BitLocker is a great out-of-the-box encryption tool for disk volumes. If you read about this technology, you realize that the most challenging part is the disk recovery key and how to maintain and back it up.
Well, Microsoft did a great job documenting the different ways of doing that. One of those methods is to back up the keys to Active Directory. Simple and easy, and you can even control this behavior via Group Policy.
Let me describe the problem with BitLocker AD Key Backup and Recovery
Now, imagine that you enabled BitLocker key recovery in Active Directory. This will simply create an entry per volume in a specific multi-valued attribute of the computer object.
Now, suppose that you have deleted the computer object from AD.
Or think about this scenario: the computer has a C drive with the OS and a D drive for data, and both are BitLocker encrypted. You decide to format the C drive and join the machine to the domain again, so you format the C drive and delete the computer object in AD so that you can join it to the domain again. Now think about the recovery key for the D drive in this scenario! It was lost when you deleted the computer object.
Bad things happen, and believe me, you will always find yourself in a situation where computer objects get deleted, even as part of an organized cleanup process.
You will end up going back to an AD restore or the AD Recycle Bin, and believe me, they are not that easy to deal with.
I have created a simple script that needs only read access to computer objects and to BitLocker recovery information.
(Read this blog post for information about how to delegate permissions to read BitLocker information.)
Now here is the script. It will go through all computer objects in your Active Directory and create a nice CSV file for you with all recovery keys for all BitLocker computers. You can schedule it to run daily, keep those CSV files for a month, and then automatically delete the oldest.
This way, you will have a solid place to go when someone deletes a computer object and you need the BitLocker recovery key. Believe me, this helped me a lot.
Note: the machine from which the script runs should have the Quest Active Directory PowerShell cmdlets installed. You can download them from here: http://www.quest.com/powershell/activeroles-server.aspx
The output is a CSV file with Object Name, Computer Name, and other attributes. The most important one is the Recovery Password field; this is the value you use to unlock the BitLocker volume.
Download the script
You can download the script from here Get-ADBitLockerInfo
Collect information from the whole directory and save the output CSV file to C:\Scripts:
.\Get-ADBitLockerInfo.ps1 -FilePath C:\Scripts
Collect information from the whole directory and save the output CSV file to the current directory:
.\Get-ADBitLockerInfo.ps1 -FilePath .\
Collect information from computers under a certain AD Organizational Unit (OU), and save the output CSV file to C:\Scripts:
.\Get-ADBitLockerInfo.ps1 -FilePath C:\Scripts -OrganizationalUnit "OU=LON,DC=CONTOSO,DC=COM"
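The same collection the post's script performs, written here as an added example (not the author's Get-ADBitLockerInfo.ps1) against the Microsoft ActiveDirectory module instead of the Quest cmdlets. It assumes the parameter names -FilePath, -OrganizationalUnit and -RetentionDays, a date-stamped output file name, and the 30-day retention the post describes.

```powershell
# Added example (not the post's script). Requires the ActiveDirectory module and
# PowerShell 5 or later; needs only read access to computer objects and to the
# msFVE-RecoveryInformation objects stored beneath them.
param(
    [Parameter(Mandatory)] [string] $FilePath,   # folder for the CSV (assumed name)
    [string] $OrganizationalUnit,                # e.g. "OU=LON,DC=CONTOSO,DC=COM"; whole domain if omitted
    [int]    $RetentionDays = 30                 # delete CSVs older than this (assumed name)
)
Import-Module ActiveDirectory -ErrorAction Stop

# Recovery passwords live in msFVE-RecoveryInformation child objects of the computer
# object, which is exactly why they disappear when the computer object is deleted.
$searchBase = if ($OrganizationalUnit) { $OrganizationalUnit } else { (Get-ADDomain).DistinguishedName }

$rows = Get-ADObject -SearchBase $searchBase -SearchScope Subtree `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword','msFVE-VolumeGuid','whenCreated' |
    ForEach-Object {
        # The recovery object's CN holds a timestamp and the password ID in braces;
        # it contains no commas, so everything after the first comma is the parent
        # (computer) DN, and the parent's CN is the computer name.
        $computerDn = $_.DistinguishedName -replace '^CN=[^,]+,', ''
        [pscustomobject]@{
            ObjectName       = $_.Name
            ComputerName     = ($computerDn -replace '^CN=([^,]+),.*$', '$1')
            ComputerDN       = $computerDn
            VolumeGuid       = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
            RecoveryId       = ($_.Name -replace '^.*\{([^}]+)\}.*$', '$1')
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            WhenCreated      = $_.whenCreated
        }
    }

# One file per run, so a daily scheduled task keeps a history.
$outFile = Join-Path $FilePath ("BitLockerKeys_{0:yyyyMMdd}.csv" -f (Get-Date))
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# The CSV contains usable recovery passwords: keep $FilePath on an ACL-restricted
# share, and prune old copies so the exposure window stays bounded.
Get-ChildItem -Path $FilePath -Filter 'BitLockerKeys_*.csv' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Force

"{0} recovery entries written to {1}" -f @($rows).Count, $outFile
```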