I have a query in Active Directory which should return all computers with BitLocker not active, based on this script:
https://community.spiceworks.com/topic/1083065-bitlocker-status-on-all-computers
The script works fine, so the values are there.
But my query is not returning anything.
It looks like this:
(&(&(objectCategory=computer)(objectClass=msFVE-RecoveryInformation)(!(msFVE-RecoveryPassword=*))))
I want to return computers which don't have active BitLocker.
Can someone point me in the right direction as to where the mistake could be? I'm still learning LDAP queries.
//EDIT
So I found out msFVE-RecoveryInformation is an object by itself. When I do:
(&(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*)))
It filters objects with recovery keys, but the name of the computer is coded in the attribute "distinguishedName" like this:
CN=2020-02-10T16:32:51\+01:00{4C74584A-BF6C-4AFA-9E46-582DDFC207A6},CN=NAMEOFNTB,OU=computers,OU=blabla,DC=test,DC=local
Can I somehow filter only computers with this attribute?
Best Answer
You need to read the msDS-ParentDistName attribute in each msFVE-RecoveryInformation object, and then query for those distinguished names to get the computer objects.
Also, this is not a good way to measure this due to:
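Added example, not part of the original answer: a Python version of the join the answer describes, deriving each recovery object's parent DN (the value msDS-ParentDistName exposes) and listing computers that have no msFVE-RecoveryInformation child object. The DN lists are constructed stand-ins for the results of the two LDAP searches, and the function names are hypothetical.

```python
# Constructed sample data standing in for two LDAP searches (not real directory output).
RECOVERY_DNS = [  # DNs of objects matching (objectClass=msFVE-RecoveryInformation)
    r"CN=2020-02-10T16:32:51\+01:00{4C74584A-BF6C-4AFA-9E46-582DDFC207A6},"
    r"CN=NAMEOFNTB,OU=computers,OU=blabla,DC=test,DC=local",
    r"CN=2021-03-01T09:00:00\+01:00{00000000-0000-0000-0000-000000000001},"
    r"CN=PC02,OU=Laptops\, Sales,DC=test,DC=local",
]
COMPUTER_DNS = [  # DNs of objects matching (objectCategory=computer)
    "CN=NAMEOFNTB,OU=computers,OU=blabla,DC=test,DC=local",
    r"cn=pc02,ou=Laptops\, Sales,dc=test,dc=local",  # same object, different case
    "CN=NOKEYPC,OU=computers,OU=blabla,DC=test,DC=local",
]


def parent_dn(dn: str) -> str:
    """Return dn without its first RDN, honouring backslash escapes (\\+ and \\,)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character so an escaped comma is not a separator
            continue
        if dn[i] == ",":
            return dn[i + 1:]
        i += 1
    raise ValueError(f"no parent component in DN: {dn!r}")


def computers_without_recovery_info(computer_dns, recovery_dns):
    """Computers that are not the parent of any recovery-information object."""
    # DNs compare case-insensitively in AD, so normalise before the set lookup.
    parents = {parent_dn(dn).casefold() for dn in recovery_dns}
    return [dn for dn in computer_dns if dn.casefold() not in parents]


if __name__ == "__main__":
    for dn in computers_without_recovery_info(COMPUTER_DNS, RECOVERY_DNS):
        print("no recovery information stored in AD:", dn)
```

The result lists computers with no recovery information stored in the directory, which is what the recovery objects can show; it does not read the encryption state of the disk.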