The greatest challenge to any thinker is stating the problem in a way that will allow a solution

Bertrand Russell

On 25 Jan 2012

Basic / Introductionary, PowerShell


One of the great problems with creating scripts that will be run when you’re not around is how to provide them with the credentials that they need.  Microsoft have intentionally tried to make it difficult to simply include username and password information in the raw, in scripts.  This is a good thing, but it can be an initial stumbling block when you’re getting started.

To get around this irritation, without bypassing the security it provides, I store my password in an encrypted file, which is called upon by every script that needs it…

First you have to create an encrypted file containing your password. I also create a file containing my username; it's not encrypted, so it doesn't do anything for security, but it just feels more complete.

$credential = Get-Credential                                                # Prompts you to enter your username and password
$credential.UserName | Set-Content "User.fil"                               # Stores username in User.fil (not encrypted)
$credential.Password | ConvertFrom-SecureString | Set-Content "Pass.fil"    # Stores encrypted password in Pass.fil

Once stored, you can then load up the contents of the files in order to create a PsCredential object, which is exactly what the Get-Credential CmdLet creates.

$user = Get-Content "User.fil"
$pass = Get-Content "Pass.fil" | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PsCredential($user, $pass)

Now you can use any PowerShell CmdLet that needs authentication credentials, for example…

Get-WMIObject -query "SELECT * FROM Win32_BIOS" -Credential $cred -Computer "192.168.10.251"

To make things nice and easy, I use the following script to recreate my credentials files as required (for example, when I have to change my domain password).

$UserFile = "User.fil"
$PassFile = "Pass.fil" 
 
# Remove old files if they exist
if (Test-Path $UserFile) {
    Remove-Item $UserFile
}
if (Test-Path $PassFile) {
    Remove-Item $PassFile
}
 
# Request username and password, and store
$cred = Get-Credential -Credential ($env:userdomain + "\" + $env:username)	# Pre-populates username field with domain\username
$cred.UserName | Set-Content $UserFile -Force
$cred.Password | ConvertFrom-SecureString | Set-Content $PassFile -Force
Write-Host "Credentials saved"

Beware! If you have recently changed your password, and overnight you have a script that runs and connects to lots of machines with your old password, you will lock your account out (if that’s how your domain is set up, and you haven’t remembered to recreate your password file).

Therefore it's worth checking for an unauthorised response when using them. It's good practice to expect to have to catch connection errors anyway, so it's just a case of adding a specific catch for the case of your password being invalid, for example…

try {
    $proxy = New-WebServiceProxy -Uri $endpoint -Cred $credential -ErrorAction:Stop
} catch {
    Write-Host $_
    if ($_.ErrorDetails.Message -match "401: Unauthorized") {
        Remove-Item $UserFile
        Remove-Item $PassFile
        Write-Host "User/pass credential cache files have been deleted"
    } else {
        Write-Host $_.Exception.Message
        Write-Host $_.Exception.GetType().FullName
    }
    Exit
}
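
The load and recreate steps above folded into one function, as an added example that is not part of the original post: it reuses the cached files when they decrypt, and otherwise either prompts to recreate them or, for unattended runs, stops instead of prompting. `Get-CachedCredential`, `-Directory` and `-NonInteractive` are hypothetical names, and the example assumes Windows, where `ConvertFrom-SecureString` without `-Key` ties Pass.fil to the account and machine that created it.

```powershell
# Added example. Get-CachedCredential, -Directory and -NonInteractive are hypothetical names.
function Get-CachedCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Directory,  # folder holding User.fil / Pass.fil
        [switch]$NonInteractive                            # scheduled runs: fail, never prompt
    )
    $userFile = Join-Path $Directory 'User.fil'
    $passFile = Join-Path $Directory 'Pass.fil'

    if ((Test-Path $userFile) -and (Test-Path $passFile)) {
        try {
            $user = Get-Content $userFile -ErrorAction Stop
            # No -Key was used when saving, so Windows protects the string with DPAPI:
            # decryption only works for the same account on the same machine.
            $pass = Get-Content $passFile -ErrorAction Stop |
                ConvertTo-SecureString -ErrorAction Stop
            return New-Object System.Management.Automation.PSCredential($user, $pass)
        } catch {
            Write-Warning "Credential cache in '$Directory' is unusable: $($_.Exception.Message)"
        }
    }

    if ($NonInteractive) {
        # Failing here is safer than carrying on: nobody is present to answer a prompt.
        throw "No usable credential cache in '$Directory'. Recreate it as the account that runs this script."
    }

    $cred = Get-Credential -Credential ($env:userdomain + "\" + $env:username)
    if (-not $cred) { throw 'No credential was entered.' }
    $cred.UserName | Set-Content $userFile -Force
    $cred.Password | ConvertFrom-SecureString | Set-Content $passFile -Force
    return $cred
}

# Usage from an unattended script (C:\Scripts is a constructed path):
# $cred = Get-CachedCredential -Directory 'C:\Scripts' -NonInteractive
```

Because of the DPAPI binding, the cache files must be created while logged on as the same account that the scheduled task runs under, on the same machine.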

The above was based on info I originally found at BSonPoSh. There are plenty of other similar examples of how to do this on the web, and some different methods as well. You can also see the section on my Wiki which covers this: PowerShell Credentials.

