ConvertTo-SecureString

Glenn Maxwell 12,476 Reputation points
2023-12-26T18:35:11.61+00:00

Hi All

I have one script running on one server, let's say server01, and in the script I have the below starting lines. This script runs once every 24 hours and it has a Task Scheduler job. I want to move this script to server02. If I get the below lines correct then I guess I can run this script on server02.

$Key = "D:\K1.key" 
$Username = "******@contoso.onmicrosoft.com"  
$Pass = cat $Key | ConvertTo-SecureString  
$Credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $Username, $Pass

On server02, I have the password for user1, let's say P@sswOrd. If I just run the below commands from PowerShell, copy the script from server01 to server02 and execute it on server02, will it work? Please guide me.

$Pass = ConvertTo-SecureString "P@sswOrd" -AsPlainText -Force 
$Credentials = New-Object System.Management.Automation.PSCredential ("******@contoso.onmicrosoft.com", $Pass)
Connect-OrganizationAddInService -Credential $Credentials



Accepted answer
  1. Rich Matheisen 47,686 Reputation points
    2023-12-26T20:11:22.0533333+00:00

    In my answer I gave you the way to securely store the credential. In the link I provided in that answer there was also a way to create the credential if it hasn't been created beforehand.

    You can place the user and password into a file for a one-time use and modify the way that the values are acquired. Let's say you placed both the user and password into one text file. The code in your script would read those files, use the user/password to create and store the credential, and then delete the file(s) that held the plain-text user id and password.

    From then on, the scheduled task would find the credential in the XML file. If you want to change the user id, or the password, delete the XML file holding the credential and create a new file for the user id and password. The next time the scheduled task runs it will remove those plain-text files and store the new credential in the XML file.

    The user/password is exposed only for a brief time (and if it/they are properly secured only a very few people would have access to it/them). It's not an absolutely secure method, but it will reduce your exposure by quite a lot.


3 additional answers

  1. Andreas Baumgarten 118.9K Reputation points MVP
    2023-12-26T18:46:43.7333333+00:00

    Hi @Glenn Maxwell ,

    your "server02"-script works fine here:

    $Pass = ConvertTo-SecureString "P@sswOrd" -AsPlainText -Force 
    $Credentials = New-Object System.Management.Automation.PSCredential ("******@contoso.onmicrosoft.com", $Pass)
    

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards Andreas Baumgarten


  2. Rich Matheisen 47,686 Reputation points
    2023-12-26T19:28:53.1766667+00:00

    Yes, your code will function in the way you expect . . . BUT it has a gaping security hole. You have the user ID and password in a plain-text file. Is the file kept in a place that prevents all but a select few accounts from reading that file?

    Have a look at this for a way to store the credential in a file: https://stackoverflow.com/questions/40029235/save-pscredential-in-the-file

    Once the credential has been stored in the file, protect the file from unauthorized access.

    Remember: the stored credential can only be decrypted by the user that created it and only on the machine from which the credential was created. In other words, you can't copy the file to another machine and, even with the same user, expect to use it.

    If you're using the credential in a scheduled task, the credential should be created using the same account under which the task runs.

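The one-time bootstrap described in the accepted answer, combined with the user- and machine-bound credential file described in the answer above, as an added example that is not part of either answer. The file paths, the two-line bootstrap format and the function name `Get-TaskCredential` are assumptions; run it under the same account as the scheduled task.

```powershell
# Added example. Paths and the bootstrap file layout are assumptions, not from the thread.
$BootstrapFile  = 'D:\Secrets\bootstrap.txt'   # hypothetical: line 1 = user id, line 2 = password
$CredentialFile = 'D:\Secrets\credential.xml'  # hypothetical: encrypted credential store

function Get-TaskCredential {
    param(
        [Parameter(Mandatory)] [string] $BootstrapPath,
        [Parameter(Mandatory)] [string] $CredentialPath
    )

    # One-time step: a plain-text bootstrap file exists, so build the credential,
    # store it encrypted, then remove the plain-text copy.
    if (Test-Path -LiteralPath $BootstrapPath) {
        $lines = @(Get-Content -LiteralPath $BootstrapPath)
        if ($lines.Count -lt 2) {
            throw "Bootstrap file needs the user id on line 1 and the password on line 2."
        }
        $secure = ConvertTo-SecureString -String $lines[1] -AsPlainText -Force
        $cred   = New-Object System.Management.Automation.PSCredential ($lines[0], $secure)

        # On Windows, Export-Clixml protects the password with DPAPI, bound to the
        # current user account on the current machine.
        $cred | Export-Clixml -LiteralPath $CredentialPath
        Remove-Item -LiteralPath $BootstrapPath -Force
        return $cred
    }

    # Every later run: read the stored credential.
    if (-not (Test-Path -LiteralPath $CredentialPath)) {
        throw "No credential file and no bootstrap file. Create '$BootstrapPath' once."
    }
    try {
        return Import-Clixml -LiteralPath $CredentialPath -ErrorAction Stop
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Typical failure when the file was created by another account or on another
        # server, for example after copying it from server01 to server02.
        throw ("Cannot decrypt '$CredentialPath' as $env:USERNAME on $env:COMPUTERNAME. " +
               "Delete it and re-create the bootstrap file under the task's account.")
    }
}

$Credentials = Get-TaskCredential -BootstrapPath $BootstrapFile -CredentialPath $CredentialFile
```

Restrict the folder's ACL to the task's account and administrators, since the bootstrap file holds the password in plain text until the first run removes it.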

  3. Glenn Maxwell 12,476 Reputation points
    2023-12-26T19:31:48.2466667+00:00

    Should I use both of these or one syntax?

    $Pass = ConvertTo-SecureString "P@sswOrd" -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential ("******@contoso.onmicrosoft.com", $Pass)
    Connect-OrganizationAddInService -Credential $Credentials
    
    or
    
    $username = "******@contoso.onmicrosoft.com"
    $Pass = Get-Content 'C:\string.txt' | ConvertTo-SecureString
    $Credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $Pass
    
    
