Accessing Bitlocker Recovery information from Active Directory

Problem description

So I am trying to access bitlocker recovery information from AD using C#. I've checked out these links:

And they both suggest (ultimately) an implementation like this:

    public String GetBitlockerKey(string compName)
    {
        string bitlockerPassword = string.Empty;
        DirectoryEntry deEntry = new DirectoryEntry(_path);
        DirectorySearcher searcher = new DirectorySearcher(_path);
        searcher.SearchScope = SearchScope.Subtree;
        searcher.ReferralChasing = ReferralChasingOption.All;

        try
        {
            searcher.Filter = String.Format("(&(objectCategory=Computer)(cn={0}))", compName);
            SearchResult result = searcher.FindOne();
            object recoveryInformation = result.GetDirectoryEntry().Properties["msFVE-RecoveryInformation"].Value;

            if (recoveryInformation != null)
            {
                // Do stuff with recovery information...
            }
            else
            {
                bitlockerPassword = "Failed to find the computer object.";
            }
        }
        catch (Exception e)
        {
            // handle exceptions
            return e.Message;
        }
        return bitlockerPassword;
    }

...but that property doesn't exist: the "msFVE-RecoveryInformation" property. Am I thinking about this wrong? I don't think it's a permissions issue, because I can access the bitlocker keys through AD. Any idea what I'm doing wrong?

Solution

I just completed my own C# script for the purpose of retrieving Bitlocker recovery ID and Keys. I think I see what you're missing.

My steps:

1) Connect and find the Hostname in Active Directory (in your case compName)

2) Take the FindOne() result and do another Active Directory search with the SearchRoot set as the result.path.

    var Result = directorySearcher.FindOne();

    // Search again, rooted at the computer object that FindOne() returned.
    var BTsearch = new DirectorySearcher
    {
        SearchRoot = Result.GetDirectoryEntry(), // without this line we get every entry in AD.
        Filter = "(&(objectClass=msFVE-RecoveryInformation))"
    };

3) From there you can specify the recovery information you are looking for and pull up other properties.

My full script for reference:

using System;
using System.Collections.Generic;
using System.DirectoryServices;

public class AD
{
    public AD()
    {
        // Serverless bind to the current user's domain.
        ActiveDirectory = new DirectoryEntry("LDAP://" + Environment.UserDomainName);
    }

    public DirectoryEntry ActiveDirectory { get; private set; }

    public ADbitLock GetBitLocker(string hostname)
    {
        // Step 1: locate the computer object by its CN.
        DirectorySearcher directorySearcher = new DirectorySearcher(ActiveDirectory);
        directorySearcher.Filter = "(&(objectCategory=computer)(cn=" + hostname + "))";

        var Result = directorySearcher.FindOne();
        if (Result == null)
        {
            throw new ArgumentException("Computer object not found: " + hostname);
        }

        // Step 2: search again with the computer object as the SearchRoot.
        // The msFVE-RecoveryInformation objects are children of the computer object,
        // not attributes on it.
        var BTsearch = new DirectorySearcher
        {
            SearchRoot = Result.GetDirectoryEntry(), // without this line we get every entry in AD.
            Filter = "(&(objectClass=msFVE-RecoveryInformation))"
        };

        BTsearch.PropertiesToLoad.Add("msfve-recoveryguid");
        BTsearch.PropertiesToLoad.Add("msfve-recoverypassword");

        // Count is 0 when the caller has no read access to the recovery objects.
        var GetAll = BTsearch.FindAll();

        var BT = new ADbitLock(hostname);

        // Step 3: collect the recovery GUID and password of every recovery object.
        foreach (SearchResult item in GetAll)
        {
            if (item.Properties.Contains("msfve-recoveryguid") && item.Properties.Contains("msfve-recoverypassword"))
            {
                var pid = (byte[])item.Properties["msfve-recoveryguid"][0];
                var rky = item.Properties["msfve-recoverypassword"][0].ToString();

                BT.AddKey(pid, rky);
                var lnth = BT.RecoveryKey.Count - 1;

                System.Diagnostics.Debug.WriteLine("Added... " + BT.PasswordID[lnth] + " for: " + BT.RecoveryKey[lnth]);
            }
        }

        return BT;
    }
}

public class ADbitLock
{
    public ADbitLock(string HostName)
    {
        SystemName = HostName;
        PasswordID = new List<string>();
        RecoveryKey = new List<string>();
    }

    public void AddKey(byte[] ID, string Key)
    {
        PasswordID.Add(ConvertID(ID));
        RecoveryKey.Add(Key);
    }

    // Format the 16-byte msFVE-RecoveryGuid as the Password ID shown on the
    // BitLocker recovery screen. The first three groups are little-endian and
    // the remaining bytes are in order, which is exactly the layout that
    // Guid(byte[]) expects, so this equals the byte-by-byte hex concatenation
    // id[3] id[2] id[1] id[0] - id[5] id[4] - id[7] id[6] - id[8] id[9] - id[10..15].
    private string ConvertID(byte[] id)
    {
        return new Guid(id).ToString("D").ToUpperInvariant();
    }

    public string SystemName { get; private set; }
    public List<string> PasswordID { get; private set; }
    public List<string> RecoveryKey { get; private set; }
}

Edit: As commented below by Barry, if you don't have permissions to access BitLocker recovery keys then the FindAll search returns a 0 count.
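The same three steps written as a single lookup, as an added example that is not the answerer's code: the hostname is escaped before it goes into the LDAP filter, a zero-count result is reported as a likely ACL problem rather than "no key", and the key is selected by the Password ID prefix read off the BitLocker recovery screen (assumed to be supplied by the caller as idPrefix). It assumes the same serverless bind to Environment.UserDomainName used in the answer.

```csharp
using System;
using System.DirectoryServices;

public static class BitLockerLookup
{
    // Escape a value placed inside an LDAP filter (RFC 4515) so a hostname like "PC01)(cn=*" cannot widen the search.
    public static string EscapeFilter(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Returns the recovery password whose Password ID starts with idPrefix, or null when none is readable.
    // A computer that exists but has zero visible msFVE-RecoveryInformation children usually
    // means the caller lacks read rights on those objects, not that no key was escrowed.
    public static string FindRecoveryPassword(string hostname, string idPrefix)
    {
        using (var root = new DirectoryEntry("LDAP://" + Environment.UserDomainName))
        using (var computerSearch = new DirectorySearcher(root))
        {
            // Step 1: the computer object itself.
            computerSearch.Filter = "(&(objectCategory=computer)(cn=" + EscapeFilter(hostname) + "))";
            SearchResult computer = computerSearch.FindOne();
            if (computer == null)
                throw new ArgumentException("Computer object not found: " + hostname);
            // Step 2: recovery objects are direct children, so search one level under it.
            using (var computerEntry = computer.GetDirectoryEntry())
            using (var keySearch = new DirectorySearcher(computerEntry))
            {
                keySearch.SearchScope = SearchScope.OneLevel;
                keySearch.Filter = "(objectClass=msFVE-RecoveryInformation)";
                keySearch.PropertiesToLoad.AddRange(new[] { "msFVE-RecoveryGuid", "msFVE-RecoveryPassword" });
                // Step 3: pick the key by Password ID and read its password attribute.
                using (SearchResultCollection found = keySearch.FindAll())
                {
                    if (found.Count == 0)
                        Console.Error.WriteLine("No readable recovery information under " + hostname + "; check the ACL.");
                    foreach (SearchResult item in found)
                    {
                        var guid = new Guid((byte[])item.Properties["msFVE-RecoveryGuid"][0]);
                        string passwordId = guid.ToString("D").ToUpperInvariant();
                        if (passwordId.StartsWith(idPrefix.ToUpperInvariant(), StringComparison.Ordinal))
                            return (string)item.Properties["msFVE-RecoveryPassword"][0];
                    }
                }
            }
        }
        return null;
    }
}
```

Treat the returned 48-digit password as a secret: hand it to the user who needs it and do not write it to logs or debug output.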
