Cryptography - Encrypting a Domain Service Account Password

  • Question

  • I have a script I created to automate adding computers to the domain.

    In our company, Users are not given rights to add computers to the domain.

    First I tested the script with plain text credentials.  Worked fine.

    Then I encrypted the password with AES256, and replaced the password in the script with AES.key and Password.txt.  Worked fine.

    Since the password can be easily decrypted, I next tried to move the files to a NTFS share and lock them down.  The problem I ran into here I believe, is that my variables are being called before the user is prompted for credentials for the share.

            $Serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
            $CNamePrefix = "Prefix-"
            $CNameSuffix = $Serial.SubString($Serial.Length - 7)   # last 7 characters of the serial
            $Pass = Get-Content "\\server\share\Password.txt"       # password encrypted with ConvertFrom-SecureString -Key
            $Key = Get-Content "\\server\share\AES.key"             # AES key bytes, one per line
            $User = "Domain\DomJoinSA"
            $Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, ($Pass | ConvertTo-SecureString -Key $Key)

            # Join Domain and Rename Computer based on variables above.
            Add-Computer -DomainName "Domain.com" -Credential $Credentials
            Rename-Computer -NewName ($CNamePrefix + $CNameSuffix) -DomainCredential $Credentials -Force

            Restart-Computer

    I see a bunch of PS errors fly by about AES.key and Password.txt not being found, but then also get prompted for credentials two times, I'm assuming that's probably to change the computer name and domain since the credentials were not properly supplied.

    Do I need to supply this path differently so that the user is prompted once? (Authenticated Users have rights to the share).


    There's no place like 127.0.0.1

    Wednesday, February 3, 2016 11:37 PM

Answers

  • I got it figured out.

    What I ended up doing as using New-PSDrive to map Z:, then reordered my steps a bit.

    -Matt

            $DomCred = Get-Credential -Credential "DOMAIN\"                                   # prompt once, for the share
            New-PSDrive -Name Z -Root \\SERVER\SHARE -Scope Global -PSProvider FileSystem -Credential $DomCred
            $Serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
            $CNamePrefix = "Prefix-"
            $CNameSuffix = $Serial.SubString($Serial.Length - 7)   # last 7 characters of the serial
            $Pass = Get-Content "Z:\Password.txt"                   # password encrypted with ConvertFrom-SecureString -Key
            $Key = Get-Content "Z:\AES.key"                         # AES key bytes, one per line
            $User = "Domain\DomJoinSA"
            $Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, ($Pass | ConvertTo-SecureString -Key $Key)

            # Join Domain and Rename Computer based on variables above.
            Add-Computer -DomainName "Domain.com" -Credential $Credentials
            Rename-Computer -NewName ($CNamePrefix + $CNameSuffix) -DomainCredential $Credentials -Force
            Restart-Computer


    There's no place like 127.0.0.1

    • Marked as answer by Matt5150 Monday, February 8, 2016 10:23 PM
    Monday, February 8, 2016 10:23 PM
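Both halves of the approach used in this thread, creating AES.key and Password.txt once and then reading them through a credentialed PSDrive as in the accepted answer, as an added example that is not code from the thread; the share path, drive letter, account name and both function names are assumptions:

```powershell
# Added example, not from the thread. Assumed: share \\SERVER\SHARE, drive Z,
# service account Domain\DomJoinSA; both function names are hypothetical.

# Run once by the administrator: writes AES.key and Password.txt to the share.
function New-EncryptedPasswordFiles {
    param(
        [Parameter(Mandatory)][string]$OutputFolder,
        [Parameter(Mandatory)][securestring]$Password
    )
    # 32 random bytes = an AES-256 key. Anyone who can read AES.key can decrypt
    # Password.txt, so the share ACL is the real control, not the encryption.
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    # One decimal byte per line, which is the form Get-Content | ConvertTo-SecureString -Key accepts.
    $key | Out-File -FilePath (Join-Path $OutputFolder 'AES.key')
    $Password | ConvertFrom-SecureString -Key $key |
        Out-File -FilePath (Join-Path $OutputFolder 'Password.txt')
}

# Run on the client: prompt once for the share, then build the join credential.
function Get-DomainJoinCredential {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [Parameter(Mandatory)][pscredential]$ShareCredential,
        [string]$User = 'Domain\DomJoinSA'
    )
    # Mapping the drive with explicit credentials is what fixes the original problem:
    # the Get-Content calls no longer run before the user has authenticated to the share.
    New-PSDrive -Name Z -PSProvider FileSystem -Root $SharePath -Scope Global `
        -Credential $ShareCredential | Out-Null
    try {
        $key    = Get-Content 'Z:\AES.key'
        $secure = Get-Content 'Z:\Password.txt' | ConvertTo-SecureString -Key $key
        New-Object System.Management.Automation.PSCredential($User, $secure)
    }
    finally {
        # Drop the mapping so key and ciphertext are not left reachable on the machine.
        Remove-PSDrive -Name Z -Force
    }
}

# Usage:
#   New-EncryptedPasswordFiles -OutputFolder '\\SERVER\SHARE' `
#       -Password (Read-Host -AsSecureString 'DomJoinSA password')
#   $cred = Get-DomainJoinCredential -SharePath '\\SERVER\SHARE' -ShareCredential (Get-Credential 'DOMAIN\')
#   Add-Computer -DomainName 'Domain.com' -Credential $cred
```

Restrict the share ACL to the account the deployment runs as rather than Authenticated Users, since whoever can read both files can recover the service account password.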

All replies

  • Read the following:

    Add workstations to domain

    Description

    This security setting determines which groups or users can add workstations to a domain.

    This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

    Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.

    Default: Authenticated Users on domain controllers.

    https://technet.microsoft.com/en-us/library/cc780195%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    \_(ツ)_/

    Thursday, February 4, 2016 12:35 AM
  • "By default..."

    I guess I should have said, in my company users are DENIED the right to add computers to the domain.


    There's no place like 127.0.0.1

    Thursday, February 4, 2016 6:00 AM
  • > "By default..."
    >
    > I guess I should have said, in my company users are DENIED the right to add computers to the domain.
    >
    > There's no place like 127.0.0.1

    I have heard that many times and it has never turned out to be true. Most Admins do not know how to block that.

    Usually what happens is the user is not a local admin. Only local admins can join a machine. The way we do this is to give users who are joining a machine access to the local admin account until the machine is joined. How this is done depends on why the user is joining a machine. If the machine is new and being provisioned from the network then it is set up so that the user is logged in as Admin (local) and they join the machine. The image setup then resets the Admin password and restarts. The machine is joined and the user never has to be a Domain Admin.

    If you post in the deployment forum they can teach you how to do these things and other great tricks for safe deployment and management of user workstations.

    Never distribute a domain admin password via any media in any encrypted form. There are web bots that scan for this constantly.


    \_(ツ)_/


    • Edited by jrv Thursday, February 4, 2016 6:27 AM
    Thursday, February 4, 2016 6:26 AM
  • It is denied via User Rights Assignment.

    It is not a Domain Admin Password. It's a Domain Service Account that only has rights to add computers to the domain.

    It will not be distributed. It will be onboard an image deployed to specific laptops, and self-delete at the completion of the script.

    I have a specific reason this needs to be done this way for a one-off Disaster Recovery project.

    -Matt


    There's no place like 127.0.0.1

    Thursday, February 4, 2016 7:07 AM
  • So what is the problem? You seem to have covered all bases. Ask a specific question. Ask a well targeted question. Your question is vague and has many references.

    Let's try with this clear script to see if it succeeds.

    $Pass = Get-Content \\server\share\Password.txt   # encrypted password string
    $Key = Get-Content \\server\share\AES.key         # AES key bytes, one per line
    $User = 'Domain\DomJoinSA'
    $psw = $Pass | ConvertTo-SecureString -Key $Key   # decrypt back into a SecureString
    $Credentials = New-Object System.Management.Automation.PSCredential($User, $psw)
    Add-Computer -DomainName Domain.com -Credential $Credentials
    Restart-Computer


    \_(ツ)_/


    • Edited by jrv Thursday, February 4, 2016 7:17 AM
    Thursday, February 4, 2016 7:17 AM