带凭证的 Powershell 远程处理

Question

While running remoting commands like Enable-PsSession , Invoke-command etc. we need to provide credentials with those commands.

I don't want to provide the credentials every time while executing these command.

Also lets say I stored the username in variable & using the variable while executing the command. I want to do this for the password as well. Could I do that ?

Eg:

Invoke-Command -ComputerName mycomputer -ScriptBlock { Get-ChildItem C:\ } -credential  mydomain\administrator

So here I am providing the password everytime while executing these command.

How should the commands take username & password automatically either from variable & some other mechanism ?

Answer 1

You can do:

$cred = get-credential #fill you credential in the pop-up window

and then:

Invoke-Command -ComputerName mycomputer -ScriptBlock { Get-ChildItem C:\ } -credential $cred

Remember that the password in $cred is easily recoverable in clear text!

Answer 2

Encrypt everything. Create an object calling the decrypted info as the password. Use it like that:

read-host -assecurestring | convertfrom-securestring | out-file C:\localdrivespace\username-password-encrypted.txt
$username = "domain\username"
$password = cat C:\localdrivespace\username-password-encrypted.txt | convertto-securestring
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

Answer 3

Powershell will default to the credentials of the user running the powershell session, if none are specified explicitly.

So if you run Powershell as a user with administrative privileges on the remote machine, you don't have to enter credentials when running the commands.

What you can do is you can create a scheduled task with stored credentials for a service account, and allow users (or just yourself) access to run the task.

http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/12/use-scheduled-tasks-to-run-powershell-commands-on-windows.aspx

Or you can store credentials in the Windows credential manager, which means they're encrypted using your Windows user.

https://gist.github.com/toburger/2947424

However with the credential manager solution, any user able to run scripts in your context will be able to extract the password in clear text.

This isn't a problem though, if you only use this for yourself, or if every admin running the scripts does so from his own user context.

Answer 4

Any automated script requiring a password is flawed. Comments in the other answers show how easy it is to reverse a secure string.

• Create a credentials variable: $cred = get-credential mydomain\\me
• Store the credentials in an xml export file: $cred | export-clixml credfile.xml $cred | export-clixml credfile.xml
• Obscure the file; add hidden attributes etc
• Load the credentials when needed: $cred=import-xmlcli \\hidden\\credfile.xml
• Execute the command requiring credentials: enter-pssession -computername server -credential $cred

This is what I do.