Creation of a script to remove only Generic Credentials on restart

Question

I have an issue whereby our users are having their AD accounts locked out due to stored Generic Credentials (GC's). Issue is resolved by removing the GC's but they will return when the users log in to a new machine.

I can find heaps of information around removing all stored credentials except the GC's but this is the reverse of what I need and the other credentials must remain intact.

I have generated a batch file but it will only remove the "basic" CG's that do not have any special characters. I suspect the command cmdkey /delete cannot deal with the complex names. i.e, LegacyGeneric:target=Microsoft_OC1:uri=Joe.Bloggs@example.com.au:certificate:OCS:1

The Batch File,

cmdkey.exe /list > "%TEMP%\List.txt"
findstr.exe LegacyGeneric "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt"
FOR /F "tokens=1,2 delims= " %a IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%b
del "%TEMP%\List.txt" /s /f /q
del "%TEMP%\tokensonly.txt" /s /f /q

I will also have issues getting a batch file around our Application White Listing when it goes live in 2 weeks. So a PowerShell Script would be better but I'm open to other languages.

I am sure there must be a script capable of processing this request but I have hit a knowledge wall.

Any help will be appreciated.

Cheers, Tim

I've never tried , but in how about `cmdkey /list | where {$_ -match 'LegacyGeneric'} | foreach { cmdkey /delete "$($_.split()[-1])" }` in PowerShell? — TessellatingHeckler, Aug 04 '16 at 03:31
This worked great from my machine, thanks. I will now have to test at user level pushed from the server. — Tim Seddon-Brown, Aug 04 '16 at 04:26

score 0 · Answer 1 · answered Dec 05 '18 at 10:38

0

Hope this helps!It will delete windows generic credential by powershell

$key_dat =@((cmdkey /listall | Where-Object{$_ -like "*LegacyGeneric*"}).replace("Target: ",""))
for($k =0; $k -le ($key_dat.Count -1); $k++)
{
[string]$dele_data =$key_dat[$k].trim()
cmdkey /delete:$dele_data
}

answered Dec 05 '18 at 10:38

Aameer

221
2
4

The syntax : cmdkey /delete:targetname does not work when you attempt to delete all the entries. – Clint May 22 '19 at 06:55

Stefan X. · Answer 2 · 2021-12-30T17:01:16.493

the script works for me combining the threads above. I especially had to delete old OUTLOOK entries and succeed running this script in user context. Please bare in mind that EXECUTION POLICY has to be set in another administrative script since this runs in user context.

$key_dat = @((cmdkey /listall | Where-Object{$_ -like "*LegacyGeneric:target=MS.Outlook*"}).replace("Target: ",""))
for($k =0; $k -le ($key_dat.Count -1); $k++)
{
[string]$dele_data =$key_dat[$k].split()[-1]
cmdkey /delete:$dele_data
}

Creation of a script to remove only Generic Credentials on restart

2 Answers2