powershell to store user credential for commands

Question

Dear Experts,

I'm trying to rename a list of AD computers, however as checked from MS site, following script I just created didn't give me an option to store password, so each line being used, it asked me to manually enter my AD password. What can we enhance at this point so I can store my AD password somewhere and the script will use it? if possible, I don't want to store my password in the script in plain text.

Many thanks!

$List = Import-Csv "C:\Computer_Rename_List.csv"
foreach ($List in $Lists)
{
Rename-Computer `
-ComputerName $List.Current_Name `
-NewName $List.New_Name `
-DomainCredential DOMAIN\ADMIN `
-Force
}

Answer 1

Hi @Eaven HUANG ,

You can use the ConvertFrom-SecureString method.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertfrom-securestring?view=powershell-7.2

Does this help?

Answer 2

Hello

Thank you for your question and reaching out.

I can understand you wish to pass Credentials in PowerShell session.

The PSCredential object represents a set of security credentials such as a user name and password. The object can be passed as a parameter to a function that runs as the user account in that credential object. There are a few ways that you can create a credential object. The first way to create a credential object is to use the PowerShell cmdlet Get-Credential. When you run without parameters, it prompts you for a username and password. Or you can call the cmdlet with some optional parameters.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential?view=powershell-7.2

------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept as answer--

Answer 3

I don't think either of these docs on their own meets the original request.
Which is to avoid manually entering the password and to NOT store passwords in the script.
Therefore I'm assuming using read-host doesn't meet the requirement.

I can recommend two options for this.

Using a 256-bit AES key file and a password file.
Ensuring you store both files on a secure NTFS share that the account running the script has access to.
You need to lock down access to the share, as having access to the key file will let you read the password file. Don't store the file in the same location as the script.

Then it would be something like this.

$Account = "MyDomain\MyAccount"  
$Key = Get-Content "\\MyServer\MyShare\AES_KEY_FILE.key"  
$Credentials = New-Object System.Management.Automation.PSCredential($Account,(Get-Content "\\MyServer\MyShare\AES_PASSWORD_FILE.txt" | ConvertTo-SecureString -Key $Key))  

Read here for more information on how to create the key and password file.
https://dennisspan.com/encrypting-passwords-in-a-powershell-script

Second (and preferred) option if you are lucky enough to have access to this in Azure is to use something like KeyVault.

https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-powershell

Similar to option 1. You lock down the key vault to the Service Account that will run the script.

Answer 4

On a side note, please don't use domain admins for this.

Create a service account with least privilege to rename computers.

If I remember rightly, by default Account Operators and Domain admins have the Active Directory rights to do this on computer objects.

Account Operators still give far too many permissions for the task at hand though.

So you can delegate just permissions to rename computer accounts.

Two permissions are required. The domain account needs "Rename a Computer Account" permissions for the and you have to have an account that is a member of the local administrators account on the computer being renamed. Create a group with these rights and then create a service account specifically for renaming accounts and add it to this group.