Wiktor

Reputation: 631

ConvertTo-SecureString how to use use password from file

I would like to use encrypted credentials to log in to a domain (without admin interference). I found the script below to encrypt a password. I will deploy the file with the encrypted password to machines.

# Encrypt the password with DPAPI (bound to the current user on this machine) and save the encrypted string.
# ConvertFrom-SecureString is required here: piping the SecureString straight to Out-File writes the literal text "System.Security.SecureString".
ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\Temp\Password.txt"
# Read the encrypted string back and turn it into a SecureString again (works only for the same user on the same machine).
$secureString = Get-Content "C:\Temp\Password.txt" | ConvertTo-SecureString
$User = "MyUserName"
$File = "C:\Temp\Password.txt"
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $File | ConvertTo-SecureString)

I would like to use the variable "$MyCredential", which stores the user and the encrypted password from the file, and then use it to join the domain. Not sure how.

Upvotes: 0

Views: 879
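The flow the question is reaching for, written out end to end as an added example (this is not code from the question or the answer). The account name 'CONTOSO\joiner', the domain 'contoso.example', and the file paths are constructed placeholders. The important check it adds is that the default ConvertFrom-SecureString output is DPAPI-protected for the user and machine that created it, so a file produced on one machine and copied to another will not decrypt there; the -Key variant is portable, but then the key file is the secret and anyone holding both files can recover the password.

```powershell
# Added example: store a DPAPI-protected password, rebuild a PSCredential from it, and use it for Add-Computer.
# 'CONTOSO\joiner', 'contoso.example' and the paths below are placeholders (assumptions, not values from the page).

$PasswordFile = 'C:\Temp\Password.txt'

# --- Step 1 (run once, as the same Windows user who will later read the file, on the same machine) ---
# Read-Host -AsSecureString keeps the plaintext out of the command line and transcript.
Read-Host -Prompt 'Password for the domain-join account' -AsSecureString |
    ConvertFrom-SecureString |        # DPAPI-protect; without this, Out-File writes "System.Security.SecureString"
    Set-Content -Path $PasswordFile

# --- Step 2: helper that rebuilds the credential and reports whether the file is usable in this context ---
function Get-JoinCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path,
        [byte[]] $Key                  # optional AES key (16/24/32 bytes) for files written with -Key
    )
    $encrypted = Get-Content -Path $Path -Raw
    try {
        $secure = if ($Key) {
            $encrypted | ConvertTo-SecureString -Key $Key
        } else {
            $encrypted | ConvertTo-SecureString     # throws if a different user or machine wrote the file
        }
    } catch {
        throw "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME. " +
              "DPAPI-protected files only decrypt for the user and machine that created them: $($_.Exception.Message)"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# --- Step 3: join the domain with the rebuilt credential ---
$cred = Get-JoinCredential -UserName 'CONTOSO\joiner' -Path $PasswordFile
Add-Computer -DomainName 'contoso.example' -Credential $cred -Restart

# --- Portable variant (what "deploy the file to machines" actually requires) ---
# A 256-bit AES key makes the encrypted string readable on any machine, but the key IS the secret:
# whoever has both $KeyFile and $PasswordFile has the password, so never ship them side by side.
$KeyFile = 'C:\Temp\Password.key'
$aesKey  = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($aesKey)
[System.IO.File]::WriteAllBytes($KeyFile, $aesKey)
Read-Host -Prompt 'Password for the domain-join account' -AsSecureString |
    ConvertFrom-SecureString -Key $aesKey |
    Set-Content -Path $PasswordFile
$portableCred = Get-JoinCredential -UserName 'CONTOSO\joiner' -Path $PasswordFile -Key ([System.IO.File]::ReadAllBytes($KeyFile))
```

Add-Computer needs the computer to be able to reach a domain controller and runs elevated; the -Restart switch reboots to complete the join. Because the join account's password is recoverable by anyone who can read the file (plus the key, in the portable variant), give that account only the right to join computers to the target OU and restrict the file's ACL to the account that runs the script.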

Answers (1)

FoxDeploy

Reputation: 13537

As a totally different approach to your question, given that these machines are running Windows 10, you can create MDM Enrollment Packages using Windows Image Configuration and Designer (WICD), which can contain instructions to enroll a machine on a domain.

The user experience would be that you distribute the file (WICD generates a .PPKG or provisioning package file type, which Windows 8.1 and up can natively use), either by a thumb drive or e-mail, or another method, and then someone double-clicks the file and it would seamlessly enroll the device in the domain from there.

How to create a domain enrollment package

Launch WICD then choose 'Advanced Provisioning' from the bottom of the list of options. Provide a path to save the file.

Next, expand out to this path: Runtime Settings\Accounts\ComputerAccount

The minimum settings you'll need to provide are:

  • DomainName - Name of the domain to join
  • Account - Account with domain join perms
  • Password - Password of the above account
  • AccountOU (optional) - the OU into which the device should be placed after enrollment

When this is done, you'll see the following in the column on the right.

Finally, export the Package by clicking Export \ Provisioning Package. A word of caution, the password will be obfuscated within the provisioning package, but a very determined assailant could recover the PW.

Optional configurations you might like

If you have the means, you could optionally Sign the package, if your target machines trust a certificate you can issue, for added convenience. If you use this route, the enrollment will be completely silent and the user will not have to click 'Accept'. I provide details on doing that in this blog post.

If you don't Sign the package, a user will have to click 'OK', as shown in this screenshot.

If you choose to apply Encryption to the package, you'll need to also come up with a way to share the password with your target users. This adds extra security to the contents of the package.

I know this is different from what you originally asked, but in my mind and experience, this is the safest and most professional way you could approach enrolling existing machines into your environment safely and securely.

Upvotes: 1
