How to make windows' runas.exe take password from credential manager with no prompt?
I am trying to create a shortcut that would take credentials from the credential manager, like so:
cd C:\code\Kodex-1.4.3\EPD_Prerequisite\Anaconda2\
$line1 = "cd C:\Code\EPMD\Kodex-1.4.4\Applications\Bin\EpmdTaskManager"
$line2 = "start EpmdTaskManagerGui.exe hide"
$line1 | out-file auto1.bat -Encoding Ascii
$line2 | Out-File -append auto1.bat -Encoding Ascii
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("C:\Users\matanv.HOBART\Desktop\Kodex 1.4.4.lnk")
$Shortcut.TargetPath = """C:\WINDOWS\system32\runas.exe"""
$argA = "/user:%computername%\Admin /savecred"
$argB = """C:\code\Kodex-1.4.3\EPD_Prerequisite\Anaconda2\auto.bat"""
$Shortcut.Arguments = $argA + " " + $argB
$Shortcut.Save()
This works fine, with one problem: The first time I run the script, I get prompted for password.
I want to never get prompted for password, and to store it in the credential manager using some (maybe other) script.
How can it be done?
Thanks
Moving from comment to here for OP
Here's the thing to keep in mind with this savecred thing. It's really dangerous, depending on where you are using it. Once you do it, like you've noted, all you have to do is pass the account name and never get prompted, which means anyone with even the simplest of skills could walk up to and take over this machine. Even if you delete the shortcut that started it, those creds are always live, and one can create any shortcut, set the properties, and they are off to the races.
Hence, though savecred is really convenient, it should be limited to only machines in absolute control of the person using it. For example.
Anyway, you can get creds into CredMan without using RunAs /SaveCred, yes, even with PowerShell. There are many scripts online to show you how, even ones directly from the TechNet PowerShell Gallery and the MS powershellgallery.com.
How to add credentials to the Windows Vault (PowerShell)
This PowerShell script shows how to add credentials for specific users.
Download : addwindowsCredential.zip
CredentialManager 2.0
From powershellgallery.com, via your PowerShell session.
Find-Module -Name '*credentialmanager*' | Format-Table -AutoSize
Version Name                          Repository Description
------- ----                          ---------- -----------
2.0     CredentialManager             PSGallery  Provides access to credentials in the Windows Credential Manager
1.1.1.0 IntelliTect.CredentialManager PSGallery  Provides an easy-to-use interface to the Windows Credential Manager via PowerShell.
1.0.9   pscredentialmanager           PSGallery  This module allows management and automation of Windows cached credentials.
1.0.0.0 BAMCIS.CredentialManager      PSGallery  Provides a PowerShell wrapper around the Windows Credential Manager Win32 APIs.
See also:
Manipulate credentials in the Windows 8/2012 PasswordVault using Powershell
This module demonstrates how to use the new Windows 8/2012 PasswordVault API from Powershell.
Download : PasswordVault.psm1
You can also do this with the built-in cmdkey.exe
Creates, lists, and deletes stored user names and passwords or credentials.
But you would need to run in the user context to do this, and that is what MS SysInternals PSExec can provide. Just create a ScheduledTask for RunOnce / at startup to fire off the command to do this.
OK, I digress. So, all-in-all, there are a few ways to set up Kiosk Mode on Windows, and MS has documented Kiosk mode for some time now
(You don't say what OS you are targeting - as similar articles exist for them).
For Win 10 it is here:
Set up a single-app kiosk
The above provides direct instructions on how to set this mode up in PowerShell, snippet of those steps below, but be sure to read the entire document.
Set up a kiosk using Windows PowerShell
App type: UWP
OS edition: Windows 10 Pro, Ent, Edu
Account type: Local standard user
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. Before you run the cmdlet:
- Log in as administrator.
- Create the user account for Assigned Access.
- Log in as the Assigned Access user account.
- Install the Universal Windows app that follows the assigned access/above the lock guidelines.
- Log out as the Assigned Access user account.
- Log in as administrator.
To open PowerShell on Windows 10, search for PowerShell and find Windows PowerShell Desktop app in the results. Run PowerShell as administrator.
# Configure assigned access by AppUserModelID and user name
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
# Configure assigned access by AppUserModelID and user SID
Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
# Configure assigned access by app name and user name
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
# Configure assigned access by app name and user SID
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
Note: To set up assigned access using -AppName, the user account that you specify for assigned access must have logged on at least once.
Learn how to get the AUMID.
Learn how to get the AppName (see Parameters).
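
Returning to the /savecred warning earlier in this answer, the following is an added example, not part of the original answer: it parses `cmdkey /list` output to find the credentials that stay live after the shortcut is deleted, and removes them on request. The function names are hypothetical; it assumes English-language cmdkey output and that entries saved by runas /savecred carry a `Domain:interactive=` target.

```powershell
# Added example (hypothetical helper names). Assumes English cmdkey output and
# that runas /savecred entries appear with a "Domain:interactive=" target.
function Get-CmdkeyEntry {
    param(
        # Lines of `cmdkey /list` output; defaults to the current user's store.
        [string[]]$CmdkeyOutput = (& cmdkey.exe /list)
    )
    $entry = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { $entry }   # emit the entry that just ended
            $entry = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    if ($entry) { $entry }           # emit the last entry
}

function Remove-CmdkeyEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Target)
    process {
        # -WhatIf previews; without it the stored credential is deleted.
        if ($PSCmdlet.ShouldProcess($Target, 'cmdkey /delete')) {
            & cmdkey.exe "/delete:$Target"
        }
    }
}

# Constructed sample output, not captured from a real machine.
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=WORKSTATION01\Admin
    Type: Domain Password
    User: WORKSTATION01\Admin

    Target: LegacyGeneric:target=ExampleApp
    Type: Generic
    User: exampleuser
'@ -split "`r?`n"

# Show only the entries that let runas start processes without a prompt.
Get-CmdkeyEntry -CmdkeyOutput $sample |
    Where-Object { $_.Target -like 'Domain:interactive=*' } |
    Format-Table -AutoSize
# On a live machine, review first, then remove:
# Get-CmdkeyEntry | Where-Object { $_.Target -like 'Domain:interactive=*' } | Remove-CmdkeyEntry -WhatIf
```

The stored credentials belong to the user profile that ran runas, so the audit has to run in that user's context.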