
I've written a small .ps1 script which automates simple commands in an attempt to fix any issues with the default printer on an end user's machine. How can I pass credentials in this script so that it always runs with elevated privileges?

net stop spooler

Remove-Item C:\Windows\System32\spool\PRINTERS\* -Force

net start spooler

This would be used across many different domains, but the admin username/password are consistent across all machines. I saw a similar question here, but the methods shown either involved saving the password as a .xml and then recalling it (which would make the password visible to the non-admin), or the method simply wouldn't work for me; maybe it was my execution? Normally I wouldn't be comfortable scripting admin credentials into plain text, but the script isn't actually saved on the end user's machine, only executed in the background through RMM. Any help is appreciated.

Conner X

1 Answer

I found the following article very helpful on how to secure credentials and use credentials stored in a text file:

http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-1/

Basically, you would do the following:

"<password>" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "<filename>.txt"

You will then have a secure string file that would store your password for use in your script. You could also use the following command in order to perform the same action without ever having to use a plain text password:

(Get-Credential).Password | ConvertFrom-SecureString | Out-File "<filename>.txt"

You can then add the following code to your script in order to use the stored password. I would recommend a shared location on the workstation that only the admin has access to, and using it to run the mentioned script:

$credentials = Get-Content "<filename>.txt" | ConvertTo-SecureString

The final step is creating an object to use the credentials:

$adminCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "<username>", (Get-Content "<filename>.txt" | ConvertTo-SecureString)

I leave to your imagination how you can then use the credentials in your script.

JCK
  • This is the most helpful solution I've seen so far, especially since I don't have to fiddle with any domain names. Nothing I've seen actually demonstrates how to use the new credential object to auto-fill the credential prompt. I'm new to automation, so if you or anyone else could point me in the right direction it'd be appreciated. – Conner X May 27 '16 at 14:08
  • I try running commands with -Credential $MyCredential after following along with the article, but it returns the syntax instead of executing the command? – Conner X May 27 '16 at 14:55
  • It turns out that the problem was that I was trying to pass the credentials of a local admin. Apparently, you can only automate the passing of credentials with a domain admin unless you disable UAC, which for me isn't an option. So, it looks like a brick wall this time, unless I do something hackish. – Conner X Jun 03 '16 at 15:58
  • Have you considered using Invoke-Command? You will need to ensure PSRemoting is enabled on the workstations and pipe the credentials when running the command. If you have PS Remoting enabled in your domain, this is an option to get it working. – JCK Jun 06 '16 at 09:27
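
The following is an added example, not code from any of the posts above: it loads the secure string file described in the answer, builds the credential object, and passes it to Invoke-Command as suggested in the last comment. When ConvertFrom-SecureString is used without -Key, the file is protected with Windows DPAPI and can only be decrypted by the same user account on the same machine that created it, so the example reports that failure explicitly. The function names, the file path, the account name and the computer name are placeholders.

```powershell
# Added example; every name, path and host below is a placeholder.
function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Credential file not found: $Path"
    }
    try {
        # Without -Key, ConvertTo-SecureString decrypts with DPAPI, which only
        # succeeds for the same user on the same machine that wrote the file.
        $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

function Clear-PrintQueue {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Requires PowerShell remoting to be enabled on the target workstation.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Remove-Item -Path 'C:\Windows\System32\spool\PRINTERS\*' -Force
        Start-Service -Name Spooler
        (Get-Service -Name Spooler).Status   # returned to the caller
    }
}

# One-time setup, run interactively as the account that will later run the script:
#   (Get-Credential).Password | ConvertFrom-SecureString | Out-File 'C:\AdminOnly\printfix.txt'

$cred = Get-StoredCredential -UserName 'CONTOSO\printadmin' -Path 'C:\AdminOnly\printfix.txt'
Clear-PrintQueue -ComputerName 'WORKSTATION01' -Credential $cred
```

Because the file is bound to the creating user and machine, it has to be generated in the context that will run the script; copying one file to every workstation will fail at the decryption step.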