Getting Credentials From The Command Line


When you use the Get-Credential cmdlet, you get a GUI dialog box to enter the credentials. This is the "Common Criteria Certified" way of handling credentials. It is also a pain in the butt at times. If you are an admin, you can alter this by setting the ConsolePrompting value under the machine-wide ShellIds registry key, so that Get-Credential requests credentials on the command line instead:

 

PS> $key = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds"
PS> Set-ItemProperty $key ConsolePrompting True
PS> Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
User: ntdev\jsnover
Password for user ntdev\jsnover: **************


UserName                                                           Password
--------                                                           --------
ntdev\jsnover                                  System.Security.SecureString

 

Enjoy!

 

Jeffrey Snover [MSFT]
Windows Management Partner Architect
Visit the Windows PowerShell Team blog at:    http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at:  http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
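
The registry change above is machine-wide and stays in place until someone reverts it. The following is an added example, not part of the original post: it reads the current ConsolePrompting state and applies the setting only for one prompt before restoring the previous value. The function names are hypothetical; the key and value name are the ones used in the post.

```powershell
# Added example; function names are hypothetical, key and value name come from the post.
$ShellIdsKey = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds'

function Get-ConsolePromptingState {
    # $true  -> Get-Credential prompts in the console
    # $false -> value missing or not 'True', so the GUI dialog is used
    $prop = Get-ItemProperty -Path $ShellIdsKey -Name ConsolePrompting -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ($prop.ConsolePrompting -eq 'True')
}

function Set-ConsolePromptingState {
    param([Parameter(Mandatory=$true)] [bool] $Enabled)

    # HKLM affects every user of the machine and can only be written from an elevated session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Changing ConsolePrompting requires an elevated (administrator) session.'
    }

    # Return the previous state so the caller can put it back.
    $previous = Get-ConsolePromptingState
    Set-ItemProperty -Path $ShellIdsKey -Name ConsolePrompting -Value ([string]$Enabled)
    return $previous
}

# Prompt once on the console, then restore whatever the administrator had configured.
$before = Set-ConsolePromptingState -Enabled $true
try {
    $cred = Get-Credential
}
finally {
    $null = Set-ConsolePromptingState -Enabled $before
}
```

Running Get-ConsolePromptingState on its own is a quick way to audit whether a machine still uses the default GUI prompt.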

  • I ended up using this approach for a different reason: because I couldn't find a way to customize what the pop-up dialog says when you use get-credential.

  • On second thought I used something slightly different:

    echo 'Enter the password to log in: '
    $password = read-host -assecurestring
    $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $password

    One advantage here is that it's a little less disruptive to the environment (no registry change).

  • I've been looking for a way to create a credential for the transporter suite using a notes id.  There are no examples that I've been able to find, but the object type that's expected is a PSCredential using a Notes ID.  How would you do this?

  • Interesting. Some time ago, I created a function Get-ConsoleCredential for just this purpose. It is useful for creating a "su" analog among other things. Here's the relevant bit from my profile.

    #starts a new powershell console with specified credentials, similar to su(1) on UNIX
    function Substitute-User( [String] $username="root" )
    {
        if( $username -eq $null )
        {
            #look up the built-in Administrator account using WMI.
            #the built-in administrator has a SID that starts with S-1-5 and ends with -500.
            $accts = get-wmiobject win32_useraccount
            foreach( $acct in $accts )
            {
                if( $acct.SID -match '^S-1-5-.+-500$' )
                {
                    $username = $acct.Caption
                    break
                }
            }
        }

        $credential = Get-ConsoleCredential( $username )

        $startinfo = new-object Diagnostics.ProcessStartInfo
        $startinfo.UseShellExecute = $false
        $startinfo.FileName = "$pshome\powershell.exe"
        $startinfo.UserName = $credential.UserName
        $startinfo.Password = $credential.Password
        $startinfo.WorkingDirectory = $pwd

        trap [ComponentModel.Win32Exception]
        {
            if( $_.Exception.NativeErrorCode -eq 267 )
            {
                write-host "$pwd is an invalid directory for $username."
                write-host "Starting PowerShell in ${env:SystemRoot}\system32."
                $startinfo.WorkingDirectory = "${env:SystemRoot}\system32"
                $null = [Diagnostics.Process]::Start( $startinfo )
            }
            else
            {
                $_.Exception.Message
            }
            continue
        }

        $null = [Diagnostics.Process]::Start( $startinfo )
    }

    #Generate a PSCredential object without creating a pop-up security dialog like
    #the built-in get-credential cmdlet.
    function Get-ConsoleCredential( [String] $username=$( read-host 'Username' ) )
    {
        while( !($username) )
        {
            $username = read-host 'Username'
        }
        $passwd = read-host -asSecureString 'Password'
        new-object Management.Automation.PSCredential $username, $passwd
    }

    # alias functions
    new-alias cred Get-ConsoleCredential
    new-alias su Substitute-User

  • Whoops. I just realized that the Substitute-User function was hard-coded to default to a specific user account and didn't look up the local administrator account correctly. Here's the correction:

    #starts a new powershell console with specified credentials, similar to su(1) on UNIX
    function Substitute-User( [String] $username )
    {
        if( !$username )
        {
            #look up the built-in Administrator account using WMI.
            #the built-in administrator has a SID that starts with S-1-5 and ends with -500.
            $accts = get-wmiobject win32_useraccount
            foreach( $acct in $accts )
            {
                if( $acct.SID -match '^S-1-5-.+-500$' )
                {
                    $username = $acct.Caption
                    if( $username -match "[^\\]+$" )
                    {
                        $username = $matches[0]
                    }
                    break
                }
            }
        }

        $credential = Get-ConsoleCredential( $username )

        $startinfo = new-object Diagnostics.ProcessStartInfo
        $startinfo.UseShellExecute = $false
        $startinfo.FileName = "$pshome\powershell.exe"
        $startinfo.UserName = $credential.UserName
        $startinfo.Password = $credential.Password
        $startinfo.WorkingDirectory = $pwd

        trap [ComponentModel.Win32Exception]
        {
            if( $_.Exception.NativeErrorCode -eq 267 )
            {
                write-host "$pwd is an invalid directory for $username."
                write-host "Starting PowerShell in ${env:SystemRoot}\system32."
                $startinfo.WorkingDirectory = "${env:SystemRoot}\system32"
                $null = [Diagnostics.Process]::Start( $startinfo )
            }
            else
            {
                $_.Exception.Message
            }
            continue
        }

        $null = [Diagnostics.Process]::Start( $startinfo )
    }

    #Generate a PSCredential object without creating a pop-up security dialog like
    #the built-in get-credential cmdlet.
    function Get-ConsoleCredential( [String] $username=$( read-host 'Username' ) )
    {
        while( !($username) )
        {
            $username = read-host 'Username'
        }
        $passwd = read-host -asSecureString 'Password'
        new-object Management.Automation.PSCredential $username, $passwd
    }

  • Why not add a parameter to get-credential in V2 so you can do this without a registry hack? Additionally, I presume this is the default behaviour in PS remoting?

  • Can I still do the following to expose the password in clear text?

    $cred = get-credential Admin

    $cred.GetNetworkCredential()

    We bugged this ages ago, but haven't seen a response - it'd be nice to know it's fixed in v2...

  • By the way, this DOES NOT seem to work in Graphical Windows PowerShell V2 (CTP2). It always brings up the GUI dialog.

    Jim

  • @Sean - There are examples in the comments of instantiating a PSCredential from scratch. See if they help.

    @Karl - This is not meant to be a configuration option that the script decides. If it were, then the administrator is no longer in control of their Common Criteria compliance.

    @Dave - We're considering changing the default _formatting_ to not display the password by default, so that you don't accidentally display the password. Having access to the password is not a problem, as the GetNetworkCredential() method is designed explicitly to support the many .NET APIs that require a NetworkCredential object.

    --

    Lee Holmes [MSFT]

    Windows PowerShell Development

    Microsoft Corporation

  • Hi,

    Is it possible to execute a block (of commandlets) with a different user context? I have the user id and pwd of the privileged user but need to run just a particular block with those credentials. The script is launched with the NETWORK SERVICE.

    Thanks.

  • Forgot about posting the question here about getting a Notes ID. After some trial and error I eventually figured this out. The following example will successfully allow the passing of a Notes credential to the various Transporter Suite cmdlets without being prompted for the Notes credentials:

    To get and store the credential for the current user:

    $notespw = Read-Host "Enter the password for the Notes ID file" -AsSecureString

    $notespw | ConvertFrom-SecureString | Set-Content $pwfile -force

    To retrieve the password and create the PSCredential object:

    $notespw = get-content $pwfile | ConvertTo-SecureString

    $notesid = new-object -typename system.management.automation.pscredential -argumentlist "-default-",$notespw

    Example of use:

    Get-DominoMailbox mary@contoso.com -SourceCredential $notesid
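
The store-and-retrieve pattern in the last comment relies on ConvertFrom-SecureString, which, when no key is supplied, protects the value with Windows DPAPI so that only the same user on the same computer can read it back. The following is an added example, not part of the original comments, that wraps the same steps, restricts the file ACL, and reports a decryption failure clearly. The function names and sample path are hypothetical; '-default-' is the user name used in the comment.

```powershell
# Added example. Function names are hypothetical; '-default-' comes from the comment above.
function Save-ProtectedPassword {
    param([Parameter(Mandatory=$true)] [string] $Path)

    $secure = Read-Host 'Enter the password for the Notes ID file' -AsSecureString
    # With no -Key/-SecureKey, ConvertFrom-SecureString encrypts with Windows DPAPI:
    # only the same user account on the same computer can convert the text back.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Force

    # Defence in depth: stop inheriting ACL entries and grant access to the current user.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Import-ProtectedCredential {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $UserName
    )

    if (-not (Test-Path -Path $Path)) {
        throw "No stored password found at $Path."
    }
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was written by another account or on another computer.
        throw "Could not decrypt $Path. DPAPI-protected files only open for the user and computer that wrote them."
    }
    New-Object System.Management.Automation.PSCredential $UserName, $secure
}

# Usage (the path is a constructed sample):
#   $pwfile = Join-Path $env:USERPROFILE 'notes.pw'
#   Save-ProtectedPassword -Path $pwfile
#   $notesid = Import-ProtectedCredential -Path $pwfile -UserName '-default-'
```

A scheduled task or service that runs under a different account cannot read a file saved this way, so the password has to be stored once while logged on as that account.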
