Richard Siddaway's Blog
Of PowerShell and Other Things
July 05

Passwords: The last word?

Comments from Martin and Stephen on this post - http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!1509.entry - have produced a solution that does what I want. I can use Read-Host to get a secure string - so I don't have to type the password in clear or store it in the script or anywhere else. I can then convert that into a form I can use to create an AD account where the account is enabled and the password is usable.

    $secpass = Read-Host "Password" -AsSecureString
    New-QADUser -FirstName "Jo" -LastName "Smith" -DisplayName "Jo Smith" -SamAccountName "josmith" `
    Set-QADUser -Identity "manticore\josmith" -ObjectAttributes @{useraccountcontrol=512}

As before we get the password as a secure string. We then use System.Management.Automation.PSCredential to generate a security credential. It is a dummy credential that we won't be using anywhere, so the userid can be anything, and for the password we use our secure string. We then create the user account as before, except we use $cred.GetNetworkCredential().Password to get the password in a form that is usable by AD.

More info on System.Management.Automation.PSCredential can be found here: http://msdn.microsoft.com/en-us/library/system.management.automation.pscredential(VS.85).aspx

Thank you to everyone who has commented on this series of posts. If the answer is out there the PowerShell community will find it.
Technorati Tags: PowerShell,Active Directory

July 04

By The Way

With reference to my last post - I finally read down to the bottom of the post I quoted and saw the comment about putting " " round the password when trying to set it. It allows the creation of the account and account enabling, but the password is not usable to log on. I have a password history of 24 set on the domain, but it still let me change the user's password in AD Users & Computers to the value that I had tried to set as a secure string, meaning that whatever the password was set to, it wasn't what I thought it was.

Still looks like you can't use secure strings as passwords. Unless someone knows better. If so, please let me know, as I am intrigued by this.
Technorati Tags: PowerShell,Active Directory
Passwords when creating AD Users

In this post http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!1504.entry I showed how to create a user account in AD as part of a series in developing functionality in a script. In a comment Bruno pointed out I had an error in the script, in that I was using

    $defaultPassword = Read-Host "Please enter default Password" -asSecureString

to get a password and then using

    $newuser.SetPassword($defaultPassword.ToString())

to set the password. If a user tries to log on with that password the logon attempt will fail. If you don't use the .ToString() method when setting the password the operation will fail, a password will not be set and the account will not be enabled. The password must be entered as an ordinary string if using Read-Host, or embedded in the script, or passed as an argument. Unless you use the code Bruno obtained http://blog.netnerds.net/2007/07/powershell-exception-has-been-thrown-by-the-target-of-an-invocation/ you will not be able to use a secure string in your script and have the user log on.

This started me wondering about the AD cmdlets and how they behaved, so I tried a similar script

    $password = Read-Host "Password" -AsSecureString
    New-QADUser -FirstName "Jo" -LastName "Smith" -DisplayName "Jo Smith" -SamAccountName "josmith" `
    Set-QADUser -Identity "manticore\josmith" -ObjectAttributes @{useraccountcontrol=512}

and ran through a similar exercise:

- get password as secure string => password setting fails
- get password as secure string and convert to string => user created but can't log on
- get password as string => account created and user can log on

To summarise - we can't use a secure string as the password when creating AD accounts. This is a pity, as we now have to either type the password on screen during the creation process or embed it in the script. My immediate recommendation would be to use Read-Host but then use CLS to immediately clear the screen and remove the password from view. Alternatively embed the password in the script but don't enable the script. You could then reset the password and enable the account as a second phase. My preference is for the first method.

I am using PowerShell V2 CTP2 and the latest version of the cmdlets, so I don't think it is a version issue. The other annoyance is that using secure string made for a good demo - time to change that as well. On the other hand this does show the strength of the PowerShell community in catching this error. Thanks to Bruno.
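The "convert to string" case in the list above and the PSCredential conversion from the "Passwords: The last word?" post can be compared without touching Active Directory. This is an added example, not code from the original posts; the sample password and the helper name ConvertTo-PlainPassword are constructed for illustration.

```powershell
# Added example. Stands in for: $secpass = Read-Host "Password" -AsSecureString
# The password value below is constructed for illustration only.
$secpass = New-Object System.Security.SecureString
foreach ($ch in 'Constructed-Pa55word!'.ToCharArray()) { $secpass.AppendChar($ch) }
$secpass.MakeReadOnly()

# Hypothetical helper: wraps the SecureString in a throwaway PSCredential
# (the user name is never used) and reads the password back as a plain string.
function ConvertTo-PlainPassword {
    param([System.Security.SecureString]$SecureString)
    $cred = New-Object System.Management.Automation.PSCredential ('dummy', $SecureString)
    $cred.GetNetworkCredential().Password
}

# "Convert to string" case: SecureString does not override ToString(), so both
# .ToString() and "$secpass" give the .NET type name rather than the typed
# text, and that type name is what gets handed on as the password.
$viaToString  = $secpass.ToString()
$viaExpansion = "$secpass"

# The conversion that yields the text that was actually typed.
$viaCredential = ConvertTo-PlainPassword $secpass

# Report by comparison and length instead of echoing the password to the console.
New-Object PSObject -Property @{
    ToStringValue           = $viaToString
    ExpansionEqualsToString = ($viaExpansion -eq $viaToString)
    CredentialValueLength   = $viaCredential.Length
    CredentialIsTypeName    = ($viaCredential -eq $viaToString)
}

# The plain-text copy is an ordinary managed string: hold it only for the call
# that needs it, then drop the reference and dispose of the SecureString.
Remove-Variable viaCredential
$secpass.Dispose()
```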
Technorati Tags: PowerShell,Active Directory
IIS provider

Installed the IIS provider. One quick thing to note is that if you don't start PowerShell with elevated permissions you will see the following message:

    Process should have elevated status to access IIS configuration data.
Technorati Tags: PowerShell,IIS 7

July 03

IIS 7 PowerShell provider CTP 2

CTP 2 of the IIS 7 PowerShell provider is available. There is a large increase in the number of cmdlets available:

Backup-WebConfiguration

The provider can be downloaded from iis.net. More details here: http://blogs.msdn.com/powershell/default.aspx

I will be looking at this very soon. The additional cmdlets look very good.
Technorati Tags: PowerShell,IIS7