Solved

How do I encrypt passwords in Powershell?

Posted on 2011-02-18
2
900 Views
Last Modified: 2012-05-11
I have a Powershell script that resets passwords but in clear text. I need to encrypt the (or just astrick) the password.

Thanks, Missymadi
# Ask for a username

$Username = Read-Host "Enter UserName"

# Search for the user(s)

$Users = Get-QADUser -SamAccountName $Username | Select-Object Name, DN, 
  PasswordLastSet, PasswordAge,PasswordExpires, PasswordNeverExpires, 
  UserMustChangePassword, PasswordIsExpired, PasswordStatus


# Display the user(s)

$Users

# Ask if they wish to proceed

$Response = Read-Host "Do you want to reset the user's password?`n[1] Yes, [2] No"

# Ask for password 

$Password1 = Read-Host "Please enter a password to use"
$Password2 = Read-Host "Please re-enter the password to confirm"

If ($Password1 -ne $Password2) {

  Write-Host "Passwords do not match. Aborting script." -ForegroundColor Red

} Else {

  # Perform work

  If ($Response -eq "1" ) {
    # For each user we found earlier, set the password. Log a few things and the name of the 
    # user running this script 

    $Users | ForEach-Object { 
      Set-QADUser $_.DN -UserPassword $Password1
      Write-Host "Password reset for $($_.Name)"
    } | Select-Object SamAccountName, PasswordLastSet, @{n='SetBy';e={ $Env:Username }} |
      Out-File c:\PwdChanged.txt -Append
  }
}

Open in new window

0
Comment
Question by:missymadi
2 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34930939
If you want to just hide the password on the conosle add -assecurestring to the end

$Password1 = Read-Host "Please enter a password to use"  -assecurestring

I am not sure if you will be able to compare the two passwords after you do that. You will have to test.


0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 34932315
You can read it in as a secure string, as described above. The trick is getting it back to plain text format so it can be used with -UserPassword and in the comparison (testing Password1 against Password2).

We can do that like this:
$Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password1))

Open in new window

Putting that inline we get this; I've added this change to the latest version of the script posted in http:Q_26832272.html rather than the snippet above.
# Ask for a username

$Username = Read-Host "Enter UserName"

# Search for the user(s)

$Users = Get-QADUser -SamAccountName $Username | Select-Object Name, DN, 
  PasswordLastSet, PasswordAge,PasswordExpires, PasswordNeverExpires, 
  UserMustChangePassword, PasswordIsExpired, PasswordStatus

# Display the user(s)

$Users

If ($Users) {

  # Ask if they wish to proceed

  $Response = Read-Host "Do you want to reset the user's password?`n[1] Yes, [2] No"

  If ($Response -eq "1") {

    # Ask for password 

    $SecurePassword1 = Read-Host "Please enter a password to use" -AsSecureString
    $SecurePassword2 = Read-Host "Please re-enter the password to confirm" -AsSecureString

    $Password1 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword1))
    $Password2 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
      [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword2))

    If ($Password1 -ne $Password2) {

      Write-Host "Passwords do not match. Aborting script." -ForegroundColor Red

    } Else {

      # Perform work

      # For each user we found earlier, set the password. Log a few things and the name of the 
      # user running this script 

      $Users | ForEach-Object { 
        Set-QADUser $_.DN -UserPassword $Password1
        Write-Host "Password reset for $($_.Name)"
      } | Select-Object SamAccountName, PasswordLastSet, @{n='SetBy';e={ $Env:Username }} |
        Out-File c:\PwdChanged.txt -Append
    }
  }
} Else {

  Write-Host "No users found" -ForegroundColor Red

}

Open in new window

There may be another way, but this is the way I know.

HTH

Chris
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief introduction to what I consider to be the best editor for PowerShell.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question