Author Posts

August 4, 2016 at 5:37 pm

I am not sure how to get this worked out. I have a powershell script that gets all computers in OU that have a bitlocker key. I am trying to get all keys if they have one or not . I can not find on what to adjust . I have tried if statements and everything.

So if the computer has a key I want the computer name and key. Then i want computer and show blank space or no key if there is no bitlocker key .

Add-PSSnapin Quest.ActiveRoles.ADManagement



$SecurePassword=Convertto-SecureString –String $MyClearTextPassword –AsPlainText –force

$Creds=New-object System.Management.Automation.PSCredential $MyUsernameDomain,$SecurePassword

#Prompt for AD user to use
#Connect to DC
Connect-QADService -service ""  -credential $Creds
#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport2.csv"
#Create array 
$export = @()
#Export computers not Bitlocker-enabled to a CSV-file
$BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties Name,DN,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {
#Create custom object
$computerobj = New-Object -TypeName psobject
#Add name
$computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
#$computerobj | Add-Member -MemberType NoteProperty -Name "msFVE-RecoveryPassword" -Value $_."msFVE-RecoveryPassword"
$computerobj | Add-Member -MemberType NoteProperty -Name DN -Value $_."DN" 

$export += $computerobj
#Export the array with computerinformation to the user-specified path
$export  |select -Unique Name , @{N="OU";E={$_.DN.Split(',')[2,3]}}  | sort Name| Export-Csv -Path $CsvFilePath -NoTypeInformation

  • This topic was modified 2 years ago by  matthew moore.
  • This topic was modified 2 years ago by  matthew moore. Reason: take out user info
  • This topic was modified 2 years ago by  matthew moore.

August 4, 2016 at 10:50 pm

I dislike empty arrays and adding to them, almost never necessary. I also detest quest. Is this an old script you had laying around?

you might include a searchbase for your computers ou's

$bitlockerinfo = get-adcomputer -filter * |% {

$blinfo = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties msfve-recoverypassword


computer = $
key = $blinfo.msfve-recoverypassword




August 4, 2016 at 11:21 pm

Actually it is an old script i used at another company. I then just modify what i want. I will test your script and see what i get. i was wanting to pull OU info and OS system too. That is why i made it an empty so i could put what i wanted. But i am always willing to learn new ways to do things.

August 4, 2016 at 11:30 pm

i got this error. I kind of see what you are doing . I will have to add the DN and other stuff I had collected in orignal script as i needed that.

not sure where to go on error as i am a tad fuzzy on how you are pulling the bitlocker key

At line:26 char:20
+ key = $blinfo.msfve-recoverypassword
+ ~~~~~~~~~~~~~~~~~
Unexpected token '-recoverypassword' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

August 4, 2016 at 11:35 pm

oh I always forget the hyphen in the property name. Enclose it in single qoutes. $blinfo.'msfve-recoverypassword'

The recovery info is an object under the computer that you can't see in ADUC so we use the distinguishedname of the computer as the searchbase.

August 5, 2016 at 12:09 am

man I must be off tonight. i still can not wrap my head around how you are getting some of the info. I guess I have been using quest too long. I am trying to grab the operatingsystem, and model but failing. My thinking is that bitlockerinfo has it all because of the filter * . Am i wrong ? I pasted the results as I find it funny it is only giving me DN only when it has a key ...

I am sorry for newbie questions but lost on how this is working.

Import-Module ActiveDirectory



$SecurePassword=Convertto-SecureString –String $MyClearTextPassword –AsPlainText –force

$Creds=New-object System.Management.Automation.PSCredential $MyUsernameDomain,$SecurePassword

#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport2.csv"

$bitlockerinfo = get-adcomputer -credential $Creds -filter * |% {

$blinfo = get-ADObject -credential $Creds -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties DistinguishedName,OperatingSystem,msfve-recoverypassword


computer = $
OU = $blinfo.'DistinguishedName'
OS = $bitlockerinfo.'OperatingSystem'
key = $blinfo.'msfve-recoverypassword'
#model = $bitlockerinfo.''



$bitlockerinfo |select -Unique Computer , @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,key  | sort Computer| Export-Csv -Path $CsvFilePath -NoTypeInformation
Computer               OU                   OS                        Key                                          Model

550ACB-4441		                System.Object[]	
550ACB-4442		                System.Object[]	
550ACB-4443		                System.Object[]	
550ACB-4551		                System.Object[]	
550ACB-4904	OU=Computers OU=ACB	System.Object[]	175175-376640-309111-341847-554202-390599-106645-104137
550ACB-4905	OU=Computers OU=ACB	System.Object[]	455048-446644-615450-521631-515713-002431-600864-128667
550ACB-4906	OU=Computers OU=ACB	System.Object[]	181027-201608-168696-592878-665456-054516-361405-257114

  • This reply was modified 2 years ago by  matthew moore. Reason: remove domain info

August 5, 2016 at 12:34 am

Hopefully this makes more sense.

$computers = get-adcomputer -filter * -properties operatingsystem

$bitlockerinfo = foreach($computer in $computers){

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname -properties msfve-recoverypassword


computer = $
os = $computer.operatingsystem
key = $key.'msfve-recoverypassword'




  • This reply was modified 2 years ago by  Dan Potter.
  • This reply was modified 2 years ago by  Dan Potter.
  • This reply was modified 2 years ago by  Dan Potter.

August 5, 2016 at 1:11 am

Thank you so much for your help. I am almost there. I still am trying to get the model number but the code written this way makes more sense. I did get an error though. I am just so close with your help. Thank you.

Get-ADObject : Cannot validate argument on parameter 'SearchBase'. The argument is null. Provide a valid value for the argument, and then 
try running the command again.
At line:18 char:94
+ ... -Recoverypassword=*)" -Searchbase $computer.distinguishedname -proper ...

I thought of adding searchbase as OU = Main but still errors. Well it does not error just hangs and does not look like it is doing anything. I think that is one good thing about quest tools. I could see the progress bar LOL

Here is code . I tried grabbing description too.

get-adcomputer -filter * -properties operatingsystem

#Custom variables
$CsvFilePath = "C:\BitLockerComputerReport2.csv"

$bitlockerinfo = foreach($computer in $computers){

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase "OU=xxx,dc=xxx,dc=xxx,dc=xxx" -properties canonicalname,description,msfve-recoverypassword


computer = $
os = $computer.operatingsystem
key = $key



$bitlockerinfo |select -Unique Computer , @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,description,key  | sort Computer| Export-Csv -Path $CsvFilePath -NoTypeInformation

August 5, 2016 at 10:35 am

The searchbase for your computers is the top line.

The searchbase for the bitlockerkey is the dn of the computer.

August 6, 2016 at 7:11 pm

i am still having some issues if someone would like to help. I get no results at all.

get-adcomputer -SearchBase "ou=xx,dc=xx,dc=xx,dc=org"  -filter * -properties operatingsystem

#Custom variables
$CsvFilePath = "C:\BitLockerComputerReporttest.csv"

$bitlockerinfo = foreach($computer in $computers){

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase "ou=xx,dc=xx,dc=xx,dc=org" -properties canonicalname,description,msfve-recoverypassword


computer = $
os = $computer.operatingsystem
key = $key
ou= $bitlockerinfo.distiguishedname



$bitlockerinfo |select -Unique Computer, @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,description,key  | sort Computer| Export-Csv -Path $CsvFilePath -NoTypeInformation

August 8, 2016 at 1:53 pm

again, the searchbase for the recovery info object is $computer.distinguishedname.

get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname

Don't modify the script I gave you until you understand what's going on, you can't just substitute variables and expect them to work. ou= $bitlockerinfo.distiguishedname is not going to give you anything.

#enter one computername with known recovery info.

$computer = 'mypc01'

$i = get-adcomputer $computer -properties operatingsystem

$key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $i.distinguishedname -properties canonicalname,description,msfve-recoverypassword


August 8, 2016 at 2:13 pm

The code above works when they have a key. It errors out with a computer no key. I am sorry about getting confused. It did not pull description at all. I know in AD it has it as description. I really am not this stumped as i have two scripts working now but using excel to match the info up. Is there a way to paypal you something for your troubles.

i am not seeing how to attach pics. Here is what it says

6/6/2016 – cv27560 – Satellite C55-A

August 8, 2016 at 3:00 pm

The last was an example of how we return objects and their properties. Now, when a property doesn't have a value and we use the pscustomobject the value will be blank.

$computer = get-adcomputer mypc -properties operatingsystem,description

#properties of object

[pscustomobject]@{desc=$computer.description;name = $;os=$computer.operatingsystem}

August 9, 2016 at 5:26 pm

Oh i understand now Dan . Thank you so much. Now I understand more on how to do it. I will go ahead and try to finish writing it to get all computers in certain OU.

August 10, 2016 at 3:12 am

Ha i wish i had sheer boredom and could write something like that. i think i understand everything now. I will put together bitlocker info and computer info in one script now. Thank you. I wish i could be as good as you one day.