I am trying to create a shortcut that would take credentials from the credential manager, like so
cd C:\code\Kodex-1.4.3\EPD_Prerequisite\Anaconda2\
$line1 = "cd C:\Code\EPMD\Kodex-1.4.4\Applications\Bin\EpmdTaskManager"
$line2 = "start EpmdTaskManagerGui.exe hide"
$line1 | out-file auto1.bat -Encoding Ascii
$line2 | Out-File -append auto1.bat -Encoding Ascii
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("C:\Users\matanv.HOBART\Desktop\Kodex 1.4.4.lnk")
$Shortcut.TargetPath = """C:\WINDOWS\system32\runas.exe"""
$argA = "/user:%computername%\Admin /savecred"
$argB = """C:\code\Kodex-1.4.3\EPD_Prerequisite\Anaconda2\auto.bat"""
$Shortcut.Arguments = $argA + " " + $argB
$Shortcut.Save()
This works fine, with one problem: The first time I run the script, I get promted for password.
I want to never get prompted for password, and to store it in the credential manager using some (maybe other) script.
How can it be done?
Thanks
Moving from comment to here for OP
Here's the thing to keep in mind with this savecred thing. It's really dangerous, depending on where you are using it. Once you do it, like you've noted, AL you have to do is pass the account name and never get prompted, which means, anyone with even the simplest of skills, could walk up to and take over this machine, even if you delete the shortcut that started it, those creds are always live, and once can create any shortcut, set the properties, and they are off to the races.
Hence, though savecred is really convenient, it should be limited to only machines in absolute control of the person using it. For Example.
Anyway, you an get creds into CredMan, without using RunAs /SaveCred, yes, even with PowerShell. The a many scripts online to show you how, even ones directly from the TechNet Powershell Gallery, and the MS powershellgallery.com.
How to add credentials to the Windows Vault (PowerShell)
This PowerShell script shows how add credentials for specific users.
Download : addwindowsCredential.zip
CredentialManager 2.0
From powershellgallery.com, via your PowerShell session.
Find-Module -Name '*credentialmanager*' | Format-Table -AutoSize
Version Name Repository Description
------- ---- ---------- -----------
2.0 CredentialManager PSGallery Provides access to credentials in the Windows Credential Manager
1.1.1.0 IntelliTect.CredentialManager PSGallery Provides an easy-to-use interface to the Windows Credential Manager via PowerShell.
1.0.9 pscredentialmanager PSGallery This module allows management and automation of Windows cached credentials.
1.0.0.0 BAMCIS.CredentialManager PSGallery Provides a PowerShell wrapper around the Windows Credential Manager Win32 APIs.
See also:
Manipulate credentials in the Windows 8/2012 PasswordVault using Powershell
This module demonstrates how to use the new Windows 8/2012
PasswordVault API from Powershell.
Download : PasswordVault.psm1
You can also do this with the built-in cmdkey.exe
Creates, lists, and deletes stored user names and passwords or
credentials.
But you would need to run in the user context to do this, and that is what MS SysInternals PSExec can provide. Just create a ScheduledTask for RunOnce / at startup to fire off the command to do this.
OK, I digress. So, all-in-all, there are a few ways to set up Kiosk Mode on windows and MS has documented Kiosk mode for some time now
(You don't say what OS you are targeting - as similar articles exits for them).
For Win 10 it is here:
Set up a single-app kiosk
The above provides direct instructions how to set this mode up in PowerShell, snippet of those steps below, but be sure to read the entire document.
Set up a kiosk using Windows PowerShell
App type: UWP OS edition: Windows 10 Pro, Ent, Edu Account type: Local
standard user
You can use any of the following PowerShell cmdlets to set up assigned
access on multiple devices. Before you run the cmdlet:
Log in as administrator.
Create the user account for Assigned Access.
Log in as the Assigned Access user account.
Install the Universal Windows app that follows the assigned
access/above the lock guidelines.
Log out as the Assigned Access user account.
Log in as administrator.
To open PowerShell on Windows 10, search for PowerShell and find
Windows PowerShell Desktop app in the results. Run PowerShell as
administrator.
# Configure assigned access by AppUserModelID and user name
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
# Configure assigned access by AppUserModelID and user SID
Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
# Configure assigned access by app name and user name
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
# Configure assigned access by app name and user SID
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
Note To set up assigned access using -AppName, the user account that
you specify for assigned access must have logged on at least once.
Learn how to get the AUMID. Learn how to get the AppName (see
Parameters).
Related
I have a batch script with this command in it
installutil /account=user /Password=password /config="ServiceConfig.xml" /LogFile="ex.InstallLog" "Hosting.exe"
When i run the script in commandLine i have a creation process with ID 4688 logged in windows security logs with a password in plain text in IT .
How can i proceed to not show plain text password in the security logs?
I can't turn off the windows logs because they are used by the security team in my company and i can not use the local service credentials so i have to set it this way to be able to use the automated script .
I think I have found a solution to not show the password in plain text.
I have tested, and using this part in the scripts, I don't see the password in the event viewer.
First, save it as follows:
$cred = Get-Credential
$cred | Export-CliXml -Path "PATH\Cred.xml"
Then, use it in the scripts as follows:
$cred = Import-CliXml -Path $credPath
So far, I have not seen it again in plain text.
The exported credentials are only valid on the machine that generated the file and with the user that generated them.
I've written a small .ps1 script which automates simple commands in an attempt to fix any issues with the default printer on an end user's machine. How can I pass credentials in this script so that it always runs with elevated privileges?
net stop spooler
Remove-Item C:\Windows\System32\spool\PRINTERS\* -Force
net start spooler
This would be used across many different domains, but the admin username/password are consistent across all machines. I saw a similar question here, but the methods shown either involved saving the password as a .xml and then recalling it (which would make the password visible to the non admin), or the method simply wouldn't work for me; maybe it was my execution? Normally I wouldn't be comfortable scripting admin credentials into plain text, but the script isn't actually saved on the end users' machine, only executed in the background through RMM. Any help is appreciated.
I found the following article very helpful on how to secure credentials and use credentials stored on a text file:
http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-1/
basically you would do the following:
<password> | ConverTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File <filename>.txt
You will then have a secure string file that would store your password for use in your script. You could also use the following command in order to perform the same action without ever having to use a plain text password:
(Get-Credentail).Password | ConvertFrom-SecureString | Out-File <filename>.txt
You can then add the following code to your script in order to use the password stored, I would recommend a shared location that only the admin has access on the workstation, and use it to run the mentioned script:
$credentials = Get-Content <filename>.txt | ConvertTo-SecureString
The final step is creating an object to use the credintials:
$adminCredentails = New-Object -TypeName System.Management.Automation.PSCredentail -ArgumentList <username>, (Get-Content <filename>.txt | ConvertTo-SecureString)
I leave to your imagination how you can then use the credentials in your script.
How do I write a PowerShell 4.0 script to return the virtualization vs. physical status of Windows 2003, 2008 and 2012 servers? I want to know if these servers are virtual. I want to run the script on a central Windows server. The script will interact with remote servers. I know of a PowerShell command to run on individual servers that will tell me. But I want it to check many remote servers at a time. Here is my basic (not-yet-working) script for one server, but it isn't working:
$ComputerName = "greatServer"
$UserName = "greatServer\jdoe"
$Password = Get-Content C:\Users\jdoe\Documents\password.txt
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName , $Password
Get-WmiObject -Query "select * from win32_computersystem"
Here is the error that I get:
New-Object : Cannot find an overload for "PSCredential" and the argument count: "2".
At C:\Users\jdoe\Documents.pass.ps1:4 char:15 + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -Ar ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo InvalidOperation: (:) [New-Object], MethodException + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
The final query will have to be modified with a remove * and a comparison operation. The manufacturer in the results will indicate if it is a VMware, Hyper-V or physical server (e.g., Dell). I don't need help with modifying the final query. The select * will work assuming it can work on remote servers.
I really want help with the error that I am getting. I have written a working script, but it requires a user to enter the password manually. I just want help to make the script non-interactive (and suppress the prompt). I have been unsuccessful with passing a password argument to get around the interactive password entry requirement.
Does the file that holds that password need to be encrypted? Will this work on remote servers that are Windows Server 2003? I reviewed other scripts I found online. The "cat C:\password.txt" portion didn't seem to work for me. I tried the convertTo-string and securestring options. Both those caused errors too.
A better way is to store the credential securely. You will need to do this using the same user that will run the script (which means you might have to log on to that server as the serviceaccount which will run the script).
Anyway, from there you can do:
$cred = get-credential # Type in the greatserver credential
$cred | Export-Clixml -Path .\cred.xml
In your script you can now load the credential simply by running
$cred = Import-Clixml -Path .\cred.xml
This is the recommended way of persisting credentials to disk. Obviously, if you require a unique credential for each server you want to query this wouldn't work so well - you'd be better off using a domain account which is an administrator on all your servers (provided that your servers are actually joined to a domain).
Check out this script from the Technet Script repository, it pretty much does precisely what you need to do already.
The key to determining if a machine is virtual or not is to query the Win32_Bios and Win32_ComputerSystem classes to to check for Bios.Serial and ComputerSystem.Model and Manufacturer.
The way that the script works is to get the results of these queries then check to see if the Serial number field contains VMware, Xen, Microsoft or something else.
It's a lot of work to go creating a tool like this on your own since you'd need to research what to expect for various fields like bios, manufacturer and model and do some heavy lifting with scripts to get the right answer; I'd highly recommend you use this function instead.
I've run into an interesting problem which I can't quite figure out. I have a script which is intended to launch a certain application with alternate credentials. I can launch the application perfectly well using alternate creds using explorer and right clicking and choosing "Run As Different User" or with "PSexec - domain\user -p password "c:\app.exe"" but if I attempt to launch using:
$username = "username"
$password = "password"
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList #($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Start-Process c:\app.exe -Credential ($credentials)
The application does in fact start using the alternate credentials but it then gets stuck in a loop/crashes. Using procmon it looks like it gets stuck on querying a directory that the app uses for caching, but I'm not sure it's relevant. I did try completely opening up the app folder ACL's (and all child objects recursively) to everyone but no luck. If I substitute other applications it works properly. I've used the "powershell" method to specify alt credentials with success many times before.
In any case, the script works fine using PSexec. I'd rather not have that dependency but it works for now. My question is, what is the difference from using the "powershell way" (using System.Management.Automation.PSCredential) to specify alternate credentials vs what PSexec or explorer is doing under the hood? I assume there must be something different going on and perhaps that information could help me trace why the application borks.
Thank you!
According to the technet pages of Start-Process and Psexec there is a difference in how the user profile is handled by default.
Start-Process does not load the profile unless you specify a switch:
-LoadUserProfile
Loads the Windows user profile stored in the HKEY_USERS registry key
for the current user. The default value is FALSE.
Psexec does always load the profile unless you specify a switch:
-e Does not load the specified account’s profile.
If the program expects some registry value for the cache location e.g. this could be a potential problem.
I'd like to run a windows application in the context of another user. I have an administrator and several user accounts in one machine and I would like to have the administrator start certain applications for each user account (preferably using shell commands).
I tried the runas command but that appears to run in the administrator session as the specified user. I want to run the application as the user session in the user context (hope that makes sense).
For example, using user administrator I would like to start notepad.exe so that user1 (logged in) can see it appear onscreen. Is that possible?
You can use PsExec for this : http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
use with argument : -i Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session.
ex. This will start IE on other computer
psexec \client -i "c:\program files\internet explorer\iexplore.exe"
/René