BitLocker recovery key delegation via PowerShell

nekku6
Hello admins!

In the post "A better way to delegate control for BitLocker recovery keys" by @DerWoWusste we were introduced to an approach that avoids delegating full control to IT Techs who need to be able to find BitLocker recovery keys.

I have a question regarding implementation of the same thing, but in PowerShell.
I work in an education organization that supports 140 schools. One of the MSPs that we're working with services 83 of them.
I need to delegate read permissions for BitLocker keys to their (MSP) IT Tech AD group in the corresponding OUs (domain/Resources/<SchoolCode>/Windows Computers).
The closest I found was the TechNet post that the OP complained about as not working.


I have some PS experience with Exchange Online (the link leads to an O365-related SpiceWorks question of mine that I answered myself), but I'm not sure what to start with in this case.
Please nudge me in the right direction.

Content-Key: 1638502270

Url: https://administrator.pro/contentid/1638502270

Printed on: January 21, 2022 at 00:01 o'clock

Member: DerWoWusste
DerWoWusste Dec 20, 2021 at 08:42:25 (UTC)
Hi.

The confidentiality bit is set using the control access parameter CA.
DSACLS "OU=Test,OU=computers,DC=dom,DC=local" /I:S /G "mydom\helpdesk:CA"
However, when testing that, I did not succeed in limiting this control access to certain attributes only.
Member: colinardo
Solution colinardo Dec 20, 2021 updated at 15:18:34 (UTC)
Hi @nekku6, welcome to administrator.pro!

If you want to create the delegation with pure PowerShell you can do it like this. This will grant read access and set the confidentiality bit on subordinate msFVE-RecoveryInformation objects for a defined OU and user/group.


As @DerWoWusste already mentioned, restricting the extended right to only the attribute msFVE-RecoveryPassword is not possible; it must be delegated to the whole msFVE-RecoveryInformation object.

Regards @colinardo
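The delegation colinardo describes, written out as an added example (this is not the snippet from the post above and not the site's code): one ACE grants read on descendant msFVE-RecoveryInformation objects, a second ACE grants the extended right (control access) on those same objects, which is what lets the group read the confidential msFVE-RecoveryPassword attribute. The class GUID is resolved from the schema at run time instead of being hard-coded. It goes beyond the single OU in the thread by looping over several school OUs. The group name, the school codes and the OU layout are placeholders taken from the question; the script needs the RSAT ActiveDirectory module and an account allowed to modify the ACL of those OUs.

```powershell
# Added example, not code from the thread: delegate read access to BitLocker recovery
# objects (msFVE-RecoveryInformation) below an OU, plus the control-access ACE that is
# required because msFVE-RecoveryPassword is a confidential attribute.
# Requires the RSAT ActiveDirectory module (provides the AD: drive used by Get-Acl/Set-Acl).

Import-Module ActiveDirectory

# Resolve a schemaIDGUID from the schema partition instead of hard-coding it,
# so the value always comes from the forest the script runs in.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [Guid]$obj.schemaIDGUID   # schemaIDGUID is stored as a byte array
}

function Grant-BitLockerRecoveryRead {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,   # distinguishedName of the OU
        [Parameter(Mandatory)][string]$GroupName             # e.g. 'DOMAIN\MSP-ITTechs' (placeholder)
    )
    $recoveryInfoGuid = Get-SchemaIdGuid 'msFVE-RecoveryInformation'
    $identity = [System.Security.Principal.NTAccount]$GroupName
    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"

    # ACE 1: read (properties, list children, read control) on descendant
    # msFVE-RecoveryInformation objects only; the OU itself and other child objects are untouched.
    $readRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $recoveryInfoGuid)

    # ACE 2: extended right (control access) on the same objects. Without it the confidential
    # attribute msFVE-RecoveryPassword stays hidden although read access was granted.
    # [Guid]::Empty as ObjectType = all extended rights of that class, like DSACLS "...:CA".
    $controlRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $recoveryInfoGuid)

    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($controlRule)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $acl
}

# Apply the same delegation to every school OU the MSP services.
# The group, the code list and the OU layout are placeholders based on the question.
$domainDN    = (Get-ADDomain).DistinguishedName
$mspGroup    = 'DOMAIN\MSP-ITTechs'         # placeholder group name
$schoolCodes = @('S001', 'S002', 'S003')    # placeholder for the 83 school codes

foreach ($code in $schoolCodes) {
    $ou = "OU=Windows Computers,OU=$code,OU=Resources,$domainDN"
    Grant-BitLockerRecoveryRead -OrganizationalUnit $ou -GroupName $mspGroup
    Write-Host "Delegated BitLocker recovery read on $ou to $mspGroup"
}
```

Both ACEs use the Descendents inheritance scope with msFVE-RecoveryInformation as the inherited object type, so the group gets nothing on the computer objects themselves. Running the script twice adds duplicate ACEs; check the OU's ACL first if you re-run it.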
Member: DerWoWusste
DerWoWusste Dec 20, 2021 at 13:42:41 (UTC)
Great.
I could confirm this to be working!
Member: nekku6
nekku6 Dec 21, 2021 updated at 02:13:27 (UTC)
Hi @colinardo,
Thank you, that worked for me! It gives all sorts of those additional reading rights, but it should be fine.
Although, I still have a quick question for you on how you found the IDs used in the rule creation. I assume there should be something describing that on docs.ms like they have for Exchange cmdlets' switches, but I'm not sure what to ask for to look it up.

And thank you @DerWoWusste for inspiring me to keep investigating and for introducing me to this site!

BTW, it took less than 2 seconds compared to what I'd imagine would be a tedious whole day of clicking :)
Just in case anyone who's new to PS reads the article and maybe finds this useful, here's my foreach modification for this script.
Member: colinardo
colinardo Dec 21, 2021 updated at 06:44:56 (UTC)
You can find the GUIDs easily in your AD Schema, for example, for the attributes
Or via GUI by opening adsiedit.msc, and connecting to your schema context.
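The schema lookup colinardo points to, done from PowerShell instead of adsiedit.msc, as an added example (not code from this thread): attribute and class GUIDs come from schemaIDGUID in the schema partition, extended rights and property sets from rightsGuid under CN=Extended-Rights in the configuration partition. Because the question was how to find the IDs used in the rule, the example also goes the other way and decodes the GUIDs found in an existing OU ACL back to names, which is a handy way to review what a delegation actually grants. The OU DN in the usage lines is a placeholder; the RSAT ActiveDirectory module is required.

```powershell
# Added example, not code from the thread: look up AD GUIDs by name and decode the
# GUIDs in an OU's ACL back to schema / extended-right names.
# Requires the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

$rootDse          = Get-ADRootDSE
$schemaNC         = $rootDse.schemaNamingContext
$extendedRightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Name -> GUID. Attributes and classes live in the schema partition (schemaIDGUID, bytes);
# extended rights and property sets live under CN=Extended-Rights (rightsGuid, string).
function Get-AdGuidByName {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$n)" -Properties schemaIDGUID
        if ($schemaObj) {
            # ObjectClass is 'attributeSchema' or 'classSchema'
            [PSCustomObject]@{ Name = $n; Kind = $schemaObj.ObjectClass; Guid = [Guid]$schemaObj.schemaIDGUID }
            continue
        }
        $right = Get-ADObject -SearchBase $extendedRightsNC -LDAPFilter "(displayName=$n)" -Properties rightsGuid
        if ($right) {
            [PSCustomObject]@{ Name = $n; Kind = 'controlAccessRight'; Guid = [Guid]$right.rightsGuid }
        } else {
            Write-Warning "No schema object or extended right named '$n'"
        }
    }
}

# GUID -> name map built once from both containers.
function Get-AdGuidMap {
    $map = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase $extendedRightsNC -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[Guid]$_.rightsGuid] = $_.displayName }
    return $map
}

# Decode the explicit (non-inherited) ACEs on an OU so the delegation can be reviewed by name.
function Show-OuDelegationGuids {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)
    $map = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $objectType    = if ($ace.ObjectType -eq [Guid]::Empty) { '(all)' } else { $map[$ace.ObjectType] }
        $inheritedType = if ($ace.InheritedObjectType -eq [Guid]::Empty) { '(all)' } else { $map[$ace.InheritedObjectType] }
        [PSCustomObject]@{
            Identity            = $ace.IdentityReference
            Type                = $ace.AccessControlType
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $objectType       # attribute / class / extended right the ACE applies to
            InheritedObjectType = $inheritedType    # object class the ACE is inherited by
            Inheritance         = $ace.InheritanceType
        }
    }
}

# Usage (DN is a placeholder):
Get-AdGuidByName -Name 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword', 'msFVE-KeyPackage' | Format-Table -AutoSize
Show-OuDelegationGuids -OrganizationalUnit 'OU=Windows Computers,OU=S001,OU=Resources,DC=example,DC=com' | Format-Table -AutoSize
```

An ACE whose ObjectType decodes to a schema attribute with ExtendedRight rights is a control-access grant on that attribute; one whose ObjectType is '(all)' with InheritedObjectType msFVE-RecoveryInformation is the class-wide form the thread ended up with.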