c# - 从 Active Directory 访问 Bitlocker 恢复信息

Question

所以我正在尝试使用 C# 从 AD 访问 bitlocker 恢复信息。我检查了这些链接：

• 如何以编程方式访问 bitlocker 恢复选项卡以备份恢复密码

• http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/70803ee5-bb6b-4b27-a23a-51b4a77805fb/

他们都建议（最终）这样的实现：

 public String GetBitlockerKey(string compName)
    {
        string bitlockerPassword = string.Empty;
        DirectoryEntry deEntry = new DirectoryEntry(_path);
        DirectorySearcher searcher = new DirectorySearcher(_path);
        searcher.SearchScope = SearchScope.Subtree;
        searcher.ReferralChasing = ReferralChasingOption.All;

        try
        {
            searcher.Filter = String.Format("(&(objectCategory=Computer)(cn={0}))", compName);
            SearchResult result = searcher.FindOne();
            object recoveryInformation = result.GetDirectoryEntry().Properties["msFVE-RecoveryInformation"].Value;

            if (recoveryInformation != null)
            {
              // Do stuff with recovery information...
            }
            else
            {
                bitlockerPassword = "Failed to find the computer object.";
            }
        }
        catch (Exception e)
        {
            // handle execptions
            return e.Message;
        }
        return bitlockerPassword;
    }

...但是该属性不存在-“msFVE-RecoveryInformation”属性。我想错了吗？我认为这不是权限问题，因为我可以通过 AD 访问 bitlocker 密钥。知道我做错了什么吗？

Answer 1

我刚刚完成了自己的 C# 脚本，用于检索 Bitlocker 恢复 ID 和密钥。我想我明白你缺少什么了。

我的步骤：

1）连接并在 Active Directory 中找到主机名（在您的情况下为 compName）

2) 获取 FindOne() 结果并使用 SearchRoot 集作为 result.path 进行另一个 Active Directory 搜索。

var Result = directorySearcher.FindOne();

    var Rpath = Result.Path;
    var BTsearch = new DirectorySearcher(Rpath)
    {
        SearchRoot = Result.GetDirectoryEntry(), //without this line we get every entry in AD.
        Filter = "(&(objectClass=msFVE-RecoveryInformation))"
    };

3）从那里您可以指定您正在寻找的恢复信息并拉出其他属性。

我的完整脚本供参考：

using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public class AD
{
    public AD()
    {
        ActiveDirectory = new DirectoryEntry("LDAP://" + 
    Environment.UserDomainName);
    }

public DirectoryEntry ActiveDirectory { get; private set; }

public ADbitLock GetBitLocker(string hostname)
    {
        var output = new StringBuilder();

        DirectorySearcher directorySearcher = new DirectorySearcher(ActiveDirectory);
        directorySearcher.Filter = "(&(ObjectCategory=computer)(cn=" + hostname + "))";

        var Result = directorySearcher.FindOne();

        var Rpath = Result.Path;
        var BTsearch = new DirectorySearcher(Rpath)
        {
            SearchRoot = Result.GetDirectoryEntry(), //without this line we get every entry in AD.
            Filter = "(&(objectClass=msFVE-RecoveryInformation))"
        };

        BTsearch.PropertiesToLoad.Add("msfve-recoveryguid");
        BTsearch.PropertiesToLoad.Add("msfve-recoverypassword");

        var GetAll = BTsearch.FindAll();

        var BT = new ADbitLock(hostname);

        foreach (SearchResult item in GetAll)
        {
            if (item.Properties.Contains("msfve-recoveryguid") && item.Properties.Contains("msfve-recoverypassword"))
            {
                var pid = (byte[])item.Properties["msfve-recoveryguid"][0];
                var rky = item.Properties["msfve-recoverypassword"][0].ToString();

                    BT.AddKey(pid, rky);
                var lnth = BT.RecoveryKey.Count - 1;

                System.Diagnostics.Debug.WriteLine("Added... " + BT.PasswordID[lnth] + " for: " + BT.RecoveryKey[lnth]);
            }
        }

        return BT;


    }
}

public class ADbitLock
{
    public ADbitLock(string HostName)
    {
        SystemName = HostName;
        PasswordID = new List<string>();
        RecoveryKey = new List<string>();
    }

    public void AddKey(byte[] ID, string Key)
    {
        PasswordID.Add(ConvertID(ID));
        RecoveryKey.Add(Key);
    }

    private string ConvertID(byte[] id)
    {
        return
          id[3].ToString("X02") + id[2].ToString("X02")
        + id[1].ToString("X02") + id[0].ToString("X02") + "-"
        + id[5].ToString("X02") + id[4].ToString("X02") + "-"
        + id[7].ToString("X02") + id[6].ToString("X02") + "-"
        + id[8].ToString("X02") + id[9].ToString("X02") + "-"
        + id[10].ToString("X02") + id[11].ToString("X02")
        + id[12].ToString("X02") + id[13].ToString("X02")
        + id[14].ToString("X02") + id[15].ToString("X02")
            ;
    }

    public string SystemName { get; private set; }
    public List<string> PasswordID { get; private set; }
    public List<string> RecoveryKey { get; private set; }
}

编辑：正如 Barry 在下面评论的那样，如果您无权访问 bit-locker 恢复密钥，则 findAll 搜索返回 0 计数。