List of computers with BitLocker recovery keys

Question

We are in the process of removing old computer accounts that are in AD, where the account password is older than 60 days (currently there's over 15,000 accounts that fall into this bucket). To get this list, I've ran this simple dsquery statement to generate a list:

dsquery computer -stalepwd 60 -limit 100000 > C:\Temp\Servers.txt

We currently have GPOs in place that require computers to use BitLocker and to store their recovery keys in AD. The problem is, of the 15,000+ computer accounts that are expired, I can't delete ones that have a BitLocker in AD for archival purposes, so I need to find a way to strip down the list. The end result that I would like is a list of computer accounts that have an expired computer account password, but no BitLocker recovery key stored in AD.

Has anyone done this before or know where to start looking to get something like this accomplished?

Answer 1

Go grab "AdFind" from Joe Richards' site at http://www.joeware.net and give this script a shot (obviously, spot-test the results until you're confident it's doing what you want reliably).

@echo off
for /f "usebackq delims=" %%i in (`dsquery computer -stalepwd 60 -limit 100000`) do (
    call :do_find %%i
)
goto end

:do_find
rem Search for computer at specified DN without a Bitlocker recovery key.
adfind -b %1 -f "(msFVE-RecoveryPassword=*)" 2>NUL | find "0 Objects returned" >NUL 2>NUL 
if errorlevel 1 goto end

rem Echo DNs of computers w/o bitlocker recovery keys
echo %1

:end

That should loop thru the computers w/ "stale" passwords checking for the presence of an object with a non-null attribute of "msFVE-RecoveryPassword" at the DN where each "stale" computer was found. If no objects were returned then no recovery password was present in the directory.

Joe Richards really deserves a pat on the back for his tools. They make life administering AD so much easier.