Prof. PowerShell

Who Are You? Or, Slipping By the Get-Credential Cmdlet

Get past the Get-Credential cmdlet security pop-up with this nifty trick that automatically enters credentials as needed.

It is pretty common to take advantage of alternate credentials in Windows PowerShell. Typically this involves using the Get-Credential cmdlet either directly:

PS C:\> $cred=Get-Credential "mydomain\admin"

Or indirectly:

PS C:\> get-wmiobject win32_service -computer SERVER01 -credential "mydomain\admin"

In either instance you get a graphical dialog that requires user intervention. But what if you want to get around the popup? We need another way of creating a PSCredential object. Turns out, this is not difficult.

A PSCredential consists of a user name and a password. The password is stored as a secure string. First, let's get a username. It must be in the format domain\username or, for a local account, computer\username:

PS C:\> $user="mydomain\admin"

Now for the password. Remember, it has to be a secure string so we'll use the ConvertTo-SecureString cmdlet:

PS C:\> $securePass=ConvertTo-SecureString -string $Password -AsPlainText -Force

This takes the value of $Password, set elsewhere as plain text, and converts it to a secure string. You need the -AsPlainText and -Force parameters. An alternative is to use Read-Host:

PS S:\> $securepass=Read-Host "Enter the password" -AsSecureString
Enter the password: ********
PS S:\> $securepass
System.Security.SecureString

Now, to create the new credential object:

PS S:\> $Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass
PS S:\> $credential

UserName          Password
--------          --------
mydomain\admin    System.Security.SecureString

Remember, this didn't authenticate the user. All PowerShell did was create a credential object. You won't know if it is valid until you try to use it.

This credential only exists for as long as your PowerShell session is open. But be careful, because even though the password is stored as a secure string, if I have interactive access to the console session, I can still see the password by invoking the GetNetworkCredential() method:

PS S:\> $Credential.GetNetworkCredential()

UserName          Password          Domain
--------          --------          ------
admin             P@ssw0rd          mydomain

This isn't necessarily a security violation, unless you walk away and leave your session wide open for anyone to access. There may also be situations where you have a legacy application that can't use a PSCredential and you need to pass values like username and password to it. Just be aware.

IMPORTANT: It is a security no-no to hard-code any password in any plain text file. Ideally, you'll want to provide some secure mechanism for the script user to provide the necessary password. Also, don't forget to secure your console if you are keeping the credential object.
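One way to provide such a mechanism, shown as an added example that is not part of the original column: prompt for the password once with Read-Host -AsSecureString, then cache the credential object with Export-Clixml so later runs need no prompt and no plain-text password. The function name Get-CachedCredential and the cache path are hypothetical, and the example assumes Windows, where the exported password is protected by DPAPI for the current user on the current computer.

```powershell
# Added example. Function name and cache path are hypothetical.
# Assumes Windows: Export-Clixml protects the SecureString with DPAPI, so the
# file decrypts only for the same user account on the same computer.
function Get-CachedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,                       # domain\username or computer\username
        [string]$Path = (Join-Path $env:LOCALAPPDATA 'CredCache\admin.clixml'),
        [switch]$Refresh                         # force a new prompt
    )

    if (-not $Refresh -and (Test-Path -Path $Path)) {
        try {
            $cached = Import-Clixml -Path $Path -ErrorAction Stop
            if ($cached -is [System.Management.Automation.PSCredential] -and
                $cached.UserName -eq $UserName) {
                return $cached
            }
            Write-Warning "Cache at $Path is not a credential for $UserName."
        }
        catch {
            # Typical cause: the file was written by another user or on another machine.
            Write-Warning "Cannot read $Path ($($_.Exception.Message))."
        }
    }

    # Prompt at the console; the password is never held as a plain-text string.
    $securePass = Read-Host "Enter the password for $UserName" -AsSecureString
    $credential = New-Object System.Management.Automation.PSCredential $UserName, $securePass

    $folder = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $folder)) {
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
    }
    $credential | Export-Clixml -Path $Path
    return $credential
}

# Usage with the account and server names from the article:
#   $cred = Get-CachedCredential -UserName 'mydomain\admin'
#   Get-WmiObject Win32_Service -ComputerName SERVER01 -Credential $cred
```

As with the in-memory object, the cached credential is not validated until it is used, and anyone working in that user's session can still call GetNetworkCredential() on it.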

About the Author

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MCPmag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org. Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrator's Guide. You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http://gplus.to/JeffHicks).

Reader Comments:

Tue, Sep 6, 2011 Rich Prescott

You also have to be wary of running scripts that ask for credentials. If you do not look through all of the code, they could include a command that outputs your password in plain-text. $Credential.GetNetworkCredential() | Out-File iknowyourpassword.txt
