PowerShell command for using a specific set of credentials?

  • Question

  • I am in need of a PowerShell command to specify what credentials will be used. I will be using this for Microsoft Orchestrator.
    Wednesday, August 17, 2016 1:40 PM

Answers

  • Hi Afred,

    Alright, let me see, do I get this right:

    Your Microsoft Orchestrator runs under a specific Service Account. This runs a script as an action. Within this single script, you need to perform actions under different accounts which access the filesystem and write files.

    Thus you need to solve two issues:

    1. A way to store and retrieve credentials in a secure manner
    2. A way to use these credentials to write the file

    I have no personal experience with the Orchestrator, so I do not know what kind of Credential manipulation it has, but other than that, you can use Encrypt-Credential from the gallery to provide some security when storing credentials. You'll need to have access to the service account's password when creating stored credentials this way.

    For 2), once you have a credentials object, you map the target path as a psdrive (New-PSDrive), using the necessary credentials (-Credentials parameter).

    However, to truly do this the safest way, your best bet is actually something new and shiny: JEA (Just Enough Administration). It needs up-to-date WMF versions, but allows you to delegate the permissions of other users without having to specify foreign credentials. There is a helpful GUI toolkit that makes it easier to start with JEA.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    • Marked as answer by afred16 Thursday, August 18, 2016 5:14 PM
    Wednesday, August 17, 2016 3:05 PM
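
One way to implement the two steps from the answer, as an added example that is not part of the original post. It uses the built-in Export-Clixml/Import-Clixml cmdlets (which protect the password with Windows DPAPI) in place of the gallery's Encrypt-Credential, and the store path, function names, share and file names are hypothetical; note that the New-PSDrive parameter is spelled -Credential.

```powershell
# Assumed store location (hypothetical). Restrict its NTFS ACL to the service account.
$storeDir = 'C:\ProgramData\RunbookCreds'

# Step 1, one-time setup: run interactively AS the Orchestrator service account on the
# runbook server. The password is encrypted with DPAPI, so only this account on this
# machine can decrypt the resulting file.
function Save-TargetCredential {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path $storeDir)) { New-Item -ItemType Directory -Path $storeDir | Out-Null }
    Get-Credential -Message "Account for target '$Name'" |
        Export-Clixml -Path (Join-Path $storeDir "$Name.xml")
}

# Step 2, runbook action: load the stored credential, map the target share with it,
# write the file, and always remove the mapping again.
function Write-FileAs {
    param(
        [Parameter(Mandatory)][string]$Name,       # which stored credential to use
        [Parameter(Mandatory)][string]$SharePath,  # UNC root of the target share
        [Parameter(Mandatory)][string]$FileName,
        [Parameter(Mandatory)][string]$Content
    )
    # Accept a bare file name only, so the write cannot leave the mapped root.
    if ($FileName -ne [IO.Path]::GetFileName($FileName)) { throw "FileName must not contain a path." }

    $credFile = Join-Path $storeDir "$Name.xml"
    if (-not (Test-Path $credFile)) { throw "No stored credential named '$Name'." }
    # Decryption fails here if the script runs as another user or on another machine.
    $cred = Import-Clixml -Path $credFile -ErrorAction Stop

    $drive = New-PSDrive -Name "Tgt$PID" -PSProvider FileSystem -Root $SharePath `
                         -Credential $cred -ErrorAction Stop
    try {
        Set-Content -Path (Join-Path "$($drive.Name):\" $FileName) -Value $Content -ErrorAction Stop
    }
    finally {
        Remove-PSDrive -Name $drive.Name -Force
    }
}

# Usage (constructed sample values):
# Save-TargetCredential -Name 'finance'
# Write-FileAs -Name 'finance' -SharePath '\\fileserver01\finance' -FileName 'report.txt' -Content 'done'
```

Because the stored file is bound to the account and machine that created it, copying it to another host or reading it under another identity yields an undecryptable password, which is why the setup step has to be run as the service account itself.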

All replies

  • Hi,

    You've left out a few details necessary for helping you:

    • What will those credentials be used for?
    • Where should the decision on which credentials to use occur?
    • On what basis is that decision made?

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Wednesday, August 17, 2016 1:51 PM
  • Hi Afred,

    You can store the credential in a variable and then use it whenever you want:

    $cred = Get-Credential

    Best regards

    Wednesday, August 17, 2016 1:54 PM
  • Hi,

    You've left out a few details necessary for helping you:

    • What will those credentials be used for?
    • Where should the decision on which credentials to use occur?
    • On what basis is that decision made?

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Hey Fred, 

    Thank you for your response. In regard to your question: the credentials will be used for a service account to be able to run a command to create a file. The decision of which credentials to use varies based on the place where I am trying to create the file. Hope this helps.

    Afred :) 


    Wednesday, August 17, 2016 1:58 PM