Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I encrypt passwords in Powershell?

Posted on 2011-02-18
2
Medium Priority
?
906 Views
Last Modified: 2012-05-11
I have a Powershell script that resets passwords but in clear text. I need to encrypt the (or just astrick) the password.

Thanks, Missymadi
# Ask for a username

$Username = Read-Host "Enter UserName"

# Search for the user(s)

$Users = Get-QADUser -SamAccountName $Username | Select-Object Name, DN, 
  PasswordLastSet, PasswordAge,PasswordExpires, PasswordNeverExpires, 
  UserMustChangePassword, PasswordIsExpired, PasswordStatus


# Display the user(s)

$Users

# Ask if they wish to proceed

$Response = Read-Host "Do you want to reset the user's password?`n[1] Yes, [2] No"

# Ask for password 

$Password1 = Read-Host "Please enter a password to use"
$Password2 = Read-Host "Please re-enter the password to confirm"

If ($Password1 -ne $Password2) {

  Write-Host "Passwords do not match. Aborting script." -ForegroundColor Red

} Else {

  # Perform work

  If ($Response -eq "1" ) {
    # For each user we found earlier, set the password. Log a few things and the name of the 
    # user running this script 

    $Users | ForEach-Object { 
      Set-QADUser $_.DN -UserPassword $Password1
      Write-Host "Password reset for $($_.Name)"
    } | Select-Object SamAccountName, PasswordLastSet, @{n='SetBy';e={ $Env:Username }} |
      Out-File c:\PwdChanged.txt -Append
  }
}

Open in new window

0
Comment
Question by:missymadi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34930939
If you want to just hide the password on the conosle add -assecurestring to the end

$Password1 = Read-Host "Please enter a password to use"  -assecurestring

I am not sure if you will be able to compare the two passwords after you do that. You will have to test.


0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 34932315
You can read it in as a secure string, as described above. The trick is getting it back to plain text format so it can be used with -UserPassword and in the comparison (testing Password1 against Password2).

We can do that like this:
$Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password1))

Open in new window

Putting that inline we get this; I've added this change to the latest version of the script posted in http:Q_26832272.html rather than the snippet above.
# Ask for a username

$Username = Read-Host "Enter UserName"

# Search for the user(s)

$Users = Get-QADUser -SamAccountName $Username | Select-Object Name, DN, 
  PasswordLastSet, PasswordAge,PasswordExpires, PasswordNeverExpires, 
  UserMustChangePassword, PasswordIsExpired, PasswordStatus

# Display the user(s)

$Users

If ($Users) {

  # Ask if they wish to proceed

  $Response = Read-Host "Do you want to reset the user's password?`n[1] Yes, [2] No"

  If ($Response -eq "1") {

    # Ask for password 

    $SecurePassword1 = Read-Host "Please enter a password to use" -AsSecureString
    $SecurePassword2 = Read-Host "Please re-enter the password to confirm" -AsSecureString

    $Password1 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword1))
    $Password2 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword2))

    If ($Password1 -ne $Password2) {

      Write-Host "Passwords do not match. Aborting script." -ForegroundColor Red

    } Else {

      # Perform work

      # For each user we found earlier, set the password. Log a few things and the name of the 
      # user running this script 

      $Users | ForEach-Object { 
        Set-QADUser $_.DN -UserPassword $Password1
        Write-Host "Password reset for $($_.Name)"
      } | Select-Object SamAccountName, PasswordLastSet, @{n='SetBy';e={ $Env:Username }} |
        Out-File c:\PwdChanged.txt -Append
    }
  }
} Else {

  Write-Host "No users found" -ForegroundColor Red

}

Open in new window

There may be another way, but this is the way I know.

HTH

Chris
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question