How to Pass Credentials in PowerShell

In this post we are going to look at the multiple different ways to use user credentials in PowerShell.

Bear in mind, the examples listed in this post aren’t the only options available when it comes to using credentials in PowerShell, but these examples are a good place to start.

Having your domain username and password in a script –

BAD PRACTICE – DEGRADES THE SECURITY OF THE ACCOUNT

$username = "domain\username"
$password = "NotSecurePassword"
$Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password


Manual entry for single command use:

$Credentials = Get-Credential

By specifying the ‘Get-Credential’ cmdlet we can enter the user credentials we require



For a script with multiple commands requiring credentials –

You will need to do something similar to the example below to avoid having to continually input your credentials.

In summary, we are going to enter the required domain password and pass it to the ‘ConvertFrom-SecureString’ cmdlet, which will save the password to a text file as an encrypted string at the file path C:\test\password.txt

$Credentials = Get-Credential
$Credentials.Password | ConvertFrom-SecureString | Set-Content C:\test\password.txt
$Username = $Credentials.Username
$Password = Get-Content "C:\test\password.txt" | ConvertTo-SecureString
$Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password

Not necessary, but if you want to pass your domain password into its own variable you can do this (note that this returns the password as plain text):

$Password = $Credentials.GetNetworkCredential().Password


Avoid putting in the domain/username field –

Alternatively if you want to save putting in both your username and your password every time you run the script, you can set it so you will only need to input your password when the script runs.

To do this you would put your domain\username in the script, similar to this –

$username = "domain\username"

and then include the below command at the beginning of the script, which will force you to enter in your domain password upon running the script.

read-host -assecurestring | convertfrom-securestring | out-file C:\test\password.txt

It will look similar to this:

$username = "domain\username"
$password = cat C:\test\password.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

Just like the example above, this will export your domain password to the C drive test folder in an encrypted text document.
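The two snippets above prompt on every run, so the saved file is never actually reused. The following is an added example (not code from the original post) that prompts only when the file is missing or cannot be decrypted, and restricts the file to the current user. Without a -Key, ConvertFrom-SecureString protects the string with Windows DPAPI, so it decrypts only for the same Windows user on the same computer. The function name Get-StoredCredential is hypothetical; the path is the one used in this post.

```powershell
# Added example: Get-StoredCredential is a hypothetical helper name.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Path = 'C:\test\password.txt'
    )

    if (Test-Path -LiteralPath $Path) {
        try {
            # Decrypts only for the Windows user and computer that wrote the file (DPAPI).
            $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
                ConvertTo-SecureString -ErrorAction Stop
            return New-Object System.Management.Automation.PSCredential $UserName, $secure
        }
        catch {
            # Typical cause: the file was created by another account or on another machine.
            Write-Warning "Could not decrypt $Path as $env:USERNAME on $env:COMPUTERNAME; prompting again."
        }
    }

    # First run (or unreadable file): prompt once, then cache the encrypted string.
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -LiteralPath $Path

    # Restrict the file to the current user: drop inherited ACEs, grant one explicit rule.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    New-Object System.Management.Automation.PSCredential $UserName, $secure
}

# Usage: the first run prompts for the password, later runs read the cached file.
$cred = Get-StoredCredential -UserName 'domain\username'
```

Anything running as the same user on the same computer can still decrypt the file, so the file ACL limits exposure to other accounts only.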

Hope this is helpful!

 



9 thoughts on “How to Pass Credentials in PowerShell”

  1. nice..please remember, proper English is to use the word ‘below’ after the object you’re talking about..
    in other words, pilots wouldn’t say ‘hey, look at the below objects!’ they would instead say, ‘hey, look at the objects below’.
    why do people in IT think it’s OK to say things like ‘look at the below table’ instead of ‘look at the table below’?
    when did that become the norm?


  2. I think we have missed a lot here

    The first set of code will never run, where you are entering the password manually. You are not converting it to secure string and PSCredential will not accept it as proper input.

    Won’t work

    ==================================================================================
    $username = "domain\username"
    $password = "NotSecurePassword"
    $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
    ====================================================================================

    Will Work
    =============================================================================
    $username = "domain\username"
    $password = "NotSecurePassword" | ConvertTo-SecureString -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
    ============================================================================

    Or better Try this one liner
    ============================================================================
    $Credentials = New-Object System.Management.Automation.PSCredential domain\username,('NotSecurePassword' | ConvertTo-SecureString -AsPlainText -Force)

    Regards,
    Vivek Sharma


  3. Another way: save credentials in an .xml file and use it (them) later
    $Account = "MyDomain\MyAccount"
    $AccountPassword = "123456" | ConvertTo-SecureString -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential($Account,$AccountPassword)
    # and for later use, export it to a file
    $Credentials | Export-CliXml -Path c:\temp\credential.xml

    # Perhaps better, store all credentials in a unique .xml file and use it later
    $Directory = "C:\temp"
    $PasswordFile = Join-Path -Path $Directory -ChildPath "AllCredentials.xml"
    # Define a HashTable that contains multiple credentials
    $Hash = @{
    Srv1 = Get-Credential -Message "Please enter the credentials for Account on SRV1 – form : Domain\Account or IP\Account or Machine\Account"
    Srv2 = Get-Credential -Message "Please enter the credentials for Account on SRV2 – form : Domain\Account or IP\Account or Machine\Account"
    Srv3 = Get-Credential -Message "Please enter the credentials for Account on SRV3 – form : Domain\Account or IP\Account or Machine\Account"
    }

    # Show $hash : it contains all credentials
    $Hash | Export-Clixml -Path $PasswordFile

    # later you can add a new value in the hash table with the method add (key, value)
    $hash.add("Srv4" , (Get-Credential -Message "Please enter the credentials for Account on SRV4 – form : Domain\Account or IP\Account or Machine\Account"))
    # export again so that the saved file also contains Srv4
    $Hash | Export-Clixml -Path $PasswordFile

    # You can use later by importing the previously saved credential
    $Credentials = Import-Clixml -Path $PasswordFile
    Invoke-Command -ComputerName srv1 -Credential $Credentials.Srv1 -ScriptBlock { MyCommand}
    Invoke-Command -ComputerName srv2 -Credential $Credentials.Srv2 -ScriptBlock { MyCommand}
    Invoke-Command -ComputerName srv3 -Credential $Credentials.Srv3 -ScriptBlock { MyCommand}
    Invoke-Command -ComputerName srv4 -Credential $Credentials.Srv4 -ScriptBlock { MyCommand}
    # Biggest advantages : easy to implement and 100% secure.
    # : The file contain multiples passwords, AND Domain\accounts or machine\accounts
    # Biggest drawback : Only use on the same account on the same computer
    # Limitation : Only use on the same account on the same computer,
    # but you can generate the hash with a runas “AccountthatRunTheScheduledTask”
    # and one limitation disappears.


  4. Just a thought;
    I think if we keep the passwords in the text file (even though it’s in a secure form) and once the file is in the wrong hands, one can decrypt the password easily by running the command below:
    $(New-Object System.Management.Automation.PSCredential "a",$(Get-Content path\to\password.txt | ConvertTo-SecureString)).GetNetworkCredential().Password


  5. Well, I’m sure it is a simple task but you made it complicated as hell.
    I’m trying to hack it for the last 4 hours and still cannot get it to work.
    I’m registered just to tell you this. You guys suck!
    just post the complete code, less talk more complete code!

