HowTo: Retrieve BitLocker Passwords

If you have configured BitLocker to store the recovery keys in AD, you can use NetTools to retrieve the BitLocker Recovery Key.  With NetTools the process to retrieve the recovery key is really simple.

Select the User - Search option in the left hand pane and make sure that the Return Users Only is deselected, and then complete the following steps:

      1. Enter the name of the computer  
      2. Click Go
      3. Open the AD Properties for the computer

Select the BitLocker tab

Select the Recovery Key ID that is displayed on the BitLocker Recovery screen

Note: the BitLocker tab will only be displayed if msFVE-RecoveryInformation object exist on the computer object and you have the rights to read the object 

HowTo: Retrieve LAPS Password

Local Administrator Password Solution (LAPS) is a Microsoft component that provides automatic management of the local administrator passwords on domain joined machines, details on LAPS can be found here

In this article we will show how to use NetTools to display the password that LAPS has assigned to the local administrator account on workstations or servers. With NetTools it is very simple to retrieve the LAPS password, from the Users - Search enter the name of the machine of which you want to retrieve the LAPS password, make sure that the Return Users Only option is deselected and click Go.

In the dialog select the LAPS tab.

Note: the LAPS tab will only be displayed if the computer object has a password set and you have rights to read the ms-Mcs-AdmPwd attribute.

HowTo: Check that a user has actually changed their password

This is in response to a query raised on ActiveDir.org maillist about how to check if a user has actually changed their password and not just toggled the pwdlastset attribute to make it look like they have changed their password.   When a user changes their password a number of attributes are updated at a result of the password change, these include dbcspwd, lmpwdhistory, ntpwdhistory, pwdlastset, supplementalcredentials, and unicodepwd.  To be able to determine if the password has actually been changed, we have to look at the meta data for the object and check the last change date of the unicodepwd attribute, which contains the hash of the user’s password. 

NetTools provides a couple of ways to view the meta data of an object, via Meta data dialog, running an LDAP query, or in this use case the Last Logon, will display all the details required.

For a single user the Last Logon option will display both the pwdlastset and change date for the unicodepwd in the meta time column. This screenshot shows the results of a normal account password change, both the pwdlastset and meta time are the same.

For this user the pwdlastset has been toggled, and it shows that the pwdlastset and meta data times don't match

You can view the meta data on an object via the Meta Data Dialog, this option is provided throughout NetTools as a context menu option called Meta Data.  The easiest place to demonstrate this on the User Search option, search the account in question and then right click on the user and select Meta Data from the right click context menu.

This shows an account that has had it's password changed. 

This shows that the pwdlastset has changed but the other attributes have not changed, which is caused by the pwdlastset being toggled.

The above options are for single accounts, but it is also possible in to check multiple accounts at once.  The LDAP Search option includes an option to return meta data as if it's an attribute of the object.  This is done using the meta option in the attributes field.  We can use an Input Mode of the LDAP Search to provide a list of the samaccountnames to check.

In this example we are checking the details of the five user accounts, and it shows that user1 meta data doesn't match the pwdlastset date and time.

Here is the favorite for the above query, see Favorites on how to import 

[PwdLastSet Meta Data]
Options=880030209675869
Server=
BaseDN=##default
Filter=(&(objectclass=user)(samaccountname=##input))
Attributes=meta.time.unicodepwd, pwdlastset
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

With the introduction of v1.27, there is new query option that can be used to simplify this task.  In v1.27 the conditional attributes have been extended to support meta data queries.  This means we can do the checking in the query itself without any additional post query work.

[PwdLastSet Meta Data] 
Options=880030209675869 
Server= BaseDN=##default 
Filter=(&(objectclass=user)(samaccountname=##input)) 
Attributes=samaccountname, Pwd_Change;{if:meta.time.unicodepwd;date!=pwdlastset:"Invalid":"Valid"} 
DisplayFilter= 
Filename= 
Sort= 
Authentication=1158 
Separator=,

 

Related Articles
User Search
LDAP Search
LDAP Search Input Mode
Meta Data Dialog
Troubleshoot account lockouts
Favorites