I am using the Quest AD Cmdlets to pull information about computer accounts and bitlocker recovery information. I am currently using Get-QadComputer to pull the DN and then I am using Get-QADobject with the -searchRoot parameter to find all the child objects of that computer, which will give me the msFVE-RecoveryInformation child objects. What I am wondering is if I can use Get-QadComputer to do the entire query for me in one shot.
How can I use Get-QadComputer to return only computer objects that have msFVE-RecoveryInformation child objects? I was thinking of an LDAP filter, but I'm not sure how that would work for a child object.
Best Answer
I don't believe that this is possible with only one LDAP search, regardless of what type of child object you are looking for. In cases like this I usually try to find if there is an attribute in either the parent or the child that references the other so that I can use that to retrieve the data I want, but in this case there doesn't seem to be.
What might be a better approach than invoking an LDAP search for each computer is this: 1. Use Get-QADObject to enumerate the msFVE-RecoveryInformation objects in your environment, starting from as low of a search root as possible. 2. Build a list of DNs for the parent computer objects using the data retrieved from those objects and store those DNs in an array. 3. Either call Get-QADComputer and use Where-Object to filter out the computers without a DN matching those stored in your array or if there are not many computers that are bitlocker enabled, call Get-QADComputer for each DN in your array to get the computer objects.
FYI, I did a quick Google search for "BitLocker cmdlets" to see if there was an easier way and it returned a go.microsoft.com link to a "Future Resource" document for Windows Server 2008 R2, so maybe these are coming at some point. All that document says for now though is "The document you are attempting to access is not yet available."