Prof. Powershell

Who Are You? Or, Slipping By the Get-Credential Cmdlet

Get past the Get-Credential cmdlet security pop-up with this nifty trick that automatically enters credentials as needed.

It is pretty common to take advantage of alternate credentials in Windows PowerShell. Typically this involves using the Get-Credential cmdlet either directly:

PS C:\> $cred=Get-Credential "mydomain\admin"

Or indirectly:

PS C:\> get-wmiobject win32_service -computer SERVER01 -credential "mydomain\admin"

In either instance you get a graphical dialog that requires user intervention. But what if you want to get around the popup? We need another way of creating a PSCredential object. Turns out, this is not difficult.

A PSCredential consists of a user name and a password. The password is stored as a secure string. First, let's get a username. It must be in the format domain\username or, for a local account, computer\username:

PS C:\> $user="mydomain\admin"

Now for the password. Remember, it has to be a secure string so we'll use the ConvertTo-SecureString cmdlet:

PS C:\> $securePass=ConvertTo-SecureString -string $Password -AsPlainText -Force

This takes the value of $Password, set elsewhere as plain text, and converts it to a secure string. You need the -AsPlainText and -Force parameters. An alternative is to use Read-Host:

PS S:\> $securepass=Read-Host "Enter the password" -AsSecureString
Enter the password: ********
PS S:\> $securepass
System.Security.SecureString

Now, to create the new credential object:

PS S:\> $Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass
PS S:\> $credential

UserName          Password
--------          --------
mydomain\admin    System.Security.SecureString

Remember, this didn't authenticate the user. All PowerShell did was create a credential object. You won't know if it is valid until you try to use it.

This credential only exists for as long as your PowerShell session is open. But be careful, because even though the password is stored as a secure string, if I have interactive access to the console session, I can still see the password by invoking the GetNetworkCredential() method:

PS S:\> $Credential.GetNetworkCredential()

UserName          Password          Domain
--------          --------          ------
admin             P@ssw0rd          mydomain

This isn't necessarily a security violation, unless you walk away and leave your session wide open for anyone to access. There may also be situations where you have a legacy application that can't use a PSCredential and you need to pass values like username and password to it. Just be aware.

IMPORTANT: It is a security no-no to hard-code any password in any plain text file. Ideally, you'll want to provide some secure mechanism for the script user to provide the necessary password. Also, don't forget to secure your console if you are keeping the credential object.
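One way to meet that requirement is shown here as an added example (not code from the original article). It prompts for the password once, stores it encrypted on disk, and rebuilds the PSCredential without a prompt on later runs. The function name Get-SavedCredential and the default file path are hypothetical.

```powershell
# Added example. Get-SavedCredential and the default path are hypothetical names.
function Get-SavedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,   # domain\username, or computer\username for a local account

        [string]$Path = (Join-Path $env:LOCALAPPDATA 'admin.securestring.txt')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run only: prompt once. The password is never echoed and never
        # exists as a plain-text variable in the script.
        $secure = Read-Host "Enter the password for $UserName" -AsSecureString

        # Without -Key, ConvertFrom-SecureString on Windows encrypts with DPAPI,
        # so only the same user on the same computer can decrypt the file.
        $secure | ConvertFrom-SecureString | Set-Content -LiteralPath $Path
    }

    # Later runs: turn the encrypted text back into a SecureString, no prompt.
    $securePass = Get-Content -LiteralPath $Path | ConvertTo-SecureString

    New-Object System.Management.Automation.PSCredential $UserName, $securePass
}

# Usage, with the account and server names used earlier in the article.
$Credential = Get-SavedCredential -UserName 'mydomain\admin'
Get-WmiObject Win32_Service -ComputerName SERVER01 -Credential $Credential
```

Because the file can only be decrypted by the account that created it, a scheduled script has to create the file while running as its own service account. GetNetworkCredential() still reveals the password inside that account's session, so the caution about securing the console still applies.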

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.
