Bitlocker keys - What permissions are needed to view

Posted: Friday, May 20, 2022 9:04:47 AM(UTC)
ccm Member Original Poster Posts: 3
Hello,

I'm using Lansweeper to report BitLocker keys in AD; however, it only works if the user has domain admin rights, something that I don't intend!

I followed the guide to give the Lansweeper user local admin on machines and domain user in AD, but with that the BitLocker report is empty...
#1 SWResearch Member Posts: 4
posted: 5/20/2022 9:18:58 AM(UTC)
Originally Posted by: ccm
Hello,

I'm using Lansweeper to report BitLocker keys in AD; however, it only works if the user has domain admin rights, something that I don't intend!

I followed the guide to give the Lansweeper user local admin on machines and domain user in AD, but with that the BitLocker report is empty...

The account requires access to computer objects in AD, to access the ms-Mcs-AdmPwd attribute on the computer object.
#2 ccm Member Original Poster Posts: 3
posted: 5/20/2022 9:25:36 AM(UTC)
Is it possible to create an account that is able to retrieve the keys but doesn't have domain admin rights?
#3 SWResearch Member Posts: 4
posted: 5/20/2022 9:43:27 AM(UTC)
It doesn't require Domain Admin rights, just needs permissions to manage computer objects. For example all of our helpdesk staff have access to objects, i.e. so they can move them between OUs, delete or add computers, but they're not members of the Domain Admin group.

#4 ccm Member Original Poster Posts: 3
posted: 5/20/2022 11:04:27 AM(UTC)
Originally Posted by: SWResearch
It doesn't require Domain Admin rights, just needs permissions to manage computer objects. For example all of our helpdesk staff have access to objects, i.e. so they can move them between OUs, delete or add computers, but they're not members of the Domain Admin group.

So should I create a group with those permissions, or does Windows already have a pre-created group with those settings?

Thanks
#5 SWResearch Member Posts: 4
posted: 5/20/2022 1:34:18 PM(UTC)
Apologies, I was mixing up the LAPS attribute and BitLocker recovery information; the attribute was msFVE-RecoveryInformation. See the following for details on setting up access: https://kb.wisc.edu/iam/page.php?id=72670
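
The delegation discussed in this thread, as an added example that is not part of any post and not taken from the linked KB article: it grants a dedicated group read access to msFVE-RecoveryInformation objects under one OU, so the scanning account can be a member of that group instead of Domain Admins. The OU path and group name are placeholders, and the choice of rights (read plus control access, which confidential attributes require) is this example's assumption about what a read-only delegation needs.

```powershell
# Added example: delegate read access to BitLocker recovery objects on one OU.
# $OuDn and $GroupName are placeholders (assumptions); the group must already exist.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

$OuDn      = 'OU=Workstations,DC=example,DC=com'
$GroupName = 'BitLocker-Recovery-Readers'

$group = Get-ADGroup -Identity $GroupName

# Resolve the schema GUID of the msFVE-RecoveryInformation class rather than hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$class = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
if (-not $class) { throw 'msFVE-RecoveryInformation class not found in the schema.' }
$classGuid = [guid]$class.schemaIDGUID

# Read access plus control access (ExtendedRight). The ACE is inherited only by
# descendant objects of class msFVE-RecoveryInformation, not by the computer objects.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ExtendedRight'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list every ACE on the OU that targets recovery-information objects,
# which also shows any other principals that can already read the keys.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.InheritedObjectType -eq $classGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

Running only the final verification pipeline against an OU is a quick audit of who can read recovery keys there without changing anything.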
