Can I change the server administrator password using PowerShell SecureString?
I'm looking to write a script that will change the administrator password on a remote server using PowerShell. The following command will do this:

    $Admin = [adsi]("WinNT://" + $MyServer + "/Administrator,user")
    $Admin.SetPassword("NewPassword")

But I would like to be able to hide the "NewPassword" in the script to make it more secure.

So is there a way to save the "NewPassword" to a secure .txt file then be able to use it like this?

    $Admin.SetPassword("$secureFile")

The script will be run as a scheduled task.

Yes, you can use the ConvertTo-SecureString and ConvertFrom-SecureString cmdlets to encrypt the password before saving it to a file on disk.

However, keep in mind that you'll need an encryption key in order to encrypt/decrypt the password using the cmdlets. From the documentation:

"If an encryption key is specified by using the Key or SecureKey parameters, the Advanced Encryption Standard (AES) encryption algorithm is used. The specified key must have a length of 128, 192, or 256 bits because those are the key lengths supported by the AES encryption algorithm."

If you don't specify a key, the Windows Data Protection API (DPAPI) will be used for the encryption. This means that the key will be tied to the user account who invoked the cmdlets. Now, if you're running the script as a scheduled job this solution will work just fine.

Here's a couple of scripts that will save and read an encrypted password to an XML file on disk using a generated key:

    function Get-SecurePassword {
        <#
        .Synopsis
            Gets a password stored securely in an XML file.
        .Parameter Path
            The path to the XML file to import the password from.
        #>
        [CmdletBinding()]
        param(
            [Parameter(Position=1)]
            [string]$Path = "Password.xml"
        )
        if (Test-Path $Path) {
            $cache = Import-Clixml $Path
            # The AES key is read back from the same file as the ciphertext.
            $key = [System.Convert]::FromBase64String($cache.Secret)
            # Decrypt the stored string into a SecureString and return it.
            $password = $cache.EncryptedPassword | ConvertTo-SecureString -Key $key
            $password
        }
    }

    function Set-SecurePassword {
        <#
        .Synopsis
            Stores a password securely in an XML file.
        .Parameter Path
            The path to the XML file to export the password to.
        #>
        [CmdletBinding()]
        param(
            [Parameter(Position=1)]
            [string]$Password,
            [Parameter(Position=2)]
            [string]$Path = "Password.xml"
        )
        # 32 bytes = 256-bit AES key.
        $key = New-StrongPasswordBytes -Length 32
        $textualKey = [System.Convert]::ToBase64String($key)
        # ConvertFrom-SecureString only accepts a SecureString, so wrap the plain-text input first.
        $securePassword = ConvertTo-SecureString $Password -AsPlainText -Force |
            ConvertFrom-SecureString -Key $key
        # The key (Base64) is written to the same file as the encrypted password.
        $cache = New-Object PSObject -Property @{ "EncryptedPassword" = $securePassword; "Secret" = $textualKey }
        $cache.PSObject.TypeNames.Insert(0, "SecurePassword")
        $cache | Export-Clixml $Path
    }

    function New-StrongPasswordBytes ($length) {
        # Generates a password of $length printable characters and returns its UTF-8 bytes.
        Add-Type -Assembly System.Web
        $password = [System.Web.Security.Membership]::GeneratePassword($length, $length / 2)
        [System.Text.Encoding]::UTF8.GetBytes($password)
    }
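
The DPAPI route the answer mentions (no -Key), as an added example that is not part of the original answer: the file holds only the DPAPI-protected string and no key, so it decrypts only for the account that created it. The function names and the default file path are assumptions; the WinNT path and SetPassword call are the ones from the question.

```powershell
# Added example (not the answerer's code). Function names and the default
# file path are hypothetical.

function Save-DpapiPassword {
    # Run once, interactively, as the account the scheduled task runs under:
    # DPAPI ties the encrypted blob to the user who invoked the cmdlet.
    param([string]$Path = 'C:\Scripts\AdminPassword.txt')  # hypothetical path

    # -AsSecureString: the password is never typed into the script or echoed.
    $secure = Read-Host -Prompt 'New administrator password' -AsSecureString
    # No -Key / -SecureKey, so ConvertFrom-SecureString uses DPAPI.
    $secure | ConvertFrom-SecureString | Set-Content -LiteralPath $Path
}

function Set-RemoteAdminPassword {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$Path = 'C:\Scripts\AdminPassword.txt'       # hypothetical path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Password file '$Path' not found."
    }
    try {
        # Decrypts only under the account that created the file.
        $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Cannot decrypt '$Path' as '$env:USERNAME': $($_.Exception.Message)"
    }
    # SetPassword takes a plain string, so unwrap the SecureString in memory only.
    $plain = (New-Object System.Net.NetworkCredential('', $secure)).Password
    try {
        $admin = [adsi]"WinNT://$ComputerName/Administrator,user"
        $admin.SetPassword($plain)
    }
    finally {
        # Drop the reference; a .NET string cannot be wiped in place.
        $plain = $null
    }
}

# Scheduled task body:
# Set-RemoteAdminPassword -ComputerName 'MyServer'
```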