Organizations that use Group Policy to back up BitLocker recovery information to Active Directory Domain Services (AD DS) might want to delegate read access to users who are not domain administrators, such as members of the Helpdesk staff. Domain administrators can delegate the ability to read BitLocker recovery passwords to users who normally do not have this privilege, or the ability to read stored TPM owner information. This section describes how to delegate permissions in three steps:

1. Create a new security group.
2. Add members to the group (for example, add Helpdesk staff members).
3. Assign control access and read property permissions to the group by running the following script, after replacing the value of strGroupName with the name of your security group. Paste the script into a new text file named DelegateBitLocker.vbs and run "cscript DelegateBitLocker.vbs" from an elevated command prompt, as an account that is allowed to modify the DACL of the domain object (by default, a domain administrator).

The script adds one inherit-only access control entry (ACE) to the domain object that applies to every descendant ms-FVE-RecoveryInformation object, so it takes effect for all computers in the domain, including ones joined later. Control access (the right to read confidential attributes) is required in addition to read property because the recovery password attribute is marked confidential in the schema. The script covers BitLocker recovery information only; TPM owner information is stored in the msTPM-OwnerInformation attribute of the computer object and needs a separate ACE.
' To delegate to another group, change the group name (for example, "DOMAIN\Help Desk Staff").
strGroupName = "Shared.BitLocker_Admins"

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------
'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 'Allows an object to do something
'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE = &H2 'ACE applies to target and inherited child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8 'ACE does NOT apply to target (parent) object
'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100 'The right to view confidential attributes
Const ADS_RIGHT_DS_READ_PROP = &H10 'The right to read attribute values
'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1 'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 'Target inherited object type is present in the ACE

' --------------------------------------------------------------------------------
' BitLocker schema object GUIDs
' --------------------------------------------------------------------------------
'- ms-FVE-RecoveryInformation object:
'  includes the BitLocker recovery password and key package attributes
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"
'- ms-FVE-RecoveryPassword attribute: 48-digit numerical password
SCHEMA_GUID_MS_FVE_RECOVERYPASSWORD = "{43061AC1-C8AD-4CCC-B785-2BFAC20FC60A}"
'- ms-FVE-KeyPackage attribute: binary package for repairing damages
SCHEMA_GUID_MS_FVE_KEYPACKAGE = "{1FD55EA8-88A7-47DC-8129-0DAA97186A54}"
'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"
'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow reading of all BitLocker recovery information properties
' --------------------------------------------------------------------------------
' Inherit-only: the ACE grants nothing on the domain object itself and applies only
' to descendant objects of class ms-FVE-RecoveryInformation.
Set objAce1 = CreateObject("AccessControlEntry")
objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
objAce1.Trustee = strGroupName
objAce1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS + ADS_RIGHT_DS_READ_PROP
objAce1.InheritedObjectType = SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION
' Note: ObjectType is left blank above to allow reading of all properties of those
' objects. To limit the grant to the recovery password attribute alone, set ObjectType
' to SCHEMA_GUID_MS_FVE_RECOVERYPASSWORD and add ADS_FLAG_OBJECT_TYPE_PRESENT to Flags.

' --------------------------------------------------------------------------------
' Connect to the Discretionary ACL (DACL) of the domain object
' --------------------------------------------------------------------------------
Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. dc=fabrikam,dc=com
Set objDomain = GetObject(strPathToDomain)
WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")
Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Add the ACE to the Discretionary ACL (DACL) and write the DACL back
' --------------------------------------------------------------------------------
objDacl.AddAce objAce1
objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo
WScript.Echo "SUCCESS!"
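The same three steps in PowerShell, as an added example that is not the page's script: it uses the RSAT ActiveDirectory module and System.DirectoryServices instead of ADSI from VBScript, adds a second ACE for the TPM owner information the page mentions but the script above does not grant, and ends with two checks that the delegation actually works. The group name, the member accounts and the computer name used in the final check are assumptions; the class GUIDs are the ones the page lists, and the msTPM-OwnerInformation attribute GUID is read from the schema at run time rather than hard-coded.

```powershell
# Added example, not the page's script: the same delegation done with the RSAT
# ActiveDirectory module and System.DirectoryServices. Group name, member
# accounts and the computer used in the final check are assumptions. Run from a
# domain-joined machine as an account that may edit the domain object's DACL.
Import-Module ActiveDirectory

$groupName = 'Shared.BitLocker_Admins'   # assumed; same name as strGroupName on the page
$members   = @('hd.alice', 'hd.bob')     # assumed sAMAccountNames of Helpdesk staff

# Steps 1 and 2: security group plus members (safe to re-run).
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $members

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$groupSid = (Get-ADGroup -Identity $groupName).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$toDesc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
# ExtendedRight is the "control access" bit that unlocks confidential attributes;
# ReadProperty alone returns nothing for msFVE-RecoveryPassword.
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, ReadProperty'

# GUIDs the page lists: class ms-FVE-RecoveryInformation and class computer.
$recoveryInfoGuid = [Guid]'EA715D30-8F53-40D0-BD1E-6109186D782C'
$computerGuid     = [Guid]'BF967A86-0DE6-11D0-A285-00AA003049E2'
# GUID of the msTPM-OwnerInformation attribute, looked up in the schema partition.
$tpmOwnerGuid = [Guid](Get-ADObject -SearchBase $schemaNC `
    -Filter 'lDAPDisplayName -eq "msTPM-OwnerInformation"' -Properties schemaIDGUID).schemaIDGUID

# Step 3a: inherit-only ACE on the domain root for descendant
# ms-FVE-RecoveryInformation objects, all properties (objectType empty, as on the page).
$aceRecovery = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, $rights, $allow, $toDesc, $recoveryInfoGuid)

# Step 3b: TPM owner information lives on the computer object, so a second ACE
# scoped to that single attribute on descendant computer objects.
$aceTpm = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, $rights, $allow, $tpmOwnerGuid, $toDesc, $computerGuid)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($aceRecovery)
$acl.AddAccessRule($aceTpm)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check 1: both ACEs are on the domain object with the expected scope and flags.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType

# Check 2 (run as a group member, after a fresh logon so the token carries the
# group): read one computer's recovery password. An empty msFVE-RecoveryPassword
# means the control-access right did not take effect.
$computerDN = (Get-ADComputer -Identity 'WS-ASSUMED01').DistinguishedName   # assumed computer name
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computerDN -Properties msFVE-RecoveryPassword |
    Select-Object Name, msFVE-RecoveryPassword
```

Both ACEs are written in one Set-Acl call, so a failure leaves the DACL unchanged rather than half-delegated. Check 2 is the test that matters: the ACE can be present and still useless if ReadProperty was granted without ExtendedRight, because the directory then returns the object but omits the confidential attribute.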