
I'm making a "shortcut" PS1 script to update a domain user's password. I'd like to prompt the user for the new password twice without showing the password on screen. When I use $Text1=Read-Host ; $Text2=Read-Host ; $Text1 -eq $Text2 with the same input - '1' for example - the output of that one-liner is "True". However,

$Text1=Read-Host -AsSecureString ; $Text2=Read-Host -AsSecureString ; $Text1 -eq $Text2

and

$Text1=Read-Host -AsSecureString ; $Text2=Read-Host -AsSecureString ; (ConvertFrom-SecureString $Text1) -eq (ConvertFrom-SecureString $Text2)

return False.

The script as it is now, without prompting twice and comparing user inputs, is below and it works to reset a user's password.

$UserName = Read-Host "User name "
$NewPass = Read-Host -AsSecureString
Set-ADAccountPassword `
    -NewPassword $NewPass `
    -Verbose `
    -Identity ( (Get-ADUser -Filter "SamAccountName -like '$UserName'").DistinguishedName )
$NewPass.Dispose()

Working PS1 script to reset domain user's password

user38537

1 Answer

According to TechNet, you have to "decrypt" the SecureString with the following method:

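$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($text1)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
# Zero and free the unmanaged copy once the string has been read.
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)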

First, this converts the secure string to the "Basic String" data type (BSTR), and from that back to a readable string. This will give you the plain text password the user entered. You could, for example, put this in a small function that you can call for both passwords like this:

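function Decrypt-Password ($secureString) {
    # Copy the SecureString into an unmanaged BSTR, then read it back as a managed string.
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    }
    finally {
        # Zero and free the unmanaged plaintext copy.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
    }
}

$Text1 = Read-Host -AsSecureString
$Text2 = Read-Host -AsSecureString
# -ceq compares case-sensitively; plain -eq would treat 'Secret' and 'secret' as equal.
(Decrypt-Password -secureString $Text1) -ceq (Decrypt-Password -secureString $Text2)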

This will work as expected.

You could also create a function that will directly compare two given SecureStrings, but I will leave the exact implementation up to you.

Tobias
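
The direct SecureString comparison that the answer leaves to the reader, as an added example that is not part of the original answer: it compares the two BSTR copies character by character without building managed plaintext strings, then zeroes both copies. The function names `Test-SecureStringEqual` and `Read-ConfirmedPassword` are hypothetical.

```powershell
# Added example; function names are hypothetical, not from the original post.
function Test-SecureStringEqual {
    param(
        [Parameter(Mandatory)] [System.Security.SecureString] $First,
        [Parameter(Mandatory)] [System.Security.SecureString] $Second
    )
    # Length is the character count; different lengths can never match.
    if ($First.Length -ne $Second.Length) { return $false }

    $marshal = [System.Runtime.InteropServices.Marshal]
    $ptr1 = [IntPtr]::Zero
    $ptr2 = [IntPtr]::Zero
    try {
        $ptr1 = $marshal::SecureStringToBSTR($First)
        $ptr2 = $marshal::SecureStringToBSTR($Second)
        $diff = 0
        for ($i = 0; $i -lt $First.Length; $i++) {
            # BSTR characters are UTF-16 (two bytes each); accumulate any difference.
            $diff = $diff -bor ($marshal::ReadInt16($ptr1, $i * 2) -bxor $marshal::ReadInt16($ptr2, $i * 2))
        }
        return ($diff -eq 0)   # exact match, so the comparison is case-sensitive
    }
    finally {
        # Zero and free the unmanaged plaintext copies even if something throws.
        if ($ptr1 -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($ptr1) }
        if ($ptr2 -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($ptr2) }
    }
}

function Read-ConfirmedPassword {
    # Prompt twice (input is masked) until both entries match; returns a SecureString.
    while ($true) {
        $first  = Read-Host -Prompt 'New password' -AsSecureString
        $second = Read-Host -Prompt 'Confirm new password' -AsSecureString
        try {
            if ($first.Length -gt 0 -and (Test-SecureStringEqual -First $first -Second $second)) {
                return $first
            }
            Write-Warning 'Passwords are empty or do not match, try again.'
            $first.Dispose()
        }
        finally { $second.Dispose() }
    }
}
```

The value returned by `Read-ConfirmedPassword` can be passed to `-NewPassword` in the question's `Set-ADAccountPassword` call and disposed afterwards, as that script already does with `$NewPass`.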