0 votes

Hello,

We did implement LAPS & Bitlocker in our AD environment. To let the helpdesk retrieve that information, we created a bunch of custom commands that fetch from AD and log the result as a warning.

Example:
$Context.LogMessage("Local administrator password: "+$Context.TargetObject.Get("ms-Mcs-AdmPwd") , "Warning")

We chose the custom action over simply displaying the attribute in the webGUI. This way we can audit who activated the custom action on what machine.

Sadly, the output of the custom command remains in the Adaxes log, and everyone with the view log ability can retrieve the already retrieved password without leaving any trace.

How could we improve that? I thought about sending it by email, but this is not possible as we have a "no password per email" policy.

by (750 points)

1 Answer

0 votes
by (270k points)
Best answer

Hello Pierre,

As a solution you can create a Home Page Action that will display only the ms-Mcs-AdmPwd property. For information on how to create a Home Page Action, check the following tutorial: http://www.adaxes.com/tutorials_WebInte ... s.htm#view.

For information on how to grant permissions to view the ms-Mcs-AdmPwd property to specific users, check the following tutorial: http://www.adaxes.com/tutorials_Delegat ... erties.htm.

However, this solution will not allow you to check who viewed the property and when.

0

Dear support,

Thank you for your suggestion. This would work for the LAPS, but I don't see how I could achieve the same for the Bitlocker recovery key.

Here is the script:

$value=$False
# Walk the child objects of the computer account; each BitLocker protector is stored as an msFVE-RecoveryInformation child
foreach($child in $Context.TargetObject){
    if($child.get("ObjectClass") -eq "msFVE-RecoveryInformation"){
        $value=$True
        # msFVE-RecoveryGuid is an octet string (byte[]), so build a System.Guid from it for display
        $guid=new-object -TypeName System.Guid -ArgumentList @(,($child.get("msFVE-RecoveryGuid")));
        $Context.LogMessage($child.get("cn")+": Bitlocker recovery key: "+$child.get("msfve-recoverypassword")+" (ID: "+$guid+")", "Warning")
    }
}
# Abort with a message when the computer has no recovery information at all
if(-not $value){
    $Context.Cancel("Unable to retrieve recovery key for %cn%!")
}

It enumerates the sub-items of the computer account and formats them in a "user friendly" way for the helpdesk.

Best for us would be to have some way to give custom command feedback to the end user without it being persisted in the log.

0

Hello Pierre,

We can suggest a similar solution for BitLocker as well. You can configure a scheduled task that will run a similar script. The script will pull the necessary BitLocker information and save it to a certain attribute of the computer account. The script will perform all actions so that there will be no information in the logs except the very fact that the script was executed.

So, you will only need to distribute permissions to view the property that stores BitLocker information.

Does this solution meet your needs?
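As an added illustration of the scheduled-task approach described in the answer above (example code written here, not the thread's or Adaxes's own script), the following collects the recovery information from the msFVE-RecoveryInformation children and writes it to one attribute on the computer account, so access is governed by property-level permissions rather than by the log. The target attribute name is an assumption; it must be one that is not readable by every authenticated user and that is covered by the delegation you set up.

```powershell
# Added example for an Adaxes scheduled task run against computer accounts.
# ASSUMPTION: extensionAttribute1 is unused and is covered by the property-level delegation.
$targetAttribute = "extensionAttribute1"

$entries = @()
# Each BitLocker protector is an msFVE-RecoveryInformation child of the computer object
foreach ($child in $Context.TargetObject) {
    if ($child.Class -ne "msFVE-RecoveryInformation") { continue }

    # msFVE-RecoveryGuid is an octet string (byte[]); build a System.Guid for a readable ID
    $guidBytes = $child.Get("msFVE-RecoveryGuid")
    $guid = New-Object -TypeName System.Guid -ArgumentList @(,$guidBytes)

    $entries += ("ID: {0} Key: {1}" -f $guid, $child.Get("msFVE-RecoveryPassword"))
}

if ($entries.Count -eq 0) {
    # Only the fact that nothing was found is logged; the key itself never goes to the log
    $Context.LogMessage("No BitLocker recovery information found for %cn%.", "Information")
    return
}

# Store the combined text on the computer account and commit it to Active Directory
$Context.TargetObject.Put($targetAttribute, ($entries -join "; "))
$Context.TargetObject.SetInfo()
```

Because nothing is written with $Context.LogMessage except the "not found" case, the Adaxes log records only that the task ran, and reads of the attribute are then controlled (and, where needed, audited) through the permissions on that property.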
