
I have followed the following guide to create a SecureString password. Now, I need to log on to a foreign Domain Controller with the dsquery options -s (server) -u (user) and -p (password).

dsquery group -name $group -s $rmSrv -u $user -p $pass  | dsget group -members -expand -c -s $rmSrv -u $user -p $pass  | dsget user -samid -c -s $rmSrv -u $user -p $pass > $filename

When I enter the password in plaintext, I get authenticated. Once using the SecureString object, I cannot authenticate. I have tried a few options, but could not get it running.

Do you have ideas?

Peter DeWeese
JayBe
  • `dsquery` is a command-line executable. It can't interpret objects, just flat text, so you're going to need to convert your `securestring` to `plaintext` and pass it that way. – Maximilian Burszley Apr 03 '18 at 17:13
  • I suggest reading [this article](https://blogs.technet.microsoft.com/heyscriptingguy/2010/12/02/query-active-directory-without-writing-a-script/) to interact with `AD` using `powershell`. – Maximilian Burszley Apr 03 '18 at 17:17

1 Answer

The only way to do that is to decrypt the SecureString object and get it as a string.

Here is a sample function:

function ConvertTo-String {
  param(
    [Security.SecureString] $secureString
  )
  # Initialize first so the finally block never tests an undefined variable
  $bstr = [IntPtr]::Zero
  try {
    # Copy the decrypted contents into an unmanaged BSTR ...
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString)
    # ... and marshal it into a managed System.String (the plain-text password)
    [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
  }
  finally {
    # Zero and free the unmanaged copy even if an exception was thrown
    if ( $bstr -ne [IntPtr]::Zero ) {
      [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
  }
}

Caution: Decrypting a SecureString object bypasses the protections that SecureString objects provide.

If you insist on using the dsquery command, this is the only option, because it requires a plain-text password on its command line. This is inherently insecure.

Instead, I would recommend to use the Active Directory cmdlets that can use SecureString directly without the need to convert to plain-text.

Bill_Stewart
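The alternative the answer recommends, written out as an added example (this is not code from the question or the answer): the same group-member lookup as the question's dsquery/dsget pipeline, but done with the ActiveDirectory module so the password stays a SecureString inside a PSCredential and never reaches a command line. A password passed with `-p` is visible in the process's command line (Task Manager, `Get-CimInstance Win32_Process`, and event 4688 or Sysmon event 1 when command-line auditing is enabled), which is the concrete reason the answer calls dsquery inherently insecure. The block assumes the ActiveDirectory module (RSAT) is installed and reuses the question's variable names; the sample values for server, user, group and output file are constructed.

```powershell
# Added example: equivalent of the question's dsquery | dsget pipeline using the
# ActiveDirectory module, so the SecureString is never decrypted by the script.
# Assumes the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

function Get-RemoteGroupUserSamIds {
  param(
    [Parameter(Mandatory)] [string] $Group,
    [Parameter(Mandatory)] [string] $Server,
    [Parameter(Mandatory)] [pscredential] $Credential
  )
  # -Recursive corresponds to "dsget group -members -expand" (nested groups flattened).
  # Filtering on objectClass corresponds to "dsget user -samid", which only emits users.
  Get-ADGroupMember -Identity $Group -Server $Server -Credential $Credential -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
}

# Sample values (constructed; substitute the question's own $group/$rmSrv/$user/$filename)
$group    = 'Domain Admins'
$rmSrv    = 'dc01.example.test'
$user     = 'EXAMPLE\svc-audit'
$filename = 'C:\temp\members.txt'

# Prompt once; the password exists only as a SecureString in this process
$pass = Read-Host -Prompt "Password for $user" -AsSecureString
$cred = [pscredential]::new($user, $pass)

# Same output as the question's "> $filename": one sAMAccountName per line
Get-RemoteGroupUserSamIds -Group $group -Server $rmSrv -Credential $cred |
  Set-Content -Path $filename
```

If the SecureString was created earlier with `ConvertTo-SecureString` from a stored `ConvertFrom-SecureString` blob, the same `[pscredential]::new($user, $pass)` works; the credential object is what the `-Credential` parameter of the AD cmdlets expects, so no conversion to plain text is needed anywhere in the pipeline.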