Bitlocker - Problem with script "Add-TPMSelfWriteACE.vbs"

  • Question

  • I am studying the article about BitLocker and integrating the recovery keys with AD DS on a W2k8 R2 server (BitLocker Drive Encryption Configuration Guide).

    I am at the point "Set the required permissions for backing up TPM password information". When I try to run the script "Add-TPMSelfWriteACE.vbs", I receive the error "(null): The security ID structure is invalid" for Line (119, 1):


    Add-TPMSelfWriteACE.vbs

    Line 116:  objDacl.AddAce objAce1
    Line 117:
    Line 118: objDescriptor.DiscretionaryAcl = objDacl
    Line 119: objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
    Line 120: objDomain.SetInfo


    What am I missing or doing wrong? I tried to search for solutions for it. Now I am asking you.

    Thursday, January 5, 2012 12:45 PM

Answers

  • OK, I found it here. As my OS has the German language and I then installed the MUI Pack, I had to change the variable "SELF" to "SELBST" directly in the script. Installation was successful, the error is gone.
    • Marked as answer by Dawid Mitura Thursday, January 26, 2012 3:34 PM
    Thursday, January 26, 2012 3:34 PM
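    A language-independent way to grant the same permission, written as an added example here rather than taken from the thread or from Microsoft's Add-TPMSelfWriteACE.vbs: it addresses SELF by its well-known SID (S-1-5-10) instead of the localized trustee name ("SELF"/"SELBST"), and verifies the ACE by SID as well. It assumes the RSAT ActiveDirectory module and an account permitted to modify the domain object's security descriptor.

```powershell
# Added example, not the Microsoft Add-TPMSelfWriteACE.vbs script.
# Grants SELF (well-known SID S-1-5-10) WriteProperty on msTPM-OwnerInformation,
# inherited by all descendant Computer objects of the domain. Using the SID avoids
# the localized trustee name ("SELF" vs. "SELBST") that broke the script in the thread.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to change the
# domain object's ACL (e.g. a Domain Admin).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUIDs at run time instead of hard-coding them.
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msTPM-OwnerInformation)' `
    -Properties schemaIDGUID).schemaIDGUID
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=computer)' `
    -Properties schemaIDGUID).schemaIDGUID

# SELF by well-known SID; the display name is language-dependent, the SID is not.
$self = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::SelfSid, $null)

# Allow ACE: WriteProperty, limited to this one attribute, inherited only by Computer objects.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$path = "AD:\$domainDN"
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify by SID rather than by the (localized) account name.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$present = (Get-Acl -Path $path).Access | Where-Object {
    $_.ObjectType -eq $attrGuid -and
    (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $self
}
if ($present) { "ACE present: SELF can write msTPM-OwnerInformation" } else { throw "ACE missing" }
```

The same SID-based check can be used to confirm the result of the VBScript after the "SELBST" edit, since the effective permission is stored as a SID regardless of the display language.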

All replies

  • I saw the thread "add-tpmselfwriteace.vbs and a constraint error & Bitlocker trouble", and my domain administrators "administrator" and "dawid.mitura" are both in the "Schema Admins" group. When I try to run the script with the command "runas /user: "program"", the same error comes.

    I see the Code 80070539 in the error message, too.

    Thursday, January 5, 2012 1:13 PM
  • I see in the AD Schema the attributeSchema CN="ms-TPM-OwnerInformation" with lDAPDisplayName="msTPM-OwnerInformation".

    In the Microsoft documentation "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" I read:

    • Section: "Set the required permissions for backing up TPM password information"
    • Point no.3: "Your domain is configured so that permissions inherit from the top-level domain object to targeted Computer objects."
    • Text: "You can then verify your configuration as described later in this document, or by clicking the Effective Permissions button while viewing the properties of a Computer object to check that SELF can write the msTPM-OwnerInformation attribute."


    If I try to set this permission on the top-level domain or directly on the DC, I don't see "msTPM-OwnerInformation" in the "Apply to" permissions list. Why? What am I missing?

    Thursday, January 19, 2012 11:31 AM