Bitlocker keys - What permissions are needed to view

Posted: Friday, May 20, 2022 9:04:47 AM(UTC)
ccm (Member, Original Poster, Posts: 3)
This issue has been solved!
Hello,

I'm using Lansweeper to report BitLocker keys in AD, however it only works if the user has domain admin rights, something that I don't pretend!

I followed the guide to give the Lansweeper user local admin on machines and domain user in AD, but with that the BitLocker report is empty...
#1 SWResearch (Member, Posts: 4)
posted: 5/20/2022 9:18:58 AM(UTC)
Originally Posted by: ccm
Hello,

I'm using Lansweeper to report BitLocker keys in AD, however it only works if the user has domain admin rights, something that I don't pretend!

I followed the guide to give the Lansweeper user local admin on machines and domain user in AD, but with that the BitLocker report is empty...

Account requires access to computer objects in AD, to access ms-Mcs-AdmPwd attribute on the computer object.
#2 ccm (Member, Original Poster, Posts: 3)
posted: 5/20/2022 9:25:36 AM(UTC)
Is it possible to create an account able to retrieve the keys that doesn't have domain admin rights?
#3 SWResearch (Member, Posts: 4)
posted: 5/20/2022 9:43:27 AM(UTC)
It doesn't require Domain Admin rights, just needs permissions to manage computer objects. For example all of our helpdesk staff have access to objects, i.e. so they can move them between OUs, delete or add computers, but they're not members of the Domain Admin group.

#4 ccm (Member, Original Poster, Posts: 3)
posted: 5/20/2022 11:04:27 AM(UTC)
Originally Posted by: SWResearch
It doesn't require Domain Admin rights, just needs permissions to manage computer objects. For example all of our helpdesk staff have access to objects, i.e. so they can move them between OUs, delete or add computers, but they're not members of the Domain Admin group.

So should I create a group with those permissions, or does Windows already have a pre-created group with those settings?

Thanks
#5 SWResearch (Member, Posts: 4)
posted: 5/20/2022 1:34:18 PM(UTC)
Apologies, I was mixing up the LAPS attribute and BitLocker recovery information; the attribute was msFVE-RecoveryInformation. See the following for details on setting up access: https://kb.wisc.edu/iam/page.php?id=72670
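
An added example, not part of the thread and not code from Lansweeper or the linked KB article: one way to let a non-admin group read BitLocker recovery objects under a single OU, scoped to msFVE-RecoveryInformation objects only. The OU path, group name and computer DN are placeholders, and it assumes the RSAT ActiveDirectory module and PowerShell 5 or later.

```powershell
# Added example: delegate read access to BitLocker recovery objects on one OU.
# $ouDn and $groupName are placeholders; run as an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=example,DC=com'   # placeholder
$groupName = 'BitLocker-Key-Readers'               # placeholder

$group = Get-ADGroup -Identity $groupName

# Look up the schemaIDGUID of the msFVE-RecoveryInformation class so the ACE
# applies only to those child objects, not to the computer objects themselves.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$class = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
if (-not $class) { throw 'msFVE-RecoveryInformation class not found in the schema.' }
$classGuid = [guid]$class.schemaIDGUID

# GenericRead covers list/read; ExtendedRight (control access) is what lets the
# trustee read confidential attributes such as msFVE-RecoveryPassword.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ExtendedRight'
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

$path = "AD:\$ouDn"
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: show the ACEs on the OU that are scoped to recovery-information objects.
(Get-Acl -Path $path).Access |
    Where-Object { $_.InheritedObjectType -eq $classGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# Check as a member of the group (computer DN is a placeholder):
# Get-ADObject -SearchBase 'CN=PC01,OU=Workstations,DC=example,DC=com' `
#   -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties msFVE-RecoveryPassword
```

Membership of this group is equivalent to holding every recovery key under the OU, so keep it small and audit changes to it.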
