Reputation: 629
I'm using the following code to update multiple administrator passwords on managed computers. I have looked up documentation, but I cannot determine if the .setpassword command is secure over the network. Is it encrypted in any fashion?
I've heard mention that PowerShell sometimes encrypts commands using the network credentials of the logged-in user, but I cannot verify that.
foreach ($computer in Get-Content "hosts.txt") {
    $adminUser = [ADSI] "WinNT://$computer/Administrator"
    $adminpassword = ...
    Write-Output $computer
    Write-Output $adminpassword
    $adminUser.SetPassword($adminpassword)
}
Upvotes: 1
Views: 138
Reputation: 573
Maybe. I wish I could say yes or no. It depends. [grin]
Source: https://learn.microsoft.com/en-us/windows/win32/api/iads/nf-iads-iadsuser-setpassword
The LDAP provider for Active Directory uses one of three processes to set the password; third-party LDAP directories such as iPlanet do not use this password authentication process. The method may vary according to the network configuration. Attempts to set the password occur in the following order:
First, the LDAP provider attempts to use LDAP over a 128-bit SSL connection. For LDAP SSL to operate successfully, the LDAP server must have the appropriate server authentication certificate installed and the clients running the ADSI code must trust the authority that issued those certificates. Both the server and the client must support 128-bit encryption.
Second, if the SSL connection is unsuccessful, the LDAP provider attempts to use Kerberos.
Third, if Kerberos is unsuccessful, the LDAP provider attempts a NetUserSetInfo API call. In previous releases, ADSI called NetUserSetInfo in the security context in which the thread was running, and not the security context specified in the call to IADsOpenDSObject::OpenDSObject or ADsOpenObject. In later releases, this was changed so that the ADSI LDAP provider would impersonate the user specified in the OpenDSObject call when it calls NetUserSetInfo.
In Active Directory, the caller must have the Reset Password extended control access right to set the password with this method.
Upvotes: 2
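The quoted documentation makes the SSL step depend on the server presenting a certificate that the client trusts. The following is an added example, not code from either poster or from Microsoft, that checks that precondition from the machine that will run the script. It assumes LDAPS on the standard port 636; the function name `Test-LdapsTrust` and the server names are hypothetical placeholders.

```powershell
# Added example: checks whether a directory server offers LDAPS with a
# certificate this client trusts (the precondition for the SSL step quoted above).
# Assumptions: server names are placeholders; 636 is the standard LDAPS port.
function Test-LdapsTrust {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 636,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{
        Server = $Server; Reachable = $false; CertTrusted = $false
        Protocol = $null; CipherStrength = $null; Subject = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Server}:$Port timed out"
        }
        $client.EndConnect($async)
        $result.Reachable = $true

        # No validation callback is supplied, so the default policy applies:
        # the chain must lead to a trusted root and the name must match $Server.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $result.CertTrusted    = $true
        $result.Protocol       = $ssl.SslProtocol
        $result.CipherStrength = $ssl.CipherStrength   # negotiated key size in bits
        $result.Subject        = $ssl.RemoteCertificate.Subject
    }
    catch {
        # Untrusted issuer, name mismatch, closed port and timeout all land here.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$result
}

# Constructed server list; replace with your own directory servers.
'dc01.example.com', 'dc02.example.com' |
    ForEach-Object { Test-LdapsTrust -Server $_ } |
    Format-Table Server, Reachable, CertTrusted, Protocol, CipherStrength, Error
```

A row with `CertTrusted` false means the certificate or trust condition the quoted text gives for LDAP SSL is not met from this client, and per that text the provider then moves on to the later methods in the list.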