Passwords and alternative credentials in PowerShell

Sep 05, 2014

On a number of PowerShell courses I have been asked by students for an easy way to use or save alternative (usually administrator) credentials when remoting into another machine, running an unattended script, and so on. The question is how a username and password can be saved, especially since Microsoft's guidelines recommend that an administrator signs in with their standard user account and uses their administrative credentials only when needed. There are a number of ways of doing this, both recommended and not recommended. The first thing to remember is that PowerShell does not allow a password to be passed as a plain-text string in the -Credential parameter (and that is a good thing!). Check the help files: you cannot pipe any input to the Get-Credential command, nor is there a -Password parameter. What the -Credential parameter does accept is an object of type System.Management.Automation.PSCredential. This object has only two properties: UserName, a plain string, and Password, a SecureString. The SecureString holds the password encrypted in memory rather than as readable text, although any code running in the same session can still extract the plain text through the object's GetNetworkCredential() method, so the protection is against casual display, not against a compromised session.


So how can we use alternative credentials in our scripts without having to enter a username and password for each command? The simplest way is to assign the output of Get-Credential to a variable; the command prompts for the username and password in a dialog box and returns the PSCredential object.
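As an added example (this is not code from the original post), the following shows the Get-Credential pattern described above, what the returned object actually holds, and how to reuse it across commands. CONTOSO\svc-admin and SERVER01 are assumed names, and the domain validation at the end goes beyond the post: it is an extra up-front check using the .NET AccountManagement API, since Get-Credential itself validates nothing.

```powershell
# Added example, not from the original post. CONTOSO\svc-admin and SERVER01 are
# assumed names. -UserName and -Message need PowerShell 3.0 or later.

# Prompt once. -UserName pre-fills the account, -Message replaces the default
# dialog text. Nothing is checked here: a mistyped password is not noticed until
# the credential is actually used.
$cred = Get-Credential -UserName 'CONTOSO\svc-admin' -Message 'Password for the admin account'

# A PSCredential carries exactly two properties: UserName (string) and
# Password (System.Security.SecureString).
$cred | Get-Member -MemberType Property
$cred.Password.GetType().FullName        # System.Security.SecureString

# The SecureString keeps the password encrypted in process memory, but any code
# running in this session can still recover the plain text. A credential
# variable is therefore only as safe as the session holding it.
$netCred = $cred.GetNetworkCredential()
$netCred.Domain     # CONTOSO
$netCred.UserName   # svc-admin
$netCred.Password   # the plain-text password

# Reuse the same object for several commands instead of prompting each time.
Invoke-Command -ComputerName 'SERVER01' -Credential $cred -ScriptBlock { whoami }
Get-WmiObject -Class Win32_OperatingSystem -ComputerName 'SERVER01' -Credential $cred

# Optional extra check (not in the post): validate the credential against the
# domain before a long script relies on it, so it fails early rather than midway.
# Requires a domain-joined machine.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$contextType   = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$domainContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType)
if (-not $domainContext.ValidateCredentials($netCred.UserName, $netCred.Password)) {
    throw "The domain rejected the credentials supplied for $($cred.UserName)"
}
```

The validation step binds to the domain with the supplied password, so it is itself a credential use; run it once at the top of a script rather than before every command, and clear $netCred when you are done with it if the plain text is no longer needed.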


This allows us to enter the required credentials once and reuse them in multiple commands later in the script or PowerShell session. If you use the -UserName parameter to specify the username, you can also use the -Message parameter to specify your own prompt text. Alternatively, you can replace the -UserName and -Message parameters with the -Credential parameter to pass in a pre-created PSCredential object. Another option, if you use alternative credentials regularly in your PowerShell sessions, is to put the Get-Credential command into a profile script. Keep in mind that Get-Credential does not validate the username or password against anything (a mistyped password is only discovered when the credential is first used), and that the contents of the credential variable, once defined, exist only for that session.

But what if you want to run a script unattended, such as a regularly scheduled script? In a production environment I would generally create a managed service account specifically for the purpose of that script, or use another service account such as the Network Service account provided it was appropriate, so that no password needs to be stored at all. Failing that, it is possible to save a password to a file, preferably in an encrypted form. This method is not recommended by Microsoft and should not be used in a production environment, as it is a significant security risk even if the file holds only the password with no reference to a username. Stored passwords are too easily discovered and compromised, and as a best practice you should avoid writing a password to disk, just as you should avoid writing your passwords on a piece of paper and sticking them to your monitor. (OK, own up, who has done that before?)

With that disclaimer out of the way, this is how you could do it in a testing environment. The usual approach is to read the password as a SecureString and convert it with ConvertFrom-SecureString into an encrypted string that is written to a text file (the encrypted string is far longer than what fits on screen). Note what that encryption actually gives you: without a -Key parameter, ConvertFrom-SecureString protects the string with the Windows Data Protection API (DPAPI), so the file can only be decrypted by the same user account on the same machine. Anyone who can run code as that account can decrypt it, which is precisely why this remains a stored password.


Once the text file has been created (hopefully in a more secure location than in my example!), the contents can be read back in with ConvertTo-SecureString and wrapped in a new PSCredential object assigned to a new variable.


The $cred variable can then be used in subsequent commands during that script session. There are a few other ways of accomplishing the above, such as creating a SecureString directly from a plain-text password with ConvertTo-SecureString -AsPlainText -Force. That puts the password in your script in readable form, so it belongs in a throwaway test at most.
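The whole save-and-restore procedure from the preceding paragraphs, plus the plain-text alternative just mentioned, as one added example (not code from the original post). The file path, account name, password and SERVER01 are assumptions, and the ACL tightening and the closing demonstration of what DPAPI does and does not protect are additions beyond what the post describes.

```powershell
# Added example, not from the original post. The path, account name, password
# and host name are assumptions. Testing environments only: a password on disk
# is a stored password, whatever the encryption.
$passwordFile = 'C:\Scripts\svc-admin.pwd'
$userName     = 'CONTOSO\svc-admin'

# --- Step 1: save the password (run once, interactively, logged on as the
# account that will later run the unattended script) ---
# Read-Host -AsSecureString never shows or stores the plain text. With no -Key,
# ConvertFrom-SecureString protects the string with DPAPI under the current
# user on the current machine, so the file cannot be decrypted by another user
# or on another host. The result is one long hex string.
Read-Host -Prompt "Password for $userName" -AsSecureString |
    ConvertFrom-SecureString |
    Out-File -FilePath $passwordFile

# Tighten the file ACL so only this account can read it. This defends against
# other users on the box, not against anything running as this account.
icacls $passwordFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

# --- Step 2: read it back in the unattended script ---
$securePassword = Get-Content -Path $passwordFile | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)
Invoke-Command -ComputerName 'SERVER01' -Credential $cred -ScriptBlock { hostname }

# --- Alternative: build the SecureString from a plain-text literal ---
# -AsPlainText -Force is the shortcut for throwaway test scripts. The password
# now lives in the script file itself, which is worse than the DPAPI file.
$securePassword = ConvertTo-SecureString -String 'Test-only-P@ss' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)

# --- What DPAPI does and does not protect against ---
# A different account reading the file gets a DPAPI error from
# ConvertTo-SecureString. The owning account, or any malware running as it,
# recovers the plain text in one expression:
$recovered = (New-Object System.Management.Automation.PSCredential($userName,
    (Get-Content -Path $passwordFile | ConvertTo-SecureString))).GetNetworkCredential().Password
```

Because the DPAPI protection is bound to the user profile, the file must be created by the same account (and on the same machine) that the scheduled task will run under; create it from an interactive session as that account, not from your own. If you need the file to work across accounts or machines, both ConvertFrom-SecureString and ConvertTo-SecureString accept a -Key parameter (a 16, 24 or 32 byte AES key); that makes the file portable, but it only moves the secret into the key, which then has to be stored somewhere too.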


The $securepassword variable could then be used to build the PSCredential object exactly as above. Hopefully this has given you some thoughts for your own scripts, but for your production environments please remember Microsoft's security motto: "Stored passwords are compromised passwords."


About the Author:

Gordon Cowser  

With over 22 years of real-world and training experience, Gordon is our most senior IT infrastructure trainer. His expertise includes, but is not limited to, Microsoft server and client operating systems, messaging, collaboration, Active Directory and network infrastructure. Gordon also specialises in SharePoint technologies training, in both technical and end-user aspects. With his extensive skill set he brings a thorough mentoring capability to the classroom, where he can advise on technical issues and challenges often beyond the scope of the course curriculum. A very approachable and experienced training professional, he has the ability to establish credibility fast with students at all levels.
