3

#PSTip Storing of credentials

I frequently use different credentials to connect to some of my servers. Oh man, I wish I have just one account J As Configuration Manager is based on WMI, my most frequently used cmdlet is Get-WmiObject. And I use its Credential parameter to pass credentials I need for specific server. You can save your credentials to a variable by using the Get-Credential cmdlet.

PS> $cred = Get-Credential domain\makovec

But after some time it’s boring to do this every time I start my session. So, I am saving my credentials to a file and load it in $profile. I have three functions for working with credentials.

  1. New-DMCredential – creates a new file with credentials stored inside.
  2. Get-DMCredential – load credentials from a file (and then save it to a variable).
  3. Show-DMCredential – ehh, sometimes I forgot current password (especially after holiday). This one shows me password in clear text.

I got this idea of storing it this way from Lee Holmes’s PowerShell Cookbook. I’ve just written a function around his code. You can see dDM alias used in the following examples. This alias is used as a file name for stored credentials (used as output of New-DMCredential function and input of Get-DMCredential). The name of variable holding credential object is also based on this alias name.

PS> New-DMCredential -UserName domain\makovec -Alias dDM

It creates file with credentials. To be clear – the file doesn’t contain data in a clear text. It’s encrypted using Data Protection API.

I can use this stored credentials to assign them to a variable (this is the line I have in my $profile):

PS> Get-DMCredential -UserName domain\makovec -Alias dDM

When I want to connect to one of my servers I can use this variable:

PS> Connect-ConfigMgrProvider -ComputerName MyServer -Credential $dDM

Or I can see my password when needed:

PS> Show-DMCredential $dDM
Pa$$w0rd

Here are the functions I use. I’ve commented it inline.

function New-DMCredential
{
	[CmdletBinding()]

	param(
		[Parameter(
			Mandatory = $true,
			Position = 0
		)]
		[string]$UserName,
		[Parameter(
			Mandatory = $true,
			Position = 1
		)]
		[string]$Alias
	)

	# Where the credentials will be stored
	$path = 'c:\Scripts\Resources\cred\'

	# get credentials for given username
	$cred = Get-Credential $UserName

	# and save encrypted text to a file
	$cred.Password | ConvertFrom-SecureString | Set-Content -Path ("$path\$Alias")
}

function Get-DMCredential
{
	[CmdletBinding()]

	param(
		[Parameter(
			Mandatory = $true,
			Position = 0
		)]
		[string]$UserName,
		[Parameter(
			Mandatory = $true,
			Position = 1
		)]
		[string]$Alias
	)

	# where to load credentials from
	$path = 'c:\Scripts\Resources\cred\'

	# receive cred as a PSCredential object
	$pwd = Get-Content -Path ("$path\$Alias") | ConvertTo-SecureString
	$cred = New-Object System.Management.Automation.PSCredential $UserName, $pwd

	# assign a cred to a global variable based on input
	Invoke-Expression &quot;<code>$Global:$($Alias) = </code>$cred&quot;
	Remove-Variable -Name cred
	Remove-Variable -Name pwd
}

function Show-DMCredential
{
	param($cred)

	# Just to see password in clear text
	[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))
}

I can probably change this script to module and make it a bit more user friendly. I will do that soon. At the moment–you can do that as your homework :).

Filed in: Columns, Tips and Tricks Tags: , ,

3 Responses to "#PSTip Storing of credentials"

  1. Martin9700 says:

    The Password property on the PSCredential object has a GetNetworkCredential() method on it that will give you the password in clear text.

    $cred.GetNetworkCredential().Password

  2. Jaap Brasser says:

    Cool stuff, I wrote a similar function to this as well. I think it might be worth mentioning that to display the password you can also call the GetNetworkCredential() method of the PSCredential Object. So instead of calling Show-DMCredential -Cred $dDM you could simply do:

    $dDM.GetNetworkCredential().Password

Leave a Reply

Submit Comment

© 2016 PowerShell Magazine. All rights reserved. XHTML / CSS Valid.
Proudly designed by Theme Junkie.
%d bloggers like this: