所以我试图使用C#从AD访问bitlocker恢复信息。我查看了这些链接:
他们都建议(最终)这样的实现:
public String GetBitlockerKey(string compName)
{
string bitlockerPassword = string.Empty;
DirectoryEntry deEntry = new DirectoryEntry(_path);
DirectorySearcher searcher = new DirectorySearcher(_path);
searcher.SearchScope = SearchScope.Subtree;
searcher.ReferralChasing = ReferralChasingOption.All;
try
{
searcher.Filter = String.Format("(&(objectCategory=Computer)(cn={0}))", compName);
SearchResult result = searcher.FindOne();
object recoveryInformation = result.GetDirectoryEntry().Properties["msFVE-RecoveryInformation"].Value;
if (recoveryInformation != null)
{
// Do stuff with recovery information...
}
else
{
bitlockerPassword = "Failed to find the computer object.";
}
}
catch (Exception e)
{
// handle execptions
return e.Message;
}
return bitlockerPassword;
}
...但该属性不存在 - “msFVE-RecoveryInformation”属性。我在想这个错吗?我认为这不是权限问题,因为我可以通过AD访问bitlocker密钥。知道我做错了什么吗?
答案 0 :(得分:2)
我刚刚完成了自己的C#脚本,目的是检索Bitlocker恢复ID和密钥。我想我明白你错过了什么。
我的步骤:
1)在Active Directory中连接并找到主机名(在您的情况下为compName)
2)获取FindOne()结果并执行另一个Active Directory搜索,并将SearchRoot设置为result.path。
var Result = directorySearcher.FindOne();
var Rpath = Result.Path;
var BTsearch = new DirectorySearcher(Rpath)
{
SearchRoot = Result.GetDirectoryEntry(), //without this line we get every entry in AD.
Filter = "(&(objectClass=msFVE-RecoveryInformation))"
};
3)从那里,您可以指定要查找的恢复信息,并提取其他属性。
我的完整脚本供参考:
using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
public class AD
{
public AD()
{
ActiveDirectory = new DirectoryEntry("LDAP://" +
Environment.UserDomainName);
}
public DirectoryEntry ActiveDirectory { get; private set; }
public ADbitLock GetBitLocker(string hostname)
{
var output = new StringBuilder();
DirectorySearcher directorySearcher = new DirectorySearcher(ActiveDirectory);
directorySearcher.Filter = "(&(ObjectCategory=computer)(cn=" + hostname + "))";
var Result = directorySearcher.FindOne();
var Rpath = Result.Path;
var BTsearch = new DirectorySearcher(Rpath)
{
SearchRoot = Result.GetDirectoryEntry(), //without this line we get every entry in AD.
Filter = "(&(objectClass=msFVE-RecoveryInformation))"
};
BTsearch.PropertiesToLoad.Add("msfve-recoveryguid");
BTsearch.PropertiesToLoad.Add("msfve-recoverypassword");
var GetAll = BTsearch.FindAll();
var BT = new ADbitLock(hostname);
foreach (SearchResult item in GetAll)
{
if (item.Properties.Contains("msfve-recoveryguid") && item.Properties.Contains("msfve-recoverypassword"))
{
var pid = (byte[])item.Properties["msfve-recoveryguid"][0];
var rky = item.Properties["msfve-recoverypassword"][0].ToString();
BT.AddKey(pid, rky);
var lnth = BT.RecoveryKey.Count - 1;
System.Diagnostics.Debug.WriteLine("Added... " + BT.PasswordID[lnth] + " for: " + BT.RecoveryKey[lnth]);
}
}
return BT;
}
}
public class ADbitLock
{
public ADbitLock(string HostName)
{
SystemName = HostName;
PasswordID = new List<string>();
RecoveryKey = new List<string>();
}
public void AddKey(byte[] ID, string Key)
{
PasswordID.Add(ConvertID(ID));
RecoveryKey.Add(Key);
}
private string ConvertID(byte[] id)
{
return
id[3].ToString("X02") + id[2].ToString("X02")
+ id[1].ToString("X02") + id[0].ToString("X02") + "-"
+ id[5].ToString("X02") + id[4].ToString("X02") + "-"
+ id[7].ToString("X02") + id[6].ToString("X02") + "-"
+ id[8].ToString("X02") + id[9].ToString("X02") + "-"
+ id[10].ToString("X02") + id[11].ToString("X02")
+ id[12].ToString("X02") + id[13].ToString("X02")
+ id[14].ToString("X02") + id[15].ToString("X02")
;
}
public string SystemName { get; private set; }
public List<string> PasswordID { get; private set; }
public List<string> RecoveryKey { get; private set; }
}
编辑:由Barry在下面评论,如果您无权访问位锁定恢复密钥,则findAll搜索将返回0计数。