Welcome to MSDN Blogs Sign in | Join | Help

Getting Credentials From The Command Line

When you use the Get-Credential cmdlet, you get a GUI dialog box to enter the credentials.  This is the "Common Criteria Certified" way of handling credentials.  It is also a pain in the butt at times.  If you are an admin, you can alter this and request credentials via the command line as follows:

 

PS> $key = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds"
PS> Set-ItemProperty $key ConsolePrompting True
PS> Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
User: ntdev\jsnover
Password for user ntdev\jsnover: **************


UserName                                                           Password
--------                                                           --------
ntdev\jsnover                                  System.Security.SecureString

 

Enjoy!

 

Jeffrey Snover [MSFT]
Windows Management Partner Architect
Visit the Windows PowerShell Team blog at:    http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at:  http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
Published Friday, June 20, 2008 10:09 PM by PowerShellTeam
Filed under:

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# re: Getting Credentials From The Command Line

I ended up using this approach for a different reason: because I couldn't find a way to customize what the pop-up dialog says when you use get-credential.

Friday, June 20, 2008 8:30 PM by Carter Shanklin

# re: Getting Credentials From The Command Line

On second thought I used something slightly different:

echo 'Enter the password to log in: '

$password = read-host -assecurestring

$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $password

One advantage here is that it's a little less disruptive to the environment (no registry change).

Friday, June 20, 2008 8:50 PM by Carter Shanklin

# re: Getting Credentials From The Command Line

I've been looking for a way to create a credential for the transporter suite using a notes id.  There are no examples that I've been able to find, but the object type that's expected is a PSCredential using a Notes ID.  How would you do this?

Friday, June 20, 2008 9:31 PM by Sean

# re: Getting Credentials From The Command Line

Interesting. Some time ago, I created a function Get-ConsoleCredential for just this purpose. It is useful for creating a "su" analog among other things. Here's the relevant bit from my profile.

#starts a new powershell console with specified credentials, similar to su(1) on UNIX

function Substitute-User( [String] $username="root" )

{

if( $username -eq $null )

{

#look up the built-in Administrator account using WMI.

#the built-in administrator has a SID that starts with S-1-5 and ends with -500.

$accts = get-wmiobject win32_useraccount

foreach( $acct in $accts )

{

if( $acct.SID -match '^S-1-5-.+-500$' )

{

$username = $acct.Caption

break

}

}

}

$credential = Get-ConsoleCredential( $username )

$startinfo = new-object Diagnostics.ProcessStartInfo

$startinfo.UseShellExecute = $false

$startinfo.FileName = "$pshome\powershell.exe"

$startinfo.UserName = $credential.UserName

$startinfo.Password = $credential.Password

$startinfo.WorkingDirectory = $pwd

trap [ComponentModel.Win32Exception]

{

if( $_.Exception.NativeErrorCode -eq 267 )

{

write-host "$pwd is an invalid directory for $username."

write-host "Starting PowerShell in ${env:SystemRoot}\system32."

$startinfo.WorkingDirectory = "${env:SystemRoot}\system32"

$null = [Diagnostics.Process]::Start( $startinfo )

}

else

{

$_.Exception.Message

}

continue

}

$null = [Diagnostics.Process]::Start( $startinfo )

}

#Generate a PSCredential object without creating a pop-up security dialog like

#the built-in get-credential cmdlet.

function Get-ConsoleCredential( [String] $username=$( read-host 'Username' ) )

{

while( !($username) )

{

$username = read-host 'Username'

}

$passwd = read-host -asSecureString 'Password'

new-object Management.Automation.PSCredential $username, $passwd

}

# alias functions

new-alias cred Get-ConsoleCredential

new-alias su Substitute-User

Saturday, June 21, 2008 12:04 AM by Brian Reiter

# re: Getting Credentials From The Command Line

Whoops. I just realized that the Substitute-User function was hard-coded to default to a specific user account and didn't look up the local administrator account correctly. Here's the correction:

#starts a new powershell console with specified credentials, similar to su(1) on UNIX

function Substitute-User( [String] $username )

{

if( !$username )

{

#look up the built-in Administrator account using WMI.

#the built-in administrator has a SID that starts with S-1-5 and ends with -500.

$accts = get-wmiobject win32_useraccount

foreach( $acct in $accts )

{

if( $acct.SID -match '^S-1-5-.+-500$' )

{

$username = $acct.Caption

if( $username -match "[^\\]+$" )

{

$username = $matches[0]

}

break

}

}

}

$credential = Get-ConsoleCredential( $username )

$startinfo = new-object Diagnostics.ProcessStartInfo

$startinfo.UseShellExecute = $false

$startinfo.FileName = "$pshome\powershell.exe"

$startinfo.UserName = $credential.UserName

$startinfo.Password = $credential.Password

$startinfo.WorkingDirectory = $pwd

trap [ComponentModel.Win32Exception]

{

if( $_.Exception.NativeErrorCode -eq 267 )

{

write-host "$pwd is an invalid directory for $username."

write-host "Starting PowerShell in ${env:SystemRoot}\system32."

$startinfo.WorkingDirectory = "${env:SystemRoot}\system32"

$null = [Diagnostics.Process]::Start( $startinfo )

}

else

{

$_.Exception.Message

}

continue

}

$null = [Diagnostics.Process]::Start( $startinfo )

}

#Generate a PSCredential object without creating a pop-up security dialog like

#the built-in get-credential cmdlet.

function Get-ConsoleCredential( [String] $username=$( read-host 'Username' ) )

{

while( !($username) )

{

$username = read-host 'Username'

}

$passwd = read-host -asSecureString 'Password'

new-object Management.Automation.PSCredential $username, $passwd

}

Saturday, June 21, 2008 12:23 AM by Bran Reiter

# re: Getting Credentials From The Command Line

why don't no add a parameter to get-credential in V2 so you can do this without a registry hack. Additional i presume this is the default behaviour in PS remoting?

Sunday, June 22, 2008 1:53 AM by Karl Prosser

# re: Getting Credentials From The Command Line

Can I still do the following to expose the password in clear text?

$cred = get-credential Admin

$cred.GetNetworkCredential()

We bugged this ages ago, but haven't seen a response - it'd be nice to know it's fixed in v2...

Monday, June 23, 2008 9:53 AM by Dave Saxon

# re: Getting Credentials From The Command Line

By the way, this DOES NOT seem to work in Graphical Windows PowerShell V2 (CTP2). It always brings up the GUI dialog.

Jim

Monday, June 23, 2008 1:24 PM by Jim Foster

# Interesting Links – 6/24/2008

Ask the Directory Services Team : Custom Certificate Request in Windows Vista Microsoft Security Development

Tuesday, June 24, 2008 10:17 AM by Matt Johnson's Technical Adventures

# re: Getting Credentials From The Command Line

@Sean - There are examples in the comments of instantiating a PSCredential from scratch. See if they help.

@Karl - This is not meant to be a configuration option that the script decides. If it were, then the administrator is no longer in control of their Common Criteria compliance.

@Dave - We're considering changing the default _formatting_ to not display the password by default, so that you don't accidentally display the password. Having access to the password is not a problem, as the GetNetworkCredential() method is designed explicitly to support the many .NET APIs that require a NetworkCredential object.

--

Lee Holmes [MSFT]

Windows PowerShell Development

Microsoft Corporation

Tuesday, June 24, 2008 2:50 PM by PowerShellTeam

# re: Getting Credentials From The Command Line

Hi,

 Is it possible to execute a block (of commandlets) with a different user context. I have the user id and pwd of the privileged user but need to run just a particular block with those credentials. The script is launched with the NETWORK SERVICE.

Thanks.

Friday, July 18, 2008 7:16 PM by Kris

# Notes Credential

Forgot about posting the question here about getting a Notes ID.  After some trial and error I eventually had figured this out.  The following example will successfully allow the passing of a notes credential to the various Transporter Suite cmdlets without being prompted for the notes credentials:

To get and store the credential for the current user:

$notespw = Read-Host "Enter the password for the Notes ID file" -AsSecureString

$notespw | ConvertFrom-SecureString | Set-Content $pwfile -force

To retrieve the password and create the PSCredential object:

$notespw = get-content $pwfile | ConvertTo-SecureString

$notesid = new-object -typename system.management.automation.pscredential -argumentlist "-default-",$notespw

Example of use:

Get-DominoMailbox mary@contoso.com -SourceCredential $notesid

Monday, October 06, 2008 5:49 PM by Sean

Leave a Comment

(required) 
required 
(required) 
 
Page view tracker