Part 1 of this blog used an encrypted password to authenticate with SharePoint, MS Teams, or any other API. There the default encryption worked without any issue, because the script and its password file never had to move from one machine to another.
But the default encryption cannot be used when the script runs on a different machine from the one where the encrypted password file was generated, because the default encryption takes the machine and the user account into account while encrypting the password.
In short, your machine and your user id become the key to your password encryption, so changing the machine or the user id is like changing the key.
You will get the following error when you use your encrypted password file on a different machine or under a different user id.
In this blog we will remove the dependency on the user and the machine from the encryption process: we will use a key file to encrypt and decrypt our password. That makes our password file portable.
Suppose we want to run a PowerShell script on all the organization's machines to update certain settings, or to install or uninstall certain software.
In the current Covid situation everyone is working from home, so you need to connect to each employee's machine remotely.
The problem with a remote connection is that we only control PowerShell if it is running under an administrator account,
and we cannot share the machine admin id and password with the employee.
1. Create a key file and an encrypted password file, using the utility KeyAndPasswordGenerator.ps1.
2. Create a PowerShell script that performs the required operation on the machines; let's name it Task.ps1.
3. Create a PowerShell script that starts a new PowerShell process with the admin id and password and passes it Task.ps1; let's name this utility Starter.ps1.
4. Copy all the assets into a folder on the target machine:
   - key file
   - password file
   - Task.ps1
   - Starter.ps1
5. Run Starter.ps1 from the employee's PowerShell instance.
6. Once Starter.ps1 has finished executing, delete all the assets from the employee machine.
Copy the following code into Notepad or the PowerShell ISE and save it as KeyAndPasswordGenerator.ps1:
$keyFilePath = "key.txt" #Line 1
$passwordFilePath = "password.txt" #Line 2
$key = New-Object Byte[] 32 #Line 3: 32 random bytes, i.e. an AES-256 key
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($key) #Line 4
Set-Content $keyFilePath $key #Line 5: writes the key as one decimal byte per line
$PSCredentialObject = Get-Credential #Line 6
$password = $PSCredentialObject.password | ConvertFrom-SecureString -Key $key #Line 7
Set-Content $passwordFilePath $password #Line 8
Set the first two variables to the key and password file paths.
Lines 3, 4 and 5 generate a random key and store it in the key.txt file.
In line 6 the Get-Credential command opens a popup to enter the user id and password; in Azure Cloud Shell or in PowerShell on Macintosh the user has to type the password directly at the command prompt.
In lines 7 and 8 we pipe the password through ConvertFrom-SecureString with our key, i.e. we encrypt it with the key instead of the default user-and-machine protection, and store the result in the password.txt file.
Note: this utility is used only once, to generate the key and password files. It is not part of the package that we will copy to the machines where we want to run Task.ps1.
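Before the two files are packaged it is worth checking that they behave as the text above claims: the stored key must round-trip the ciphertext, a different key must be rejected, and nobody who should not read the key can. The script below is an added example and not part of the original post; it assumes key.txt and password.txt in the current folder in the exact layout Set-Content wrote them (the key as one decimal byte per line), and it uses Windows ACLs, so it is for Windows PowerShell. The Protect-AssetFile helper is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original post: sanity-check the output of
# KeyAndPasswordGenerator.ps1 before shipping it. Assumes key.txt and
# password.txt in the current folder, written by Set-Content as above.

function Test-PortableCredentialFiles {
    param(
        [string]$KeyFilePath = "key.txt",
        [string]$PasswordFilePath = "password.txt"
    )

    # Set-Content wrote one decimal byte per line; rebuild the byte array.
    [byte[]]$key = Get-Content -Path $KeyFilePath
    if ($key.Length -notin @(16, 24, 32)) {
        throw "Key file holds $($key.Length) bytes; -Key needs 16, 24 or 32 (AES-128/192/256)."
    }
    $cipherText = (Get-Content -Path $PasswordFilePath -Raw).Trim()

    # 1. The stored key must turn the ciphertext back into a non-empty SecureString.
    $secret = ConvertTo-SecureString -String $cipherText -Key $key -ErrorAction Stop
    $roundTrips = $secret.Length -gt 0

    # 2. A different random key must be rejected. ConvertTo-SecureString -Key is
    #    AES-CBC with PKCS7 padding, so a wrong key almost always fails the padding
    #    check. It is not authenticated encryption, so treat this as a sanity check.
    $wrongKey = New-Object byte[] $key.Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($wrongKey)
    $wrongKeyRejected = $false
    try { $null = ConvertTo-SecureString -String $cipherText -Key $wrongKey -ErrorAction Stop }
    catch { $wrongKeyRejected = $true }

    # 3. Anyone who can read key.txt can decrypt password.txt, so list every
    #    identity with an Allow entry other than the current user, SYSTEM and Administrators.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $trusted = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $extraReaders = foreach ($path in @($KeyFilePath, $PasswordFilePath)) {
        (Get-Acl -Path $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $trusted } |
            ForEach-Object { "$path : $($_.IdentityReference.Value)" }
    }

    [pscustomobject]@{
        KeyBytes         = $key.Length
        RoundTrips       = $roundTrips
        WrongKeyRejected = $wrongKeyRejected
        ExtraReaders     = @($extraReaders)
    }
}

function Protect-AssetFile {
    # Hypothetical helper: drop inherited ACEs and leave only the current user with access.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited rules
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $me, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: tighten both files, then report.
foreach ($f in 'key.txt', 'password.txt') { Protect-AssetFile -Path $f }
Test-PortableCredentialFiles | Format-List
```

If ExtraReaders is not empty after Protect-AssetFile has run, some other principal still has an explicit entry on the file and can recover the admin password as soon as both files sit next to each other, which is exactly the state they are in on the target machine.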
To understand the concept, let's create Task.ps1 with the following script; in a real situation this is the file that contains the actual action script. This script file will be run with elevated privileges.
echo "Powershell executed as admin!"
Add-Content "outputFromAdminScript.txt" "Hello"
Start-Sleep -s 100
A very simple script: it creates a file outputFromAdminScript.txt with the content "Hello".
I have used the Start-Sleep cmdlet to stop the PowerShell window from closing immediately.
This utility runs our Task.ps1 with elevated permissions.
Copy the following code into Notepad or the PowerShell ISE and save it as Starter.ps1:
$keyFilePath = "key.txt"
$passwordFilePath = "password.txt"
$adminID = "diwakar"
# Set-Content wrote the key as one decimal byte per line; rebuild the byte array.
[byte[]]$key = Get-Content -Path $keyFilePath
# Not named $pwd: that would shadow PowerShell's automatic $PWD variable.
$encryptedPassword = Get-Content -Path $passwordFilePath
$password = $encryptedPassword | ConvertTo-SecureString -Key $key
$adminCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $adminID, $password
# Path of Task.ps1 on the target machine; adjust it to the folder the assets were copied into.
$Exitcode = (Start-Process powershell -Credential $adminCredential -ArgumentList "-ExecutionPolicy ByPass -file C:\Users\t_diwakar.jadhav\Documents\PasswordTest\Task.ps1" -Wait -PassThru).ExitCode
# '=' would assign; '-eq' compares the integer exit code with 0.
if ($Exitcode -eq 0)
{
    Write-Host "SUCCESS"
}
else
{
    Write-Host "FAILURE"
}
Let's run our Starter.ps1.
Check whether we got our outputFromAdminScript.txt with the text Hello in it. I ran this script a second time to take a screenshot, so you can see two Hellos, as we are using Add-Content.
Now follow steps 4 to 6 from the Solution Summary, as per your requirement.
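Steps 4 to 6 are the part that is easy to get wrong by hand: if Starter.ps1 fails, the key and the encrypted password are left behind. The function below is an added example, not code from the original post, that performs the three steps on the employee machine with the cleanup in a finally block so it runs whether Starter.ps1 succeeds or not. It assumes the four assets sit in a source folder you name, that the staging folder is the one Starter.ps1's -file path points at (the page's Starter.ps1 uses an absolute path to Task.ps1), and that Starter.ps1 reads key.txt and password.txt from its current directory and prints SUCCESS or FAILURE as above. The folder paths in the usage line are constructed.

```powershell
# Added example, not from the original post: Solution Summary steps 4-6 as one
# function, run on the employee machine. Assumes Starter.ps1 as in the post
# (reads key.txt/password.txt from the current folder, prints SUCCESS/FAILURE).

function Invoke-PortableTask {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,    # holds the four assets
        [Parameter(Mandatory)][string]$StagingFolder    # folder Starter.ps1's -file path points at
    )
    $assets = 'key.txt', 'password.txt', 'Task.ps1', 'Starter.ps1'
    $missing = @($assets | Where-Object { -not (Test-Path (Join-Path $SourceFolder $_)) })
    if ($missing.Count) { throw "Missing asset(s) in ${SourceFolder}: $($missing -join ', ')" }

    # Step 4: copy the assets into the staging folder on the target machine.
    if (-not (Test-Path $StagingFolder)) { New-Item -ItemType Directory -Path $StagingFolder | Out-Null }
    foreach ($name in $assets) {
        Copy-Item -Path (Join-Path $SourceFolder $name) -Destination $StagingFolder -Force
    }

    try {
        # Step 5: run Starter.ps1 with the staging folder as working directory so its
        # relative key.txt / password.txt paths resolve. *>&1 also captures Write-Host.
        Push-Location $StagingFolder
        try { $output = & (Join-Path $StagingFolder 'Starter.ps1') *>&1 | Out-String }
        finally { Pop-Location }
        [pscustomobject]@{
            Output    = $output.Trim()
            Succeeded = [bool]($output -match '\bSUCCESS\b')
        }
    }
    finally {
        # Step 6: always runs, even if Starter.ps1 threw. Removing the key and the
        # encrypted password closes the window in which anyone who can read this
        # folder could recover the admin password.
        foreach ($name in $assets) {
            Remove-Item -Path (Join-Path $StagingFolder $name) -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage on the employee machine (constructed paths):
# Invoke-PortableTask -SourceFolder 'C:\Deploy\PortableTask' -StagingFolder 'C:\Users\employee\Documents\PasswordTest'
```

The returned object records Starter.ps1's console output and whether it printed SUCCESS, which is the only signal the page's Starter.ps1 exposes; the exit code of the elevated process itself stays inside Starter.ps1.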
Post relevance date : October 2020