Today I had a request from a first-level-admin which need the Bitlocker Recovery Password for a already deleted computer object. Here is what I came up with:
|
1 2 3 4 5 6 |
$compname = "ComputerName" $SearchRoot = "CN=Deleted Objects,DC=domain,DC=local" $recoverykeys = Get-QADObject -Tombstone -Recycled -Type "msFVE-RecoveryInformation" -SizeLimit 0 -Includedproperties msFVE-RecoveryPassword -SearchRoot $SearchRoot | ? {$_.lastknownparent -like "*$compname*"} | select msFVE-RecoveryPassword $recoverykeys |
Please note that you need to be a Domain Admin (or equivalent) to be able to read the Deleted Objects Container. The tombstones will have a lifetime, after their expiration, you can’t access anymore to the recovery passwords.