sara2000
asked on
PS script and Password
I have to run a PS script that connects vCenter to get-VM info. Connect-VIserver -server requires the password. I do not want to put this password in the script.
How can I avoid this?
ASKER
Right, I did that, and I get a Windows pop-up asking me to enter a user ID and password.
I want to schedule that script via Windows Task Scheduler. I do not want to put this user ID in the script.
Will it ask every time the task runs, or only one time?
ASKER CERTIFIED SOLUTION
If you want to run it as a task, then you'll have to save password after all.
This is pretty safe, though.
Let the task run under your account (otherwise this won't work).
On the machine where you want to run the task, open a PS console and run (alter the path to your liking)
Get-Credential | Export-Clixml -Path C:\Temp\cred.xml
In your script, you import the credential like this:
$cred = Import-Clixml C:\temp\cred.xml
The password can only be decrypted on the machine where it was encrypted, and by the user account who encrypted it.
ASKER
Does this mean that Get-Credential will pick the login user at the computer? If I have a non-AD account for vCenter, how do I encrypt administrator@vsphere.local or a non-AD account and its password (ABCDF) to store it in the file?
No … it won't pick the logged in user, but it will use the context of the logged in user to encrypt it.
So, if you saved it to the file, it will securely save the password for administrator@vsphere.local to the file.
However, only you can use the saved credentials in the script (and will no longer need to be prompted).
If anyone else attempts to use it, it will not work.
ASKER
PS is not my area. If I understand correctly, your first part of the script will ask for a username and password to store it in the file, am I correct?
Thanks.
Correct. You do that once … as a separate script. You don't put that into your vCenter script.
Get-Credential will only ask for any username/password combination and make sure that the password is kept safe; it doesn't care if it's a local user on the computer, an AD account, or Donald Duck.
The password you entered is never (not even in memory) stored as a clear text string, it's always encrypted. And as I said above, it's encrypted in such a way that only the account that entered the credentials can ever decrypt it again, and only on the machine where it was encrypted.
That is why the credentials need to be saved on the machine where the task is supposed to run, and with the user account that the task will run under.
You need to save the credentials only once initially, and after that only when either
* the vCenter account or its password changes
* the task is moved to another machine
* the account running the task is changed
Just try to copy the cred.xml file to another computer, and run the Import-Clixml command with it.
Or log on with another account on the same computer, and try the Import-Clixml with the other account on the same computer.
All you'll get is an error message, whereas the command will work just fine on the machine where you saved the credentials, and when logged on with the account you saved them with.
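The scheduled script described in this answer could look like the following. This is an added example, not code posted in the thread; the vCenter name `vcenter.example.local` and the file paths are placeholders, and it assumes VMware PowerCLI is installed and that cred.xml was created once, interactively, by the account the task runs under.

```powershell
# Added example; server name and paths are placeholders (assumptions).
# One-time setup, run interactively as the account the task will run under:
#   Get-Credential | Export-Clixml -Path C:\Temp\cred.xml

$CredPath = 'C:\Temp\cred.xml'
$Server   = 'vcenter.example.local'   # placeholder vCenter name
$LogPath  = 'C:\Temp\Get-VMInfo.log'
$OutPath  = 'C:\Temp\vm-info.csv'
$exitCode = 0

Start-Transcript -Path $LogPath -Append
try {
    try {
        # Fails if the file is missing, or was saved by another account or on another machine.
        $cred = Import-Clixml -Path $CredPath -ErrorAction Stop
    }
    catch {
        throw "Cannot read or decrypt $CredPath as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME. Re-create it with this account on this machine. Details: $($_.Exception.Message)"
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "$CredPath does not contain a PSCredential object."
    }

    Import-Module VMware.VimAutomation.Core -ErrorAction Stop
    $vi = Connect-VIServer -Server $Server -Credential $cred -ErrorAction Stop
    try {
        Get-VM -Server $vi |
            Select-Object Name, PowerState, NumCpu, MemoryGB |
            Export-Csv -Path $OutPath -NoTypeInformation
    }
    finally {
        # No confirmation prompt, so the task never waits for input.
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}
catch {
    Write-Error -ErrorRecord $_
    $exitCode = 1
}
finally {
    Stop-Transcript
}
exit $exitCode
```

The non-zero exit code shows up as the task's last run result, and the transcript records which account and machine the failed decryption was attempted from.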
ASKER
Thank you all for your contribution. I have one issue when I try to schedule.
The PS is asking me "Are you sure you want to perform this action?" when I test it manually.
I have to say "Yes" to continue to confirm
How do I achieve this in the script?
Add
-Confirm:$false
to the parameters of the cmdlet that asks. As in
Remove-Item C:\Temp\Test -Recurse -Confirm:$false
add -Force -Confirm:$false
ASKER
Thank you all, both solutions work perfectly, but I have another issue with the task scheduler.
Task Scheduler says that the task scheduler is currently running (0x$1301). Can this be an issue with the script?
If the Task Scheduler thinks it's running, then it's running. Without knowing what the script does, nobody can tell you any more.
You might want to add a log file to see what's happening.
Try {
    Start-Transcript -Path C:\Temp\Whatever.log
    # Your script goes here
} Catch {
    $_ | Write-Error
} Finally {
    Stop-Transcript
}
ASKER
Thank you for the help