20

While running remoting commands like Enable-PsSession, Invoke-command etc. we need to provide credentials with those commands.

I don't want to provide the credentials every time while executing these commands.

Also, let's say I stored the username in a variable and am using the variable while executing the command. I want to do this for the password as well. Could I do that?

Eg:

Invoke-Command -ComputerName mycomputer -ScriptBlock { Get-ChildItem C:\ } -credential  mydomain\administrator

So here I am providing the password every time while executing these commands.

How should the commands take the username & password automatically, either from a variable or some other mechanism?

CB.
usr021986

5 Answers

31

You can do:

$cred = Get-Credential # fill in your credentials in the pop-up window

and then:

Invoke-Command -ComputerName mycomputer -ScriptBlock { Get-ChildItem C:\ } -credential $cred

Remember that the password in $cred is easily recoverable in clear text!

CB.
  • 2
    I just learned that you can do `$cred.GetNetworkCredential()|fl *` to retrieve the username and password – Ambrose Leung May 17 '18 at 20:08
  • 4
    If you want to pass the username/password as part of a CI process, then the popup is not an option, because it would be running as an automated process. Is there any other way to do it? – Zinov Apr 23 '19 at 20:23
16

Encrypt everything. Create an object calling the decrypted info as the password. Use it like that:

read-host -assecurestring | convertfrom-securestring | out-file C:\localdrivespace\username-password-encrypted.txt
$username = "domain\username"
$password = cat C:\localdrivespace\username-password-encrypted.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
John_West
John Cardwell
4

PowerShell will default to the credentials of the user running the PowerShell session, if none are specified explicitly.

So if you run PowerShell as a user with administrative privileges on the remote machine, you don't have to enter credentials when running the commands.

What you can do is you can create a scheduled task with stored credentials for a service account, and allow users (or just yourself) access to run the task.

http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/12/use-scheduled-tasks-to-run-powershell-commands-on-windows.aspx

Or you can store credentials in the Windows credential manager, which means they're encrypted using your Windows user.

https://gist.github.com/toburger/2947424

However with the credential manager solution, any user able to run scripts in your context will be able to extract the password in clear text.

This isn't a problem though, if you only use this for yourself, or if every admin running the scripts does so from his own user context.

mtnielsen
2

Any automated script requiring a password is flawed. Comments in the other answers show how easy it is to reverse a secure string.

  • Create a credentials variable: $cred = get-credential mydomain\me
  • Store the credentials in an xml export file: $cred | export-clixml credfile.xml
  • Obscure the file; add hidden attributes etc
  • Load the credentials when needed: $cred = Import-Clixml \hidden\credfile.xml
  • Execute the command requiring credentials: enter-pssession -computername server -credential $cred

This is what I do.

silicontrip
  • Obscurity isn't security... if I had to choose between encryption and obscurity the choice is obvious. I say this because you seem to think that obscurity > encryption. – Levi Blodgett Sep 09 '22 at 13:48
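
The Export-Clixml / Import-Clixml and ConvertFrom-SecureString approaches from the answers above, combined into one reusable function. This is an added example, not code from any of the answers; the function name Get-SavedCredential, the file name remoting-cred.xml, and the account and computer names are assumptions. It relies on Windows DPAPI, so the file only decrypts for the same user on the same machine.

```powershell
function Get-SavedCredential {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )

    # On Linux/macOS, Export-Clixml does not encrypt the password, so refuse there.
    if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
        throw 'Export-Clixml only encrypts credentials on Windows.'
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run only: prompt once, then persist. The SecureString password
        # is written encrypted with DPAPI (current user, current machine).
        $new = Get-Credential -UserName $UserName -Message "Password to store in $Path"
        $new | Export-Clixml -LiteralPath $Path

        # Defence in depth: drop inherited ACL entries and allow only the
        # current user. The protection is the DPAPI encryption, not the ACL.
        $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $false)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    try {
        $cred = Import-Clixml -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Typical cause: the file was created by another user or on another machine.
        throw "Cannot load '$Path' (same user and machine required): $_"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$Path' does not contain a PSCredential."
    }
    if ($cred.UserName -ne $UserName) {
        throw "'$Path' holds '$($cred.UserName)', expected '$UserName'."
    }
    return $cred
}

# Placeholder path, account and computer name.
$CredPath = Join-Path $env:LOCALAPPDATA 'remoting-cred.xml'
$cred = Get-SavedCredential -Path $CredPath -UserName 'mydomain\administrator'
Invoke-Command -ComputerName mycomputer -ScriptBlock { Get-ChildItem C:\ } -Credential $cred
```

For an unattended job, run the function once interactively as the account the job runs under, so the file is created in that account's context.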
0

If you try to delegate credentials but still get permission denied on some of the actions in your script, you might need to set up the client and server machines with a specific setup. Hence, on an admin PowerShell prompt on both machines:

Get-WSManCredSSP

Read the output, then on the client machine:

Enable-WSManCredSSP -Role Client -DelegateComputer *.domain.com

Then on the server machine (which executes the script):

Enable-WSManCredSSP -Role Server

Then check again:

Get-WSManCredSSP

Thierry Brémard