Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How do I encrypt passwords in Powershell?

Posted on 2011-02-18
2
Medium Priority
?
907 Views
Last Modified: 2012-05-11
I have a Powershell script that resets passwords but in clear text. I need to encrypt the (or just astrick) the password.

Thanks, Missymadi
# Ask for a username

$Username = Read-Host "Enter UserName"

# Search for the user(s)

$Users = Get-QADUser -SamAccountName $Username | Select-Object Name, DN, 
  PasswordLastSet, PasswordAge,PasswordExpires, PasswordNeverExpires, 
  UserMustChangePassword, PasswordIsExpired, PasswordStatus


# Display the user(s)

$Users

# Ask if they wish to proceed

$Response = Read-Host "Do you want to reset the user's password?`n[1] Yes, [2] No"

# Ask for password 

$Password1 = Read-Host "Please enter a password to use"
$Password2 = Read-Host "Please re-enter the password to confirm"

If ($Password1 -ne $Password2) {

  Write-Host "Passwords do not match. Aborting script." -ForegroundColor Red

} Else {

  # Perform work

  If ($Response -eq "1" ) {
    # For each user we found earlier, set the password. Log a few things and the name of the 
    # user running this script 

    $Users | ForEach-Object { 
      Set-QADUser $_.DN -UserPassword $Password1
      Write-Host "Password reset for $($_.Name)"
    } | Select-Object SamAccountName, PasswordLastSet, @{n='SetBy';e={ $Env:Username }} |
      Out-File c:\PwdChanged.txt -Append
  }
}

Open in new window

0
Comment
Question by:missymadi
2 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34930939
If you want to just hide the password on the conosle add -assecurestring to the end

$Password1 = Read-Host "Please enter a password to use"  -assecurestring

I am not sure if you will be able to compare the two passwords after you do that. You will have to test.


0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 34932315
You can read it in as a secure string, as described above. The trick is getting it back to plain text format so it can be used with -UserPassword and in the comparison (testing Password1 against Password2).

We can do that like this:
$Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password1))

Open in new window

Putting that inline we get this; I've added this change to the latest version of the script posted in http:Q_26832272.html rather than the snippet above.
# Ask for a username

$Username = Read-Host "Enter UserName"

# Search for the user(s)

$Users = Get-QADUser -SamAccountName $Username | Select-Object Name, DN, 
  PasswordLastSet, PasswordAge,PasswordExpires, PasswordNeverExpires, 
  UserMustChangePassword, PasswordIsExpired, PasswordStatus

# Display the user(s)

$Users

If ($Users) {

  # Ask if they wish to proceed

  $Response = Read-Host "Do you want to reset the user's password?`n[1] Yes, [2] No"

  If ($Response -eq "1") {

    # Ask for password 

    $SecurePassword1 = Read-Host "Please enter a password to use" -AsSecureString
    $SecurePassword2 = Read-Host "Please re-enter the password to confirm" -AsSecureString

    $Password1 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword1))
    $Password2 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword2))

    If ($Password1 -ne $Password2) {

      Write-Host "Passwords do not match. Aborting script." -ForegroundColor Red

    } Else {

      # Perform work

      # For each user we found earlier, set the password. Log a few things and the name of the 
      # user running this script 

      $Users | ForEach-Object { 
        Set-QADUser $_.DN -UserPassword $Password1
        Write-Host "Password reset for $($_.Name)"
      } | Select-Object SamAccountName, PasswordLastSet, @{n='SetBy';e={ $Env:Username }} |
        Out-File c:\PwdChanged.txt -Append
    }
  }
} Else {

  Write-Host "No users found" -ForegroundColor Red

}

Open in new window

There may be another way, but this is the way I know.

HTH

Chris
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A walk-through example of how to obtain and apply new DID phone numbers to your cloud PBX enabled users that are configured in Office 365. Whether you have 1, 10 or 100+ users in your tenant, it's quite easy to get them phone-enabled and making/rece…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question