Today I was asked to help write a script to get a list of all the computers in our domain and show which ones had their BitLocker keys backed up to AD.
I googled around to find where in AD the information was stored, and proceeded to write this beauty of a script. Feel free to modify as you see fit and let me know if you found it useful.
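# Load AD tools (stop immediately if the ActiveDirectory module / RSAT is not installed,
# otherwise every cmdlet below fails one at a time)
Import-Module ActiveDirectory -ErrorAction Stop

## Initialize Variables
# OU to enumerate; every computer object under it is checked for escrowed recovery information.
$searchBase = "ou=Workstations,dc=mycompany,dc=com"
$MyCount = 0
# Upper bound on the number of computer objects processed (loop protection).
$MaxCount = 5000

## Inform the user what is about to take place
Write-Host "Searching " $searchBase " for computer accounts with bitlocker keys.........."
Write-Host ""

## Create Table - ResultsTable
# One row per recovery-information object found, or one row with empty key columns
# per computer that has none, so every computer in the OU appears in the output.
$ResultsTable = New-Object system.Data.DataTable "ResultsTable"
$col1 = New-Object system.Data.DataColumn ("HostName", [string])
$col2 = New-Object system.Data.DataColumn ("CanonicalName", [string])
$col3 = New-Object system.Data.DataColumn ("RecoveryPassword", [string])
# [void] discards the returned column/row objects instead of parking them in an unused variable.
[void]$ResultsTable.Columns.Add($col1)
[void]$ResultsTable.Columns.Add($col2)
[void]$ResultsTable.Columns.Add($col3)

$computers = Get-ADComputer -SearchBase $searchBase -Filter *
foreach ($computer in $computers) {
    # Recovery information lives in child objects of the computer object, so search
    # beneath the computer's DN for any object that carries a recovery password.
    # @() forces an array so .Count is reliable for zero, one or many results.
    $RecoveryInformation = @(Get-ADObject -LDAPFilter "(msFVE-RecoveryPassword=*)" -SearchBase $computer.DistinguishedName -Properties canonicalname,msfve-recoverypassword)

    if ($RecoveryInformation.Count -eq 0) {
        # No key escrowed for this host: record it with empty key columns.
        [void]$ResultsTable.Rows.Add($computer.Name, "", "")
    }
    else {
        ## Loop through as there may be multiple saved
        foreach ($RecoveryInfo in $RecoveryInformation) {
            [void]$ResultsTable.Rows.Add($computer.Name, $RecoveryInfo.CanonicalName, $RecoveryInfo."msfve-recoverypassword")
        }
    }

    # Loop protection: say so instead of silently truncating the report.
    $MyCount = $MyCount + 1
    if ($MyCount -ge $MaxCount) {
        Write-Warning "Stopped after $MaxCount computers; raise MaxCount to process the rest."
        break
    }
}

## Write txt/csv file
# NOTE: the RecoveryPassword column contains the actual BitLocker recovery passwords in
# clear text, so the CSV is as sensitive as the AD attribute itself. Write it somewhere
# with a restrictive ACL (or drop that column if only "is a key present" is needed).
#$ResultsTable | Out-File bitlockerinfo.txt
$ResultsTable | Export-Csv bitlockerinfo.csv -NoTypeInformation

## Inform the user that processing is complete
Write-Host "processing complete"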