June 19, 2017 at 3:38 pm #73201
I am having some issues trying to retrieve BitLocker information from the DC.
$computer = get-adcomputer computername
Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties "msFVE-RecoveryPassword" | select msFVE-RecoveryPassword
I have used this code twice to successfully retrieve the BitLocker key; the resulting BitLocker keys will be ordered in descending order.
However, recently on the same DC I am unable to retrieve the information. I am able to see the BitLocker information when I open up AD to look it up manually, but running the code recently doesn't return any results, whereas it did before. No errors come up; instead it just returns to the prompt. I have located other code for retrieving the BitLocker key, but this too does not return any information to me; again, it just takes me back to the prompt without any errors.
I am running this query on a Server 2008 R2 Standard which is hosted on a VM.
I would greatly appreciate it if anyone can help.
June 20, 2017 at 1:17 pm #73283
I'd have to look at the specific permissions on that attribute. It's possible some patch changed them so they can't be queried in the same way.
June 26, 2017 at 9:16 am #73639
Thanks for the tip, Don. I looked at a number of patches that had taken place last month on the server. There were a number of security patches for .NET Framework 3.5.1, but I was not able to find the relevant information on the MS site to provide me with more detailed information. I am going to ask the MS community to see what help they can provide.
August 8, 2017 at 9:16 am #76894
OK, I had another look into this. For some reason the code is working on one of the DCs but not on the other, though both DCs are Windows Server 2008 R2 Standard. On both I can see the BitLocker key in the AD GUI, but I am not sure why the PowerShell code works on one DC but not the other, with no errors on the second DC, as mentioned earlier.
I think this thread can be closed. Thanks for replying, Don. :)
August 9, 2017 at 11:59 am #77010
Is there any chance you're running PowerShell as "Admin" on one DC but not the other? In 2008 and above a lot of attributes are hidden unless you run your queries as Admin.
What happens when you target the bad DC from the good DC? Try this (where BADDC is the name of your failing server):
Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties "msFVE-RecoveryPassword" -Server BADDC | select msFVE-RecoveryPassword
Do you get the expected results? How about when you do the opposite and query the good DC from the bad one?
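The cross-DC comparison suggested in this thread can be scripted so the same query runs against each domain controller in one pass. This is an added example, not code from any poster; the function name `Test-BitLockerRecoveryVisibility` and the values `COMPUTERNAME`, `GOODDC` and `BADDC` are placeholders. It reports counts only and never prints the recovery passwords.

```powershell
# Added diagnostic example. COMPUTERNAME, GOODDC and BADDC are placeholders.
Import-Module ActiveDirectory

function Test-BitLockerRecoveryVisibility {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$Server
    )

    # Record who is asking and whether the session is elevated,
    # since running non-elevated was one cause suggested in the thread.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    foreach ($dc in $Server) {
        $row = @{
            Server = $dc; RunAs = $identity.Name; Elevated = $elevated
            RecoveryObjects = $null; PasswordReadable = $null; Error = $null
        }
        try {
            # Resolve the computer on the same DC that is being tested.
            $computer = Get-ADComputer -Identity $ComputerName -Server $dc -ErrorAction Stop
            $found = @(Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' `
                -SearchBase $computer.DistinguishedName `
                -Properties 'msFVE-RecoveryPassword' -Server $dc -ErrorAction Stop)
            # Objects returned versus objects whose password attribute came back populated.
            $row.RecoveryObjects  = $found.Count
            $row.PasswordReadable = @($found | Where-Object { $_.'msFVE-RecoveryPassword' }).Count
        }
        catch {
            # Surface errors instead of silently returning to the prompt.
            $row.Error = $_.Exception.Message
        }
        New-Object PSObject -Property $row
    }
}

Test-BitLockerRecoveryVisibility -ComputerName 'COMPUTERNAME' -Server 'GOODDC', 'BADDC' |
    Select-Object Server, RunAs, Elevated, RecoveryObjects, PasswordReadable, Error |
    Format-Table -AutoSize
```

Run it once from each DC, elevated and non-elevated. A row with `RecoveryObjects` above zero but `PasswordReadable` at zero means the objects are visible while the attribute is not returned to that session; zero for both means the query sees no recovery objects at all on that server.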