Just a suggestion…
You can create a scheduled task that runs the PowerShell script with the needed credentials. Ideally it would run from a server, and if it needs to run PowerShell on other systems it can use Invoke-Command, in which case the credentials are not stored on the remote systems in a retrievable way. The action of the task could be something like this…

Program: powershell.exe
Additional arguments: -NoLogo -NoProfile -MTA -NonInteractive -ExecutionPolicy Bypass -File "D:\Path\Script.ps1"

From: Gilmanov, Nile [mailto:nile.gilma...@wabashnational.com]
Sent: Tuesday, July 22, 2014 2:29 PM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

What about cert-based?

From: listsad...@lists.myitforum.com On Behalf Of Daniel Ratliff
Sent: Tuesday, July 22, 2014 1:40 PM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

Thanks Keith, we may one day replace this custom solution we have with a commercial product, but for now our goal is just to see if PoSH + Compliance is a more successful method than WinBatch + Package deployment. A few other things I plan on looking at are maybe a DSC script or possibly something centrally managed to sync instead of a push method.

Thanks for the ideas everyone.

Daniel Ratliff

From: listsad...@lists.myitforum.com On Behalf Of Keith Garner (Hotmail)
Sent: Tuesday, July 22, 2014 1:02 PM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

Client side security is a hard problem. There are no easy answers.

At some point you are going to have to convert the secured password to plain text, and you are going to have to put the method to decode that piece of secure information in the PowerShell script, either the algorithm or the encryption key. One technique is to just obfuscate the secret information with some encoding (not encryption), like Base64.

Might be time to take a hard look at your environment and ask yourself why you need to distribute the password in the first place. Can you provide access to the resources with better access control, or other lockdown methods?

From: listsad...@lists.myitforum.com On Behalf Of Daniel Ratliff
Sent: Tuesday, July 22, 2014 8:16 AM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

But I cannot take that securestring and deploy it to thousands of workstations. It's only valid on the machine/account it's created on/with.

Daniel Ratliff

From: listsad...@lists.myitforum.com On Behalf Of Ryan
Sent: Tuesday, July 22, 2014 11:09 AM
To: scripting@lists.myitforum.com
Subject: Re: [scripting] PowerShell to store password securely in a script?

    $Test = Read-Host -AsSecureString
    $Test | ConvertFrom-SecureString | Out-File "c:\test.txt"

This will give you the encrypted password. To use that password, you just need to store it to a variable and use ConvertTo-SecureString.

On Tue, Jul 22, 2014 at 9:55 AM, Daniel Ratliff <dratl...@humana.com> wrote:

I feel like I am missing something glaringly obvious here. I have two requirements:

1. Store the password in the script, but not in plain text
2. Use a single script with nothing external

Is there no way with PowerShell to store an encrypted password in a script and re-use that on multiple machines?

Daniel Ratliff

The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
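
The three storage options discussed in this thread, side by side, as an added example that is not code from any of the posters: the default DPAPI-bound blob, the portable -Key blob whose key must ship with the script, and the certificate-based form. It assumes Windows PowerShell 5.0 or later (for the CMS cmdlets); the password, key and certificate subject are constructed values.

```powershell
# Added example; every value below is constructed for illustration.
$secure = ConvertTo-SecureString 'Constructed-Example-Pw1!' -AsPlainText -Force

# 1) Default: ConvertFrom-SecureString protects the blob with DPAPI, so it only
#    decrypts for the same user on the same machine. This is why the blob
#    cannot be pushed to thousands of workstations.
$dpapiBlob = $secure | ConvertFrom-SecureString

# 2) -Key: the blob is AES-encrypted and portable, but the key must travel with
#    the script. Anyone who can read the script can run the same two lines, so
#    this is obfuscation rather than protection.
$key       = [byte[]](1..32)                       # constructed 256-bit key
$aesBlob   = $secure | ConvertFrom-SecureString -Key $key
$roundTrip = $aesBlob | ConvertTo-SecureString -Key $key
$recovered = [System.Net.NetworkCredential]::new('', $roundTrip).Password
"AES blob recovered with embedded key: $($recovered -eq 'Constructed-Example-Pw1!')"

# 3) Certificate-based: encrypt to a document-encryption certificate's public
#    key. The script then carries only ciphertext; decryption needs the private
#    key, which is installed (non-exportable, ACL'd) only where it is needed.
$cert = New-SelfSignedCertificate -Subject 'CN=ScriptSecretExample' `
            -CertStoreLocation 'Cert:\CurrentUser\My' `
            -Type DocumentEncryptionCert `
            -KeyUsage KeyEncipherment, DataEncipherment

$cms = Protect-CmsMessage -To $cert.Thumbprint -Content 'Constructed-Example-Pw1!'

# Unprotect-CmsMessage locates the matching private key in the certificate
# store. On a host without that key, this call fails instead of decrypting.
$fromCms = Unprotect-CmsMessage -Content $cms
"CMS message recovered with private key: $($fromCms -eq 'Constructed-Example-Pw1!')"

# Remove the constructed test certificate.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

The certificate form moves the secret out of the script, but any code running as an account that can use the private key can still decrypt it, so the private key's ACL is what actually limits access.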