Bitlocker keys

informatica1
Engaged Sweeper
Hello,

I'm using Lansweeper to report BitLocker keys in AD; however, it only works if the user has Domain Admin rights, something that I don't pretend!

I followed the guide to give the Lansweeper user local admin on machines and Domain User in AD, but with that the BitLocker report is empty...

5 replies

informatica1
Engaged Sweeper
Is it possible to create an account able to retrieve the keys but that doesn't have Domain Admin rights?

It doesn't require Domain Admin rights, just needs permissions to manage computer objects. For example all of our helpdesk staff have access to objects, i.e. so they can move them between OUs, delete or add computers, but they're not members of the Domain Admin group.

SWResearch wrote:
It doesn't require Domain Admin rights, just needs permissions to manage computer objects. For example all of our helpdesk staff have access to objects, i.e. so they can move them between OUs, delete or add computers, but they're not members of the Domain Admin group.



So should I create a group with those permissions, or does Windows already have a pre-created group with those settings?

Thanks

Apologies, I was mixing up the LAPS attribute and BitLocker recovery information; the attribute was msFVE-RecoveryInformation. See the following for details on setting up access: https://kb.wisc.edu/iam/page.php?id=72670
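One way to delegate that access, as an added PowerShell example that is not from this thread or the linked KB article: it grants a dedicated group read access to msFVE-RecoveryInformation child objects under one OU, so a scanning service account placed in that group never needs Domain Admin. The OU path and the group name "BitLocker-Readers" are assumed placeholders, and the check at the end confirms readability without displaying any recovery password.

```powershell
# Added example, not from the thread. Assumed names: replace $ou and $groupName.
Import-Module ActiveDirectory

$ou        = "OU=Workstations,DC=corp,DC=example"   # assumed OU holding the computers
$groupName = "BitLocker-Readers"                     # assumed group for the scanner account

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up the schema GUID of msFVE-RecoveryInformation instead of hard-coding it,
# so the ACE is scoped to exactly that object class.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=msFVE-RecoveryInformation)" -Properties schemaIDGUID
$fveGuid  = [Guid]$fveClass.schemaIDGUID

# Allow GenericRead on descendant objects of that class only (not on the computers
# themselves and not on any other child object).
$acl = Get-Acl -Path "AD:\$ou"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $fveGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verification: run this part as a member of the group. It lists which computers
# expose a readable recovery object but deliberately does not output the password.
Get-ADObject -SearchBase $ou -LDAPFilter "(objectClass=msFVE-RecoveryInformation)" `
    -Properties msFVE-RecoveryPassword |
    Select-Object @{n='Computer';   e={ ($_.DistinguishedName -split ',')[1] -replace '^CN=' }},
                  @{n='Readable';   e={ [bool]$_.'msFVE-RecoveryPassword' }}
```

Members of the group still need the default read and list rights on the computer objects themselves, which Authenticated Users normally hold; if those have been removed in a hardened domain, an additional ACE on the computer class is required.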

SWResearch
Engaged Sweeper II
ccm wrote:
Hello,

I'm using Lansweeper to report BitLocker keys in AD; however, it only works if the user has Domain Admin rights, something that I don't pretend!

I followed the guide to give the Lansweeper user local admin on machines and Domain User in AD, but with that the BitLocker report is empty...


The account requires access to computer objects in AD, in order to access the ms-Mcs-AdmPwd attribute on the computer object.