bitlocker get blank keys


This topic contains 15 replies, has 2 voices, and was last updated by matthew moore 3 months, 3 weeks ago.

  • #49318
    matthew moore
    Participant

    I am not sure how to get this worked out. I have a PowerShell script that gets all computers in an OU that have a BitLocker key. I am trying to get all keys, whether they have one or not. I cannot find what to adjust. I have tried if statements and everything.

    So if the computer has a key, I want the computer name and key. Then I want the computer and a blank space or "no key" if there is no BitLocker key.

    Add-PSSnapin Quest.ActiveRoles.ADManagement

    $MyDomain='domain'
    $MyClearTextUsername='user'
    $MyClearTextPassword='password'

    $MyUsernameDomain=$MyDomain+'\'+$MyClearTextUsername

    $SecurePassword=ConvertTo-SecureString -String $MyClearTextPassword -AsPlainText -Force

    $Creds=New-Object System.Management.Automation.PSCredential $MyUsernameDomain,$SecurePassword

    #Prompt for AD user to use
    #$Creds=Get-Credential

    #Connect to DC
    Connect-QADService -service "domain.org:389" -credential $Creds

    #Custom variables
    $CsvFilePath = "C:\BitLockerComputerReport2.csv"

    #Create array
    $export = @()

    #Collect the msFVE-RecoveryInformation objects (one per escrowed key); the computer is the parent container
    $BitLockerEnabled = Get-QADObject -SizeLimit 0 -IncludedProperties Name,DN,ParentContainer,msFVE-RecoveryPassword | Where-Object {$_.type -eq "msFVE-RecoveryInformation"} | Foreach-Object {

        #Create custom object
        $computerobj = New-Object -TypeName psobject

        #Add name (leaf of the parent container = computer name)
        $computerobj | Add-Member -MemberType NoteProperty -Name Name -Value (Split-Path -Path $_.ParentContainer -Leaf)
        #$computerobj | Add-Member -MemberType NoteProperty -Name "msFVE-RecoveryPassword" -Value $_."msFVE-RecoveryPassword"
        $computerobj | Add-Member -MemberType NoteProperty -Name DN -Value $_."DN"

        $export += $computerobj
    }

    #Export the array with computer information to the user-specified path
    $export | select -Unique Name , @{N="OU";E={$_.DN.Split(',')[2,3]}} | sort Name | Export-Csv -Path $CsvFilePath -NoTypeInformation

  • #49358
    Dan Potter
    Participant

    I dislike empty arrays and adding to them; it is almost never necessary. I also detest Quest. Is this an old script you had lying around?

    You might include a SearchBase for your computers' OUs.

    $bitlockerinfo = get-adcomputer -filter * |% {

        $blinfo = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties msfve-recoverypassword

        [pscustomobject]@{
            computer = $_.name
            key = $blinfo.msfve-recoverypassword
        }
    }

    $bitlockerinfo

  • #49360
    matthew moore
    Participant

    Actually, it is an old script I used at another company. I then just modify what I want. I will test your script and see what I get. I was wanting to pull OU info and OS info too. That is why I made it an empty array, so I could put in what I wanted. But I am always willing to learn new ways to do things.

  • #49362
    matthew moore
    Participant

    I got this error. I kind of see what you are doing. I will have to add the DN and other stuff I had collected in the original script, as I needed that.

    Not sure where to go on the error, as I am a tad fuzzy on how you are pulling the BitLocker key.

    At line:26 char:20
    + key = $blinfo.msfve-recoverypassword
    + ~~~~~~~~~~~~~~~~~
    Unexpected token '-recoverypassword' in expression or statement.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

  • #49364
    Dan Potter
    Participant

    Oh, I always forget the hyphen in the property name. Enclose it in single quotes: $blinfo.'msfve-recoverypassword'

    The recovery info is an object under the computer that you can't see in ADUC so we use the distinguishedname of the computer as the searchbase.

  • #49366
    matthew moore
    Participant

    Man, I must be off tonight. I still cannot wrap my head around how you are getting some of the info. I guess I have been using Quest too long. I am trying to grab the operatingsystem and model but failing. My thinking is that $bitlockerinfo has it all because of the filter *. Am I wrong? I pasted the results, as I find it funny it is only giving me the DN when it has a key ...

    I am sorry for the newbie questions, but I am lost on how this is working.

    Import-Module ActiveDirectory

    $MyDomain='xxx'
    $MyClearTextUsername='xxx'
    $MyClearTextPassword='xxx#'

    $MyUsernameDomain=$MyDomain+'\'+$MyClearTextUsername

    $SecurePassword=ConvertTo-SecureString -String $MyClearTextPassword -AsPlainText -Force

    $Creds=New-Object System.Management.Automation.PSCredential $MyUsernameDomain,$SecurePassword

    #Custom variables
    $CsvFilePath = "C:\BitLockerComputerReport2.csv"

    $bitlockerinfo = get-adcomputer -credential $Creds -filter * |% {

        $blinfo = get-ADObject -credential $Creds -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $_.distinguishedname -properties DistinguishedName,OperatingSystem,msfve-recoverypassword

        [pscustomobject]@{
            computer = $_.name
            OU = $blinfo.'DistinguishedName'
            OS = $bitlockerinfo.'OperatingSystem'
            key = $blinfo.'msfve-recoverypassword'
            #model = $bitlockerinfo.''
        }
    }

    $bitlockerinfo | select -Unique Computer , @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,key | sort Computer | Export-Csv -Path $CsvFilePath -NoTypeInformation

    
    Computer     OU                   OS               Key                                                      Model
    550ACB-4441                       System.Object[]
    550ACB-4442                       System.Object[]
    550ACB-4443                       System.Object[]
    550ACB-4551                       System.Object[]
    550ACB-4904  OU=Computers OU=ACB  System.Object[]  175175-376640-309111-341847-554202-390599-106645-104137
    550ACB-4905  OU=Computers OU=ACB  System.Object[]  455048-446644-615450-521631-515713-002431-600864-128667
    550ACB-4906  OU=Computers OU=ACB  System.Object[]  181027-201608-168696-592878-665456-054516-361405-257114
  • #49369
    Dan Potter
    Participant

    Hopefully this makes more sense.

    $computers = get-adcomputer -filter * -properties operatingsystem

    $bitlockerinfo = foreach($computer in $computers){

        $key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname -properties msfve-recoverypassword

        [pscustomobject]@{
            computer = $computer.name
            os = $computer.operatingsystem
            key = $key.'msfve-recoverypassword'
        }
    }

    $bitlockerinfo

  • #49374
    matthew moore
    Participant

    Thank you so much for your help. I am almost there. I am still trying to get the model number, but the code written this way makes more sense. I did get an error, though. I am just so close with your help. Thank you.

    Get-ADObject : Cannot validate argument on parameter 'SearchBase'. The argument is null. Provide a valid value for the argument, and then 
    try running the command again.
    At line:18 char:94
    + ... -Recoverypassword=*)" -Searchbase $computer.distinguishedname -proper ...

    I thought of adding the searchbase as OU = Main, but it still errors. Well, it does not error; it just hangs and does not look like it is doing anything. I think that is one good thing about the Quest tools: I could see the progress bar, LOL.

    Here is the code. I tried grabbing description too.

    get-adcomputer -filter * -properties operatingsystem

    #Custom variables
    $CsvFilePath = "C:\BitLockerComputerReport2.csv"

    $bitlockerinfo = foreach($computer in $computers){

        $key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase "OU=xxx,dc=xxx,dc=xxx,dc=xxx" -properties canonicalname,description,msfve-recoverypassword

        [pscustomobject]@{
            computer = $_.name
            os = $computer.operatingsystem
            key = $key
        }
    }

    $bitlockerinfo | select -Unique Computer , @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,description,key | sort Computer | Export-Csv -Path $CsvFilePath -NoTypeInformation

  • #49398
    Dan Potter
    Participant

    The searchbase for your computers is the top line.

    The searchbase for the bitlockerkey is the dn of the computer.

  • #49483
    matthew moore
    Participant

    I am still having some issues, if someone would like to help. I get no results at all.

    get-adcomputer -SearchBase "ou=xx,dc=xx,dc=xx,dc=org" -filter * -properties operatingsystem

    #Custom variables
    $CsvFilePath = "C:\BitLockerComputerReporttest.csv"

    $bitlockerinfo = foreach($computer in $computers){

        $key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase "ou=xx,dc=xx,dc=xx,dc=org" -properties canonicalname,description,msfve-recoverypassword

        [pscustomobject]@{
            computer = $_.name
            os = $computer.operatingsystem
            key = $key
            ou= $bitlockerinfo.distiguishedname
            description=$key.description
        }
    }

    $bitlockerinfo | select -Unique Computer, @{N="OU";E={$_.OU.Split(',')[2,3]}},OS,description,key | sort Computer | Export-Csv -Path $CsvFilePath -NoTypeInformation

  • #49563
    Dan Potter
    Participant

    Again, the searchbase for the recovery info object is $computer.distinguishedname.

    get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $computer.distinguishedname

    Don't modify the script I gave you until you understand what's going on; you can't just substitute variables and expect them to work. ou= $bitlockerinfo.distiguishedname is not going to give you anything.

    #enter one computername with known recovery info.
    $computer = 'mypc01'

    $i = get-adcomputer $computer -properties operatingsystem

    $key = get-ADObject -ldapfilter "(msFVE-Recoverypassword=*)" -Searchbase $i.distinguishedname -properties canonicalname,description,msfve-recoverypassword

    $i.name
    $i.operatingsystem
    $key
    $key.'msFVE-Recoverypassword'

  • #49565
    matthew moore
    Participant

    The code above works when they have a key. It errors out with a computer that has no key. I am sorry about getting confused. It did not pull description at all. I know in AD it has it as description. I really am not this stumped, as I have two scripts working now, but I am using Excel to match the info up. Is there a way to PayPal you something for your troubles?

    I am not seeing how to attach pics. Here is what it says:

    6/6/2016 – cv27560 – Satellite C55-A

  • #49569
    Dan Potter
    Participant

    The last was an example of how we return objects and their properties. Now, when a property doesn't have a value and we use the pscustomobject, the value will be blank.

    #object
    $computer = get-adcomputer mypc -properties operatingsystem,description
    $computer

    #properties of object
    $computer.operatingsystem
    $computer.description

    #table
    [pscustomobject]@{desc=$computer.description;name = $computer.name;os=$computer.operatingsystem}
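    Putting the thread's pieces together (computers from an OU, recovery objects searched under each computer's DN, blank key when none is escrowed) as an added example; this is not Dan's or the original poster's script. It assumes the ActiveDirectory module, and the OU path and output file are placeholders. It also handles a case the thread runs into: a computer with several recovery objects, which otherwise exports as System.Object[].

```powershell
# Added example (not from the thread). Reports every computer under an OU with its
# escrowed BitLocker recovery password(s), or a blank value when none is escrowed,
# so machines that could not be recovered from AD stand out.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        # Placeholder: the OU that holds your computer objects
        [Parameter(Mandatory)] [string] $SearchBase
    )

    # OS and description live on the computer object, so read them from Get-ADComputer
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties OperatingSystem, Description

    foreach ($computer in $computers) {
        # Recovery information objects are children of the computer, so the computer's DN
        # is the search base; OneLevel limits the search to those direct children.
        $recovery = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                                  -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                                  -Properties 'msFVE-RecoveryPassword', whenCreated `
                                  -ErrorAction SilentlyContinue |
                      Sort-Object whenCreated -Descending)

        # One computer can own several recovery objects (several volumes, or a re-keyed
        # volume). Joining them keeps the CSV readable instead of writing System.Object[].
        $keys = $recovery | ForEach-Object { $_.'msFVE-RecoveryPassword' }

        [pscustomobject]@{
            Computer    = $computer.Name
            OU          = ($computer.DistinguishedName -split ',', 2)[1]   # parent container
            OS          = $computer.OperatingSystem
            Description = $computer.Description
            KeyCount    = $recovery.Count        # 0 means no key is escrowed in AD
            NewestKey   = if ($recovery.Count -gt 0) { $recovery[0].whenCreated } else { $null }
            Key         = ($keys -join ';')      # blank when nothing is escrowed
        }
    }
}

# Usage (placeholder OU and path): machines with no escrowed key sort first for follow-up
Get-BitLockerEscrowReport -SearchBase 'OU=Computers,DC=example,DC=org' |
    Sort-Object KeyCount, Computer |
    Export-Csv -Path 'C:\BitLockerEscrowReport.csv' -NoTypeInformation
```

    The account running this needs read access to msFVE-RecoveryPassword, which is normally restricted to Domain Admins or a delegated recovery group, so the resulting CSV should be handled as secret material.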

  • #49749
    matthew moore
    Participant

    Oh, I understand now, Dan. Thank you so much. Now I understand more about how to do it. I will go ahead and try to finish writing it to get all computers in a certain OU.

  • #49776
    Dan Potter
    Participant
  • #49782
    matthew moore
    Participant

    Ha, I wish I had sheer boredom and could write something like that. I think I understand everything now. I will put together BitLocker info and computer info in one script now. Thank you. I wish I could be as good as you one day.
