Getting Credentials From The Command Line

re: Getting Credentials From The Command Line

Carter Shanklin — Sat, 21 Jun 2008 03:30:10 GMT

I ended up using this approach for a different reason: because I couldn't find a way to customize what the pop-up dialog says when you use get-credential.

re: Getting Credentials From The Command Line

Carter Shanklin — Sat, 21 Jun 2008 03:50:14 GMT

On second thought I used something slightly different:

echo 'Enter the password to log in: '

$password = read-host -assecurestring

$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $password

One advantage here is that it's a little less disruptive to the environment (no registry change).

re: Getting Credentials From The Command Line

Sean — Sat, 21 Jun 2008 04:31:45 GMT

I've been looking for a way to create a credential for the transporter suite using a notes id. There are no examples that I've been able to find, but the object type that's expected is a PSCredential using a Notes ID. How would you do this?

re: Getting Credentials From The Command Line

Brian Reiter — Sat, 21 Jun 2008 07:04:52 GMT

Interesting. Some time ago, I created a function Get-ConsoleCredential for just this purpose. It is useful for creating a "su" analog among other things. Here's the relevant bit from my profile.

#starts a new powershell console with specified credentials, similar to su(1) on UNIX

function Substitute-User( [String] $username="root" )

{

if( $username -eq $null )

{

#look up the built-in Administrator account using WMI.

#the built-in administrator has a SID that starts with S-1-5 and ends with -500.

$accts = get-wmiobject win32_useraccount

foreach( $acct in $accts )

{

if( $acct.SID -match '^S-1-5-.+-500$' )

{

$username = $acct.Caption

break

}

$credential = Get-ConsoleCredential( $username )

$startinfo = new-object Diagnostics.ProcessStartInfo

$startinfo.UseShellExecute = $false

$startinfo.FileName = "$pshome\powershell.exe"

$startinfo.UserName = $credential.UserName

$startinfo.Password = $credential.Password

$startinfo.WorkingDirectory = $pwd

trap [ComponentModel.Win32Exception]

{

if( $_.Exception.NativeErrorCode -eq 267 )

{

write-host "$pwd is an invalid directory for $username."

write-host "Starting PowerShell in ${env:SystemRoot}\system32."

$startinfo.WorkingDirectory = "${env:SystemRoot}\system32"

$null = [Diagnostics.Process]::Start( $startinfo )

}

else

{

$_.Exception.Message

}

continue

}

$null = [Diagnostics.Process]::Start( $startinfo )

}

#Generate a PSCredential object without creating a pop-up security dialog like

#the built-in get-credential cmdlet.

function Get-ConsoleCredential( [String] $username=$( read-host 'Username' ) )

{

while( !($username) )

{

$username = read-host 'Username'

}

$passwd = read-host -asSecureString 'Password'

new-object Management.Automation.PSCredential $username, $passwd

}

# alias functions

new-alias cred Get-ConsoleCredential

new-alias su Substitute-User

re: Getting Credentials From The Command Line

Bran Reiter — Sat, 21 Jun 2008 07:23:48 GMT

Whoops. I just realized that the Substitute-User function was hard-coded to default to a specific user account and didn't look up the local administrator account correctly. Here's the correction:

#starts a new powershell console with specified credentials, similar to su(1) on UNIX

function Substitute-User( [String] $username )

{

if( !$username )

{

#look up the built-in Administrator account using WMI.

#the built-in administrator has a SID that starts with S-1-5 and ends with -500.

$accts = get-wmiobject win32_useraccount

foreach( $acct in $accts )

{

if( $acct.SID -match '^S-1-5-.+-500$' )

{

$username = $acct.Caption

if( $username -match "[^\\]+$" )

{

$username = $matches[0]

}

break

}

$credential = Get-ConsoleCredential( $username )

$startinfo = new-object Diagnostics.ProcessStartInfo

$startinfo.UseShellExecute = $false

$startinfo.FileName = "$pshome\powershell.exe"

$startinfo.UserName = $credential.UserName

$startinfo.Password = $credential.Password

$startinfo.WorkingDirectory = $pwd

trap [ComponentModel.Win32Exception]

{

if( $_.Exception.NativeErrorCode -eq 267 )

{

write-host "$pwd is an invalid directory for $username."

write-host "Starting PowerShell in ${env:SystemRoot}\system32."

$startinfo.WorkingDirectory = "${env:SystemRoot}\system32"

$null = [Diagnostics.Process]::Start( $startinfo )

}

else

{

$_.Exception.Message

}

continue

}

$null = [Diagnostics.Process]::Start( $startinfo )

}

#Generate a PSCredential object without creating a pop-up security dialog like

#the built-in get-credential cmdlet.

function Get-ConsoleCredential( [String] $username=$( read-host 'Username' ) )

{

while( !($username) )

{

$username = read-host 'Username'

}

$passwd = read-host -asSecureString 'Password'

new-object Management.Automation.PSCredential $username, $passwd

}

re: Getting Credentials From The Command Line

Karl Prosser — Sun, 22 Jun 2008 08:53:27 GMT

why don't no add a parameter to get-credential in V2 so you can do this without a registry hack. Additional i presume this is the default behaviour in PS remoting?

re: Getting Credentials From The Command Line

Dave Saxon — Mon, 23 Jun 2008 16:53:58 GMT

Can I still do the following to expose the password in clear text?

$cred = get-credential Admin

$cred.GetNetworkCredential()

We bugged this ages ago, but haven't seen a response - it'd be nice to know it's fixed in v2...

re: Getting Credentials From The Command Line

Jim Foster — Mon, 23 Jun 2008 20:24:09 GMT

By the way, this DOES NOT seem to work in Graphical Windows PowerShell V2 (CTP2). It always brings up the GUI dialog.

Jim

Interesting Links – 6/24/2008

Matt Johnson's Technical Adventures — Tue, 24 Jun 2008 17:17:34 GMT

Ask the Directory Services Team : Custom Certificate Request in Windows Vista Microsoft Security Development

re: Getting Credentials From The Command Line

PowerShellTeam — Tue, 24 Jun 2008 21:50:01 GMT

@Sean - There are examples in the comments of instantiating a PSCredential from scratch. See if they help.

@Karl - This is not meant to be a configuration option that the script decides. If it were, then the administrator is no longer in control of their Common Criteria compliance.

@Dave - We're considering changing the default _formatting_ to not display the password by default, so that you don't accidentally display the password. Having access to the password is not a problem, as the GetNetworkCredential() method is designed explicitly to support the many .NET APIs that require a NetworkCredential object.

Lee Holmes [MSFT]

Windows PowerShell Development

Microsoft Corporation

re: Getting Credentials From The Command Line

Kris — Sat, 19 Jul 2008 02:16:58 GMT

Hi,

Is it possible to execute a block (of commandlets) with a different user context. I have the user id and pwd of the privileged user but need to run just a particular block with those credentials. The script is launched with the NETWORK SERVICE.

Thanks.

Notes Credential

Sean — Tue, 07 Oct 2008 00:49:45 GMT

Forgot about posting the question here about getting a Notes ID. After some trial and error I eventually had figured this out. The following example will successfully allow the passing of a notes credential to the various Transporter Suite cmdlets without being prompted for the notes credentials:

To get and store the credential for the current user:

$notespw = Read-Host "Enter the password for the Notes ID file" -AsSecureString

$notespw | ConvertFrom-SecureString | Set-Content $pwfile -force

To retrieve the password and create the PSCredential object:

$notespw = get-content $pwfile | ConvertTo-SecureString

$notesid = new-object -typename system.management.automation.pscredential -argumentlist "-default-",$notespw

Example of use:

Get-DominoMailbox mary@contoso.com -SourceCredential $notesid