0

I have a long-running PowerShell script. It kicks off at login via GPO, connects to Exchange with the user's current credentials, then goes back to sleep. It does this every half hour or so and continues until the user logs out.

The issue occurs if the user changes their password during this time. The next time the script attempts to connect to Exchange, it fails. I assume this is because the credentials stored within the PowerShell session are no longer valid.

Is there a way to refresh/update the script's credentials from the O/S?

The only other way I thought to work around this was to restart the script in a new PowerShell instance, hence grabbing a new set of credentials. This sounds problematic as I believe the context will be passed on to the new session if it's initiated from the running script. Triggering a scheduled task that calls the script may work, though I haven't tried it and it seems overly convoluted.

Any thoughts? I don't want to use Get-Credential as that requires a prompt. I also don't want to store a password in a file.

`[System.Security.Principal.WindowsIdentity]` may provide a way? Not quite sure where to start.

Update: I'm using EWS as per: https://devblogs.microsoft.com/scripting/learn-to-use-the-exchange-web-services-with-powershell/

You can use the credentials stored in the current PowerShell session as per: `$exchService.UseDefaultCredentials = $true`

Striker
  • How are you getting their username and password in the first place? – I.T Delinquent Jul 04 '19 at 10:46
  • Could you not do this as a scheduled task? – The Fish Jul 04 '19 at 12:47
  • AFAIK, there isn't a way to get the credentials of a user's session. I am curious how you are doing that. I agree the credentials are saved on the machine but they are obfuscated to the user. Task Scheduler will also require session refresh, I believe. – Sid Jul 04 '19 at 13:19
  • You can store passwords in a file or the built-in credential manager quite easily: [What is the best way to store account credentials...](https://stackoverflow.com/questions/50917375/what-is-the-best-way-to-store-account-credentials-especially-password-for-an-a/50918111#50918111). With a bit of setup, you could have your script run as a scheduled task under a low-rights account that no-one else can log on with, but which can access the credentials (which are tied securely to _that_ account on _that_ machine). – boxdog Jul 04 '19 at 14:46
  • @TheFish I may try the scheduled task route, though I was hoping to do it all within PowerShell. – Striker Jul 04 '19 at 21:37
  • @I.TDelinquent see Update above – Striker Jul 04 '19 at 21:37
  • @RohinSidharth see update. I don't need to know the user's creds, just refresh the stored creds in the current PowerShell instance, either that or instantiate a new PowerShell session with the user's new creds. – Striker Jul 04 '19 at 21:40
  • @boxdog I'll take a look at that. Note though that this runs on every workstation, so >3000 users and under their account (triggered on login), not system or any other generic account with admin privilege as it wouldn't have access to that particular user's mailbox. – Striker Jul 04 '19 at 21:54

1 Answer

0

So I didn't work out how to update the stored credentials in a running PowerShell session... surely it's possible... anyway, here is what I did.

  1. Script runs, connects to Exchange successfully, sleeps
  2. User changes Windows password
  3. Script wakes up, connection to Exchange fails
  4. Trap error via try/catch, create a scheduled task to run in 5 seconds from now with the `Schedule.Service` COM object
  5. Quit script
  6. Task fires and relaunches the PowerShell script with the updated credentials. Connection to Exchange succeeds. Script sleeps
  7. Task auto-deletes itself via `Settings.deleteExpiredTaskAfter = 'PT0S'`, which is immediately. You also need to set the `.EndBoundary` on the trigger

Works fairly neatly but it's a bit of a hack. Love to see a more elegant solution from someone.

Striker
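Steps 4 to 7 of the answer above, sketched as an added example (this is not the answerer's code). The function name `Register-RelaunchTask`, the task name, the one-minute expiry window and the `powershell.exe` arguments are assumptions; the task is registered with the interactive-token logon type, so no password is stored with it.

```powershell
# Added example, not the answerer's script. Names and defaults are assumptions.
function Register-RelaunchTask {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,             # script to relaunch
        [int]$DelaySeconds = 5,                                 # "run in 5 seconds from now"
        [string]$TaskName = "RelaunchMailboxScript-$PID"        # hypothetical task name
    )

    $service = New-Object -ComObject Schedule.Service
    $service.Connect()
    $folder = $service.GetFolder('\')
    $task   = $service.NewTask(0)

    # Step 7: remove the task as soon as it has expired.
    # This setting is only accepted when the trigger has an EndBoundary.
    $task.Settings.DeleteExpiredTaskAfter     = 'PT0S'
    $task.Settings.DisallowStartIfOnBatteries = $false
    $task.Settings.StopIfGoingOnBatteries     = $false

    # Run as the logged-on user with their interactive token and no elevation.
    $task.Principal.LogonType = 3    # TASK_LOGON_INTERACTIVE_TOKEN
    $task.Principal.RunLevel  = 0    # TASK_RUNLEVEL_LUA (least privilege)

    # One-shot time trigger; 's' yields yyyy-MM-ddTHH:mm:ss regardless of culture.
    $start   = (Get-Date).AddSeconds($DelaySeconds)
    $trigger = $task.Triggers.Create(1)                         # TASK_TRIGGER_TIME
    $trigger.StartBoundary = $start.ToString('s')
    $trigger.EndBoundary   = $start.AddMinutes(1).ToString('s') # assumed expiry window

    # Quote the path so spaces cannot split it into extra arguments.
    $action = $task.Actions.Create(0)                           # TASK_ACTION_EXEC
    $action.Path      = 'powershell.exe'
    $action.Arguments = "-NoProfile -WindowStyle Hidden -File `"$ScriptPath`""

    # 6 = TASK_CREATE_OR_UPDATE; user and password stay $null for logon type 3.
    $null = $folder.RegisterTaskDefinition($TaskName, $task, 6, $null, $null, 3)
}

# Call site (steps 3 to 5). Connect-Mailbox is a hypothetical stand-in for the
# script's own EWS connection code:
#   try   { Connect-Mailbox }
#   catch { Register-RelaunchTask -ScriptPath $PSCommandPath; exit 1 }
```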