PS script and Password

sara2000
I have to run a PS script that connects to vCenter to get-VM info. Connect-VIServer -Server requires the password. I do not want to put this password in the script.
How can I avoid this?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
With Get-Credential:
$cred = Get-Credential -Message "Enter the VCenter Credentials"    # you can optionally add a default user using -UserName <DefaultUsername>
Connect-VIServer -Server ... -Credential $cred


Author

Commented:
Right, I did that, and I get a Windows pop-up asking me to enter a user ID and password.
I want to schedule that script via the Windows Task Scheduler. I do not want to put this user ID in the script.
Will it ask every time the task runs, or only one time?
Citrix Technology Professional / Director of TechDev Services, IPM
Commented:
You do this only once:
$creds = Get-Credential
$pwLocation = "C:\PowerShell\Credentials\secureCreds.txt"
$creds.Password | ConvertFrom-SecureString | Set-Content $pwLocation



You can then use this in your PowerShell script:
$userName = "username@domain.com"
$pwLocation = "C:\PowerShell\Credentials\secureCreds.txt"
$securePW = Get-Content $pwLocation | ConvertTo-SecureString
$creds = New-Object System.Management.Automation.PSCredential($userName, $securePW)
Connect-VIServer -Server ... -Credential $creds


Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
If you want to run it as a task, then you'll have to save the password after all.
This is pretty safe, though.
Let the task run under your account (otherwise this won't work).
On the machine where you want to run the task, open a PS console and run (alter the path to your liking):
Get-Credential | Export-Clixml -Path C:\Temp\cred.xml


In your script, you import the credential like this:
$cred = Import-Clixml C:\temp\cred.xml


The password can only be decrypted on the machine where it was encrypted, and by the user account who encrypted it.

Author

Commented:
Does this mean that Get-Credential will pick the login user at the computer? If I have a non-AD account for vCenter, how do I encrypt administrator@vsphere.local or a non-AD account and its password (ABCDF) to store it in the file?
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
No … it won't pick the logged in user, but it will use the context of the logged in user to encrypt it.
So, if you saved it to the file, it will securely save the password for administrator@vsphere.local to the file.
However, only you can use the saved credentials in the script (and will no longer need to be prompted).
If anyone else attempts to use it, it will not work.

Author

Commented:
PS is not my area. If I understand correctly, the first part of your script will ask for a username and password to store in the file, am I correct?
Thanks.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Correct. You do that once … as a separate script. You don't put that into your vCenter script.
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Get-Credential will only ask for any username/password combination and make sure that the password is kept safe; it doesn't care if it's a local user on the computer, an AD account, or Donald Duck.
The password you entered is never (not even in memory) stored as a clear text string; it's always encrypted. And as I said above, it's encrypted in such a way that only the account that entered the credentials can ever decrypt it again, and only on the machine where it was encrypted.
That is why the credentials need to be saved on the machine where the task is supposed to run, and with the user account that the task will run under.
You need to save the credentials only once initially, and after that only when either
* the vCenter account or its password changes
* the task is moved to another machine
* the account running the task is changed
Just try to copy the cred.xml file to another computer, and run the Import-Clixml command with it.
Or log on with another account on the same computer, and try the Import-Clixml with the other account on the same computer.
All you'll get is an error message, whereas the command will work just fine on the machine where you saved the credentials, and when logged on with the account you saved them with.
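
The save-once, load-in-the-task pattern from the answers above, as an added example that is not part of the original thread: it saves a credential with Export-Clixml, restricts the file's ACL to the saving account, and loads it so that a file created by another account or on another machine produces a clear error instead of a prompt. The function names, the temp path and the constructed demo password are assumptions for illustration.

```powershell
# Added example (not from the thread). Path, function names and password are constructed.
$credPath = Join-Path $env:TEMP 'vcenter-cred-demo.xml'

function Save-TaskCredential {
    param([Parameter(Mandatory)][pscredential]$Credential,
          [Parameter(Mandatory)][string]$Path)
    # Export-Clixml only encrypts SecureString values on Windows (DPAPI, per user and machine).
    if ([Environment]::OSVersion.Platform -ne 'Win32NT') {
        throw 'Refusing to save: the password would not be encrypted on this platform.'
    }
    $Credential | Export-Clixml -Path $Path
    # Defense in depth: drop inherited ACEs so only the saving account has access to the file.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.SetAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Import-TaskCredential {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Credential file not found: $Path" }
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        # Typical cause: the file was created by another account or on another machine.
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME. Re-create it as this account. $($_.Exception.Message)"
    }
    if ($cred -isnot [pscredential]) { throw "$Path does not contain a PSCredential." }
    $cred
}

# One-time setup. Real use would call Get-Credential here; the constructed
# password below only keeps the demo runnable without a prompt.
$demoPw = ConvertTo-SecureString 'Constructed-Demo-Pw1!' -AsPlainText -Force
$demo   = New-Object System.Management.Automation.PSCredential('administrator@vsphere.local', $demoPw)
Save-TaskCredential -Credential $demo -Path $credPath

# The file holds an encrypted blob, not the clear-text password.
if (Select-String -Path $credPath -SimpleMatch 'Constructed-Demo-Pw1!' -Quiet) { throw 'Plaintext found in file' }

# In the scheduled script: load without prompting and fail loudly instead of hanging.
$cred = Import-TaskCredential -Path $credPath
"Loaded credential for $($cred.UserName)"
# Connect-VIServer -Server ... -Credential $cred   # as in the thread; needs VMware PowerCLI
Remove-Item -LiteralPath $credPath   # demo cleanup only
```

Anything that runs as the saving account on that machine can still decrypt the file, so the task account itself should be treated as holding the vCenter password.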

Author

Commented:
Thank you all for your contribution. I have one issue when I try to schedule.
PS is asking me "Are you sure you want to perform this action?" when I test it manually.
I have to say "Yes" to continue to confirm.
How do I achieve this in the script?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Add
-Confirm:$false


to the parameters of the cmdlet that asks.
As in
Remove-Item C:\Temp\Test -Recurse -Confirm:$false


Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Add -Force -Confirm:$false

Author

Commented:
Thank you all, both solutions work perfectly, but I have another issue with the Task Scheduler.
Task Scheduler says that the task scheduler is currently running (0x$1301). Can this be an issue with the script?
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
If the Task Scheduler thinks it's running, then it's running. Without knowing what the script does, nobody can tell you any more.
You might want to add a log file to see what's happening.
Try {
	Start-Transcript -Path C:\Temp\Whatever.log
	# Your script goes here
} Catch {
	$_ | Write-Error
} Finally {
	Stop-Transcript
}


Author

Commented:
Thank you for the help
