I don't know.
Thank you.
 
$DN = Get-ADComputer $Computer -server $servidorName | Select-Object -ExpandProperty DistinguishedName

$ADobj = Get-ADobject -Filter {objectclass -eq ‘ms-FVE-RecoveryInformation’} -SearchBase $DN -Properties ‘ms-FVE-RecoveryPassword’ | Select-Object Name, msFVE-RecoveryPassword

$ADobj



Get-ADobject : One or more properties are invalid.
Parameter name: ms-FVE-RecoveryPassword
At line:5 char:10
+ $ADobj = Get-ADobject -Filter {objectclass -eq "ms-FVE-RecoveryInform ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADObject], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADObject
 
To be clear, you have extended AD to store the Bitlocker PW? e.g. the attributes exist in AD?
 
I have the solution ...

I need to execute the script on a machine in the same domain as the computers.

Thank you.
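
Added example, not part of any post in this thread: a PowerShell function that avoids the three errors shown above by using straight quotes in the filter, the LDAP attribute name msFVE-RecoveryPassword, and the same -Server on both queries (an alternative to running from a machine in the computers' domain). The function name, the -IncludePassword switch and the names in the usage comment are placeholders chosen for this example.

```powershell
#Requires -Modules ActiveDirectory

function Get-BitLockerRecoveryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Domain or domain controller that holds the computer account.
        [Parameter(Mandatory)] [string] $Server,
        # Recovery passwords are secrets: only emit them when asked to.
        [switch] $IncludePassword
    )

    # Resolve the computer object in the named domain.
    $computer = Get-ADComputer -Identity $ComputerName -Server $Server -ErrorAction Stop

    $query = @{
        # Straight ASCII quotes: curly quotes pasted from a web page cause
        # the "syntax error at position 17" filter parsing failure.
        Filter      = "objectClass -eq 'msFVE-RecoveryInformation'"
        # Recovery objects are stored beneath the computer object.
        SearchBase  = $computer.DistinguishedName
        # Same server as above, so the search base belongs to the domain
        # being queried and no referral is returned.
        Server      = $Server
        # LDAP display name (msFVE-...), not ms-FVE-..., which is rejected
        # with "One or more properties are invalid".
        Properties  = 'msFVE-RecoveryPassword', 'whenCreated'
        ErrorAction = 'Stop'
    }
    $keys = @(Get-ADObject @query | Sort-Object whenCreated -Descending)

    if ($keys.Count -eq 0) {
        Write-Warning "No msFVE-RecoveryInformation objects found under $($computer.DistinguishedName)."
        return
    }

    foreach ($key in $keys) {
        $password = $key.'msFVE-RecoveryPassword'
        [pscustomobject]@{
            Computer         = $computer.Name
            Created          = $key.whenCreated
            RecoveryObject   = $key.Name
            # False here can mean the account may not read the attribute.
            PasswordReadable = -not [string]::IsNullOrEmpty($password)
            RecoveryPassword = if ($IncludePassword) { $password } else { '<hidden>' }
        }
    }
}

# Usage (placeholder names):
# Get-BitLockerRecoveryInfo -ComputerName 'PC-EXAMPLE' -Server 'dc.example.com'
```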
 
