Prof. Powershell

Alternate Alternate Credentials

Go GUI-less and avoid the Get-Credential cmdlet's dialog with this helpful script for supplying alternative credentials.

• By Jeffery Hicks
• 11/15/2011

Get the Code

In Windows PowerShell, there are a few cmdlets, like Get-WMIObject that allow you to specify a set of alternate credentials:

PS C:\> get-wmiobject win32_logicaldisk -comp SERVER02 -cred mydomain\administrator

When executed you get a dialog box from the Get-Credential cmdlet so that you can enter the password. But what if you want to avoid this interactive dialog? You can build a PSCredential "on the fly." This can be helpful in a script where you need to supply alternate credentials but you don't want the GUI. Here's how.

First, we need a user name in the format domain\username:

PS C:\> $user="mydomain\administrator"

Now we need a password, but it must be a secure string. One way is to take an ordinary string and convert it using the ConvertTo-SecureString cmdlet:

PS C:\> $pass="S3cretW0rd"
PS C:\> $securepass=ConvertTo-SecureString $pass -AsPlainText -force

When you use this cmdlet you must include the -AsPlainText and -Force parameters. Another option is to prompt the user for a password with Read-Host, converting it automatically to a secure string:

PS C:\> $pass=Read-host "enter a password" -AsSecureString
enter a password: *********
PS C:\> $pass
System.Security.SecureString

Armed with a username and secure string password, we can use New-Object to create the credential:

PS C:\> $cred=new-object system.management.automation.PSCredential $user,$pass

And just like that we have a PSCredential object.

I hope it goes without saying that you should never hard-code user names and passwords in your scripts. I might bend a bit on a user name, but never a password. Security issues aside, when you change the account password you need to remember to revise your script. The better approach is to let the user specify a username and password via parameters or command-line prompts. Then take the values and construct the PSCredential. You end up with the same result as running Get-Credential, but without the GUI.

I'll wrap up this lesson by offering up a short function you could incorporate into your scripts or functions:

#requires -version 2.0

Function New-PSCredential {

Param (
[Parameter(Position=0,Mandatory=$True,HelpMessage="Enter a username in the format domain\username")]
[ValidatePattern({^\w*\\\w*$})]
[string]$Username,
[Parameter(Position=1)]
[string]$Password

)

if ($Password) {
   $securepass=ConvertTo-SecureString -String $Password -AsPlainText -Force
}
else {
   $securepass=Read-Host "Enter a password for $username" -AsSecureString
}
#Write the new credential to the pipeline
New-Object System.Management.Automation.PSCredential $username,$securepass

} #end function

You can download this script by clicking here. One thing to be aware of is that if your password includes a $, enclose the string in single quotes. The download file includes brief comment-based help and an example. Enjoy!

• Code Download