11

I need to write a PowerShell script that I can run on any machine to connect to a server. Does the SecureString encrypt using the machine or the user, i.e. will a secure password work on any machine in the domain, or can it only be decrypted on the machine it was created on? If it is the latter, is there a way to encrypt the password so I can run the script on any machine?

0

3 Answers

13

To work on other machines you'll need to create a key for use with the ConvertTo-SecureString and ConvertFrom-SecureString cmdlets.

PS C:\> $Key = (3,4,2,3,56,34,254,222,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)
PS C:\> $StandardString = ConvertFrom-SecureString $SecureString -Key $Key

http://www.leeholmes.com/blog/2006/06/01/securestrings-in-powershell/

By default, the SecureString cmdlets use Windows' Data Protection API when they convert your SecureString to and from a plain text representation. The encryption key is based on your Windows logon credentials, so only you can decrypt the data that you've encrypted. If you want the exported data to work on another system or separate user account, you can use the parameter sets that let you provide an explicit key.


2 Comments

How secure is it having the key in the script?
It's not. That would be like putting the cleartext password in there.
0

That's a great question. Here's a link to how to save your credential. I got this set up and I'm going to try my credential string on another computer logged in with another account. I'll let you know my result.

Update

I would have to say it didn't work for me. I went on the other person's machine logged in as them. I have my Credentials set up in a script called Get-MyCred:

$username = 'Domain\MyName'
# Read the DPAPI-protected string from the share and turn it back into a SecureString
$password = cat '\\server\share\securestring.txt' | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

return $cred

When I run the line where it gets my password, I get an error on the other person's machine.

ConvertTo-SecureString : Key not valid for use in specified state.
At line:1 char:56
+ Get-Content O:\BCKUP\MyScripts\Cred\securestring.txt | ConvertTo-SecureString
+                                                        ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
+ FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

I even get the error when I log into another computer with my credentials.

3 Comments

That would be great if you could let me know. I just want a custom script that I can run on certain machines to change the OU, and was going to use enter-pssession -computername dc1 -credentials user get-adcomputer %computername% | Move-ADObject -TargetPath 'ou=test,dc=test,dc=com'
You might save the password in plain text? Make it a hidden file?
Interesting, there must be a way to do this. I really don't want to risk having my admin's password in plain text. Thanks for having a look though.
0

So the only way you can create a secure string that can be used on multiple machines is to use a key when you create the password.

On the first machine, run the following to make the secure string:

$Key = (3,4,2,3,56,34,254,192,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)

read-host -assecurestring | convertfrom-securestring -key $Key | out-file C:\Scripts\test\securestring_movable.txt

Type in the password at the prompt.

Then copy the secure string file onto another machine and run:

$Key = (3,4,2,3,56,34,254,192,1,1,2,23,42,54,33,233,1,34,2,7,6,5,35,43)

$password = cat C:\Scripts\test\securestring_movable.txt | ConvertTo-SecureString -Key $Key

In my use case only the secure string file lives on the remote machine. I then use Zoho's Desktop Central or Heimdal to run the script remotely. That way the key and the secure string are not on the same machine.

This way you deploy the secure string to the correct folder on multiple machines, and then you can run your script against that string. I use this to monitor laptops. The secure string holds the password to a basic account that has email. I use the account to check that key IT software is installed, that the VPN is connected and some other basic monitoring information, and then if there is a problem with anything, email back to IT with the details.
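The two key-based answers above (the ConvertFrom-SecureString -Key snippet in the first answer and the two-machine procedure in this one) both hard-code the key as a list of small integers, which the comment under the first answer rightly calls equivalent to a cleartext password. The following is an added example, not code from any of the answers: it generates the key from the OS random number generator, writes the key and the ciphertext to separate files so they can be deployed separately (as this answer does with its management tool), and catches the CryptographicException that the second answer ran into when the wrong machine or key tries to decrypt. All paths, function names and the sample password are constructed for illustration.

```powershell
# Added example: portable SecureString with a separately stored AES key.
# Function names, file paths and the sample password are assumptions, not from the answers.

function New-PortableKey {
    # ConvertFrom-SecureString -Key accepts 16, 24 or 32 bytes (AES-128/192/256).
    param([ValidateSet(16, 24, 32)][int]$Length = 32)
    # Draw the key from the OS CSPRNG rather than typing a list of small integers.
    $key = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    return $key
}

function Protect-SecretToFile {
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Secret,
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$Path
    )
    # -Key switches from DPAPI (bound to this user/machine) to AES with our key,
    # which is what lets another machine decrypt the file.
    ConvertFrom-SecureString -SecureString $Secret -Key $Key |
        Set-Content -Path $Path -Encoding ASCII
}

function Get-PortableCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$SecretPath,
        # The key lives at a different location than the ciphertext and is never
        # written into the script itself.
        [Parameter(Mandatory)][string]$KeyPath
    )
    if (-not (Test-Path -Path $KeyPath))    { throw "Key file not found: $KeyPath" }
    if (-not (Test-Path -Path $SecretPath)) { throw "Secret file not found: $SecretPath" }

    # Raw bytes via .NET so the same code works on Windows PowerShell 5.1 and PowerShell 7.
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    $encrypted = Get-Content -Path $SecretPath | Select-Object -First 1

    try {
        $secure = ConvertTo-SecureString -String $encrypted -Key $key -ErrorAction Stop
    } catch {
        # Wrong key, or a DPAPI-protected string produced by another user/machine,
        # surfaces here as a CryptographicException (cf. "Key not valid for use in
        # specified state" in the second answer).
        throw "Could not decrypt '$SecretPath' with the key at '$KeyPath': $($_.Exception.Message)"
    }
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# --- Demonstration with constructed paths and a constructed sample password ---
$keyPath    = Join-Path $env:TEMP 'demo-portable.key'
$secretPath = Join-Path $env:TEMP 'demo-portable.secret'

$key = New-PortableKey
[System.IO.File]::WriteAllBytes($keyPath, $key)

# Sample secret for the demo only; in practice use Read-Host -AsSecureString as the answer does.
$sample = ConvertTo-SecureString -String 'Example-P@ss-not-real' -AsPlainText -Force
Protect-SecretToFile -Secret $sample -Key $key -Path $secretPath

# On the target machine only $secretPath is present; $keyPath is delivered at run time.
$cred = Get-PortableCredential -UserName 'DOMAIN\svc-monitor' -SecretPath $secretPath -KeyPath $keyPath
if ($cred.GetNetworkCredential().Password -ne 'Example-P@ss-not-real') { throw 'Round trip failed' }

# A different key must fail, which is the error path the second answer hit.
[System.IO.File]::WriteAllBytes($keyPath, (New-PortableKey))
try {
    Get-PortableCredential -UserName 'DOMAIN\svc-monitor' -SecretPath $secretPath -KeyPath $keyPath | Out-Null
    throw 'Decryption with the wrong key should have failed'
} catch { Write-Host "Expected failure: $($_.Exception.Message)" }

Remove-Item -Path $keyPath, $secretPath -ErrorAction SilentlyContinue
```

Whoever holds both files can recover the password, so the key file should get the same access control you would give the cleartext password, and it should reach the target machine only for the duration of the run, as this answer does by keeping the key with the remote management tool rather than on the monitored laptop.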
