Smita,

The article is telling you not to use the Group Policy Preferences method because it is stored encoded. It is suggesting a SLAM engagement, or using the MCS solution.

To use PSPasswd, the device must be online and available for you to talk to it. While that might work for small orgs, it does not scale well to orgs with lots of devices that aren’t always online. If you use that with a script, you run into the same problem that started the conversation of how to store the password.

Nash

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Carneiro, Smita A.
Sent: Wednesday, July 23, 2014 10:28 AM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

The issue with the method in the url in the email below is that the password is not encrypted at all, it is stored in clear text and only protected by AD rights. You’re better off looking at the PsPasswd utility from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897543.aspx

Smita

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Nash Pherson
Sent: Wednesday, July 23, 2014 10:09 AM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

Daniel,

This is certainly coming up a lot recently. People had been using Group Policy Preferences to set it, but that runs into the same problem where the encoded password is available (Ok, it is encrypted, but there is one key used for Active Directory… and I mean everywhere…. It's available on MSDN.). A recent update removed that Group Policy Preferences feature altogether because of its lack of encryption (boy do I wish they would have just introduced real encryption).

If you are a Microsoft Premier customer, they can help with securely implementing random local admin passwords that are stored securely. These engagements are usually called SLAM and your Technical Account Manager can help get one going.

Not a Premier customer?
Well, there are other free solutions out there as well. Microsoft Consulting Services came up with one solution that they published which fits most organizations’ needs, large and small.

There is a great blog post by Mark Morowczynski which goes over why not to use the Preferences option, what is and how to get a SLAM engagement, and how to use the free MCS solution. It's long, but you’ll sound real smart when talking to your boss about the options: http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx

I hope that helps,
Nash

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kent McKinney
Sent: Tuesday, July 22, 2014 6:56 PM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

Just a suggestion… You can create a scheduled task that runs the PowerShell script with the needed credentials. Ideally it would run from a server, and if it needs to run PowerShell on other systems it can use Invoke-Command, in which case the credentials are not stored on the remote systems in a retrievable way.

The action of the task could be something like this…

Program: powershell.exe
Additional arguments: -NoLogo -NoProfile -MTA -NonInteractive -ExecutionPolicy Bypass -File "D:\Path\Script.ps1"

From: Gilmanov, Nile [mailto:nile.gilma...@wabashnational.com]
Sent: Tuesday, July 22, 2014 2:29 PM
To: scripting@lists.myitforum.com; scripting@lists.myitforum.com; scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

What about cert-based?
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: Tuesday, July 22, 2014 1:40 PM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

Thanks Keith, we may one day replace this custom solution we have with a commercial product, but for now our goal is just to see if PoSH + Compliance is a more successful method than WinBatch + Package deployment. A few other things I plan on looking at are maybe a DSC script or possibly something centrally managed to sync instead of a push method.

Thanks for the ideas everyone.

Daniel Ratliff

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Keith Garner (Hotmail)
Sent: Tuesday, July 22, 2014 1:02 PM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

Client side security is a hard problem. There are no easy answers.

At some point you are going to have to convert the secured password to plain text, and you are going to have to put the method to decode that piece of secure information in the powershell script, either the algorithm or the encryption key. One technique is to just obfuscate the secret information with some encoding (not encryption), like Base64.

Might be time to take a hard look at your environment and ask yourself why you need to distribute the password in the first place, can you provide access to the resources with better access control, or other lockdown methods?
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: Tuesday, July 22, 2014 8:16 AM
To: scripting@lists.myitforum.com
Subject: RE: [scripting] PowerShell to store password securely in a script?

But I cannot take that securestring and deploy it to thousands of workstations. It's only valid on the machine/account it's created on/with.

Daniel Ratliff

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ryan
Sent: Tuesday, July 22, 2014 11:09 AM
To: scripting@lists.myitforum.com
Subject: Re: [scripting] PowerShell to store password securely in a script?

    $Test = Read-Host -AsSecureString
    $Test | ConvertFrom-SecureString | Out-File "c:\test.txt"

This will give you the encrypted password. To use that password, you just need to store it to a variable and use ConvertTo-SecureString

On Tue, Jul 22, 2014 at 9:55 AM, Daniel Ratliff <dratl...@humana.com> wrote:

I feel like I am missing something glaringly obvious here. I have two requirements:

1. Store the password in the script, but not in plain text
2. Use a single script with nothing external

Is there no way with PowerShell to store an encrypted password in a script and re-use that on multiple machines?

Daniel Ratliff

The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
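Added example, not part of the original thread or any participant's code: the two behaviours of ConvertFrom-SecureString that the thread turns on, namely that the default blob is bound to the account and machine that created it, and that the portable -Key form only moves the secret into the key that must ship with the script. It assumes Windows PowerShell 5.1 or later; the password, the Get-PlainText helper and all variable names are constructed for illustration.

```powershell
# Added illustration; the sample password and every name below are constructed.
$secure = ConvertTo-SecureString -String 'Constructed-Sample-Pw1!' -AsPlainText -Force

# Hypothetical helper: recover the plain text from a SecureString.
function Get-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$SecureString)
    (New-Object System.Net.NetworkCredential('', $SecureString)).Password
}

# 1) No -Key: the blob is protected with DPAPI, scoped to the current
#    user account on the current machine.
$dpapiBlob = ConvertFrom-SecureString -SecureString $secure

# Same user, same machine: converting back works.
$back = ConvertTo-SecureString -String $dpapiBlob
"DPAPI round trip (same user/machine): " + ((Get-PlainText $back) -ceq (Get-PlainText $secure))

# Copied to another workstation or run under another account, the same call
# throws because the DPAPI master key is not available there. A deployed
# script has to expect that failure:
function Test-DpapiBlobReadable {
    param([Parameter(Mandatory)][string]$Blob)
    try   { $null = ConvertTo-SecureString -String $Blob -ErrorAction Stop; $true }
    catch { $false }
}
"DPAPI blob readable here: " + (Test-DpapiBlobReadable -Blob $dpapiBlob)

# 2) With -Key: the blob is AES-encrypted under a 16-, 24- or 32-byte key
#    and is no longer tied to a user or machine.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()
$aesBlob = ConvertFrom-SecureString -SecureString $secure -Key $key

# Portability comes from the key alone: whoever holds the blob and the key
# recovers the password. A single self-contained script must carry both,
# so the password is exactly as exposed as the script file itself.
$recovered = ConvertTo-SecureString -String $aesBlob -Key $key
"AES blob + key recovers password: " + ((Get-PlainText $recovered) -ceq 'Constructed-Sample-Pw1!')

# What protects the secret in case 2 is therefore the ACL on wherever
# the key lives, not the encryption.
```

Run on one workstation, all three lines print True; carrying `$dpapiBlob` to a second machine and calling Test-DpapiBlobReadable there returns False, while `$aesBlob` decrypts anywhere the key is present.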