
PowerShell code to store user credentials encrypted for re-use

Michael Lubinski provides the PowerShell code and explanation of how it works for those who want to securely store a password for re-use.

There may be times, when writing a PowerShell script, that you want to securely store a password for re-use. I have found this useful when connecting to Exchange or Active Directory services so you don't have to plague the administrators with repeated login prompts. Taking security into mind, there is a small decision you must make: a SecureString normally lives only in memory and disappears when the session ends, while the approach below writes an encrypted form of your Active Directory password to the hard drive. Without a -Key, ConvertFrom-SecureString protects that string with the Windows Data Protection API (DPAPI), so it can only be decrypted by the same Windows account on the same machine that created it; anything that runs as that account, however, can decrypt it too.

I will step through the code below, giving you a more detailed explanation on each section.

#STORED CREDENTIAL CODE
$AdminName = Read-Host "Enter your Admin AD username"
# One file per admin: the DPAPI blob is tied to the Windows account running this script.
# (Creating files in the root of C:\ needs elevation; a path under $env:LOCALAPPDATA avoids that.)
$CredsFile = "C:\$AdminName-PowershellCreds.txt"
$FileExists = Test-Path $CredsFile
if ($FileExists -eq $false) {
    Write-Host 'Credential file not found. Enter your password:' -ForegroundColor Red
    # Prompt for the password only (masked), DPAPI-encrypt it and write the hex blob to disk
    Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File $CredsFile
    $password = Get-Content $CredsFile | ConvertTo-SecureString
    $Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "domain\$AdminName", $password
}
else {
    Write-Host 'Using your stored credential file' -ForegroundColor Green
    # Decrypting only works for the same user on the same machine that created the file
    $password = Get-Content $CredsFile | ConvertTo-SecureString
    $Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "domain\$AdminName", $password
}
Start-Sleep -Seconds 2
Write-Host 'Connecting to Active Directory'
# Establishes connections to Active Directory (Quest AD cmdlets) and Exchange with the stored credential.
Connect-QADService -Service 'server' -Credential $Cred -ErrorAction Stop | Out-Null
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server.fqdn.com/PowerShell/ -Credential $Cred -Authentication Kerberos -ErrorAction SilentlyContinue
# A failed New-PSSession leaves $Session empty; passing $null to Import-PSSession is a binding error that -ErrorAction does not suppress.
if (-not $Session) {
    Write-Host "Failed to open the Exchange PSSession, exiting!"
    exit 1
}
Import-PSSession $Session -ErrorAction SilentlyContinue -AllowClobber
if (-not $?) {
    Write-Host "Failed importing the Exchange PSSession, exiting!"
    exit 1
}
#END OF STORED CREDENTIAL CODE

Explanation of the code

$AdminName = Read-Host "Enter your Admin AD username"
$CredsFile = "C:\$AdminName-PowershellCreds.txt"
$FileExists = Test-Path $CredsFile

Nothing surprising here: the script asks for the administrator's username, builds the path of the credential file from it, and checks with Test-Path whether that file already exists. The username is needed to name the file and, later, to build the PSCredential object; it is not what protects the stored password. The encryption is done by DPAPI under the Windows account that runs the script, so the file can only be decrypted by that same account on that same machine. Two practical caveats: anything else running as that account (a malicious script, for example) can decrypt the file just as easily, and creating files in the root of C:\ normally requires elevation, so a location under the user's profile is the more natural choice.

if ($FileExists -eq $false) {
Write-Host 'Credential file not found. Enter your password:'
Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File $CredsFile

This is where the code starts to work for you. On the first run the credential file does not yet exist, so Read-Host -AsSecureString prompts you on the console for your password (the input is masked) and returns it as a SecureString. ConvertFrom-SecureString then turns that SecureString into a DPAPI-encrypted hex string, and Out-File writes it to the credential file. Only the password is stored; the username is typed on every run. The stored value will look similar to this one, only much longer: 01000000d08c9ddf0115d1118c7a0

$password = Get-Content $CredsFile | ConvertTo-SecureString
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "domain\$AdminName", $password

This section is used twice, once when the file has just been created and once when it already exists. Get-Content reads the encrypted string back from the credential file, ConvertTo-SecureString decrypts it (through DPAPI, so this only succeeds for the account and machine that created the file) into a SecureString in $password, and New-Object assembles the PSCredential object $Cred from "domain\$AdminName" and that SecureString for use later on.

else {
Write-Host 'Using your stored credential file' -ForegroundColor Green
$password = Get-Content $CredsFile | ConvertTo-SecureString
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "domain\$AdminName", $password
}

This is the other half of the if statement: when the file exists, the script reports that it is using the stored credential file and assembles the PSCredential object exactly as in the previous snippet. If the file was copied from another machine or created by a different Windows account, ConvertTo-SecureString fails here with a DPAPI error ("Key not valid for use in specified state"). Deleting the file and re-running the script creates a fresh one, which is also how you deal with a password change.
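The following is an added example, not code from the original article. It keeps the article's approach (a DPAPI-protected password on disk, reused across runs) but stores username and password together with Export-Clixml under the user's profile, handles the failure mode of a stored file that the current account cannot decrypt, and adds a -Reset switch for password changes. The folder name and the .cred.xml suffix are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the original article. Folder and file naming are
# assumptions; the DPAPI behaviour is the same as the article's listing.
function Get-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,                              # e.g. "domain\$AdminName"
        [string]$Folder = (Join-Path $env:LOCALAPPDATA 'PowerShellCreds'),     # assumed location
        [switch]$Reset                                                        # discard the stored file and re-prompt
    )

    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    # One file per account; strip characters that are illegal in file names.
    $file = Join-Path $Folder (($UserName -replace '[\\/:*?"<>|]', '_') + '.cred.xml')

    if ($Reset -and (Test-Path -LiteralPath $file)) {
        Remove-Item -LiteralPath $file -Force
    }

    if (Test-Path -LiteralPath $file) {
        try {
            # The password inside the XML is a DPAPI blob: it decrypts only for the
            # Windows account (and machine) that wrote it. Any other account, or a
            # file copied from another machine, fails with
            # "Key not valid for use in specified state".
            $cred = Import-Clixml -LiteralPath $file -ErrorAction Stop
            if ($cred -is [System.Management.Automation.PSCredential]) {
                Write-Verbose "Using stored credential from $file"
                return $cred
            }
            Write-Warning "Unexpected content in $file; re-prompting."
        }
        catch {
            Write-Warning "Stored credential could not be decrypted ($($_.Exception.Message)); re-prompting."
        }
        Remove-Item -LiteralPath $file -Force
    }

    # Prompt for the password only; the username is already known.
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName (stored DPAPI-protected in $file)"
    if (-not $cred) { throw 'No credential entered.' }

    # Export-Clixml serialises the SecureString as a DPAPI blob, not as plain text.
    $cred | Export-Clixml -LiteralPath $file
    return $cred
}

# Usage (the connection code from the article then follows unchanged):
# $Cred = Get-StoredCredential -UserName "domain\$AdminName"
# $Cred = Get-StoredCredential -UserName "domain\$AdminName" -Reset    # after a password change
```

Because the file sits under the user's profile, its inherited ACL already limits it to the owning user, SYSTEM and local administrators; the DPAPI blob is still the real protection, and the limits described above (anything running as that account can decrypt it) apply unchanged.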

Connect-QADService -Service 'server' -Credential $Cred -ErrorAction Stop | Out-Null
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server.fqdn.com/PowerShell/ -Credential $Cred -Authentication Kerberos -ErrorAction SilentlyContinue

You can then use the $Cred variable to connect to services such as Active Directory and Microsoft Exchange as shown above. On later runs the administrator is prompted only for the username; the password comes from the file and is decrypted by DPAPI on the strength of the Windows logon that runs the script, not of the username that was typed.
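The other side of the decision mentioned at the start is a blob that is not tied to one user and machine. The following added example (not code from the original article) uses ConvertFrom-SecureString -Key, which encrypts with AES under a key you supply instead of DPAPI, so the blob can be moved between users and machines; the price is that the key is now the secret and must be kept where readers of the blob cannot get it. The file names and the demo password are constructed for the example.

```powershell
# Added example, not code from the original article. File names and the demo
# password are made up; nothing here touches real credentials.
function New-CredentialKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    # 32 random bytes = AES-256. Use the cryptographic RNG, never Get-Random.
    $key = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)
    return $key
}

function Protect-PasswordWithKey {
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$BlobPath
    )
    # Same pipeline as the article, but keyed: the hex blob is AES ciphertext,
    # decryptable anywhere the key is available, by any user.
    $Password | ConvertFrom-SecureString -Key $Key | Set-Content -Path $BlobPath -Encoding ASCII
}

function Unprotect-PasswordWithKey {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$BlobPath
    )
    try {
        $secure = Get-Content -Path $BlobPath | ConvertTo-SecureString -Key $Key -ErrorAction Stop
    }
    catch {
        # Wrong key, or a truncated/tampered blob: ConvertTo-SecureString errors out
        # (typically "Padding is invalid and cannot be removed") instead of returning garbage.
        throw "Could not decrypt $BlobPath with the supplied key: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Demo with constructed values (not a real password).
$keyFile  = Join-Path $env:TEMP 'demo-creds.key'
$blobFile = Join-Path $env:TEMP 'demo-creds.blob'
$key = New-CredentialKey -KeyPath $keyFile

$demo = ConvertTo-SecureString 'Example-P@ss' -AsPlainText -Force
Protect-PasswordWithKey -Password $demo -Key $key -BlobPath $blobFile

# On any machine, as any user, the key file plus the blob are enough to recover the password:
$cred = Unprotect-PasswordWithKey -UserName 'domain\admin' -Key ([System.IO.File]::ReadAllBytes($keyFile)) -BlobPath $blobFile
if ($cred.GetNetworkCredential().Password -ne 'Example-P@ss') { throw 'Round trip failed' }

# ...which is exactly why the key must be protected: a different key fails,
# but whoever holds both files holds the password.
$wrongKey = New-Object byte[] 32
try { Unprotect-PasswordWithKey -UserName 'domain\admin' -Key $wrongKey -BlobPath $blobFile } catch { Write-Warning $_ }

Remove-Item $keyFile, $blobFile -Force
```

In practice the key file is what you lock down (a tight ACL on a share the service account can read, or the key itself stored DPAPI-protected on each machine), while the blob can travel with the script. Either way this only moves the secret, it does not remove it.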

I have also made the code public at either of the links below:

I hope you have enjoyed reading this and find the code here useful.

2 comments
ntatschner

As far as I'm aware this encrypted string will only work on the system that created it. Do you know of a way that you can encrypt a password that'll work across different systems?

kspulkowski

At a quick glance I do not see an option to change the admin password. Just delete the credential file?
