Backup Credentials Vault with VB Script

  • Question

  • We are in the process of migrating domains at the moment and have come across a tool that will "migrate" user profiles. Only issue is that the Windows Password Vault or Credential Manager loses all of the users' passwords.

    I was wondering if there is a way to script a backup of the Vault? Or can anyone recommend another tool or process to migrate user profiles so the end users don't lose their settings?

    Thanks in advance.

    Wednesday, December 21, 2016 6:05 AM

Answers

  • It may be that those tools won't perform exactly what you would like to do. In these cases you will need to research the technique that provides the least amount of friction for your users.


    -- Bill Stewart [Bill_Stewart]

    Friday, December 23, 2016 2:34 PM
    Moderator

All replies

  • So you have done some searching first, haven't you?

    -- Bill Stewart [Bill_Stewart]

    Wednesday, December 21, 2016 7:57 PM
    Moderator
  • Indeed I have, but have not found anything about scripting it and whether this is possible or not. I am guessing it is not possible at this stage.
    Wednesday, December 21, 2016 11:37 PM
  • Did you try the link I embedded in my previous response?

    -- Bill Stewart [Bill_Stewart]

    Thursday, December 22, 2016 4:54 AM
    Moderator
  • Sure did, am I missing something? The link takes me to a Google results page for "backup credential vault". I can't see anything relating to scripting the backup process or anything that tells me it is not possible. Perhaps my results are different to yours? Could you point me to a specific link if that was your intention.
    • Edited by J Red Thursday, December 22, 2016 6:22 AM
    Thursday, December 22, 2016 6:12 AM
  • Isn't that what you want to do? Back up a user's credential vault so you can restore it later?

    -- Bill Stewart [Bill_Stewart]

    Thursday, December 22, 2016 3:59 PM
    Moderator
  • Absolutely, but we want to script it so the users don't forget to back up their credentials before the migration.
    Thursday, December 22, 2016 11:20 PM
  • If you use MDT to migrate users it will back up the Web credentials and, I believe, the Windows credentials and certificates.  Credentials for the network cannot be moved between accounts.

    Post in MDT forum for help on migrating users.


    \_(ツ)_/

    Friday, December 23, 2016 12:10 AM
  • If you use MDT to migrate users it will back up the Web credentials and, I believe, the Windows credentials and certificates.  Credentials for the network cannot be moved between accounts.

    Post in MDT forum for help on migrating users.


    \_(ツ)_/

    Are you talking about the User State Migration Tool (USMT)? I have used this in the past but I can't remember if it does or not. I wasn't thinking of using it in this case as we are not upgrading OS or replacing hardware. I'll have a look into it and see if we can use it in this case.

    I'm also looking into the Active Directory Migration Tool (ADMT) to see if that will fill our needs.

    Thanks.


    • Edited by J Red Friday, December 23, 2016 1:01 AM
    Friday, December 23, 2016 1:00 AM
  • You cannot move passwords between accounts.  That is why there is no automated backup method.  The user can choose to back up the credentials from the GUI but they will not work on another system.  It is a local only backup.


    \_(ツ)_/

    Friday, December 23, 2016 7:59 PM
  • This sounds correct, if in fact the credentials are encrypted with DPAPI and thus would be tied to a particular account. A different account would not be able to decrypt the credentials in that case, so the burden would be on the user to back up and restore their own credentials.

    -- Bill Stewart [Bill_Stewart]

    Friday, December 23, 2016 11:34 PM
    Moderator
  • MDT and other tools can export the information minus the password.  The data can be reloaded into any account but the user must re-enter all passwords. There is no way to script this.

    If you are just moving users between OS versions then it is far easier to rom the user profile and let Windows rebuild it on the new OS.  If the account is the same domain account then the passwords will be retained.

    There are many third party tools that claim to be able to do this.  I have found that most have deficiencies that cause them to fail often.

    It is possible to create a script to extract the plain text passwords when run under the user account.  This is dangerous as it will expose all passwords if extreme care is not taken to guard all of the files.  Reloading can be done by a script run under the user account.  It is not recommended.  It is safer to have the users re-enter their passwords.

    Here is an example script: https://1drv.ms/u/s!AjiiPtIUqzK_gYUUm829bNnSJaKj5Q


    \_(ツ)_/



    • Edited by jrv Friday, December 23, 2016 11:47 PM
    Friday, December 23, 2016 11:43 PM
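
An inventory along the lines of "export the information minus the password" described in the post above, as an added example that is not part of the original thread and is not the linked script: it parses `cmdkey /list` output (English-language layout assumed) into target/type/user records, giving each user a checklist of entries to re-enter after the migration. The function name `ConvertFrom-CmdKeyList`, the sample entries and the CSV path are assumptions made for illustration.

```powershell
# Added example: records which credentials are saved, never the secrets themselves.
function ConvertFrom-CmdKeyList {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A new "Target:" line starts a new entry; emit the previous one first.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
        # Any other line (blank lines, persistence notes) is ignored.
    }
    if ($entry) { [pscustomobject]$entry }
}

# Constructed sample in the English "cmdkey /list" layout (not real data).
$sample = @'
Currently stored credentials:

    Target: Domain:target=fileserver01.example.test
    Type: Domain Password
    User: OLDDOM\jdoe

    Target: LegacyGeneric:target=git:https://git.example.test
    Type: Generic
    User: jdoe
'@ -split "`r?`n"

$inventory = ConvertFrom-CmdKeyList -Lines $sample
$inventory | Format-Table -AutoSize

# On a real machine, run in the user's own session before the migration:
# ConvertFrom-CmdKeyList -Lines (cmdkey /list) |
#     Export-Csv "$env:USERPROFILE\Documents\saved-credentials-todo.csv" -NoTypeInformation
```

The resulting list contains no passwords, so it can be kept with the migration notes; entries without a `User:` line come back with an empty `User` field.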
  • MDT and other tools can export the information minus the password.  The data can be reloaded into any account but the user must re-enter all passwords. There is no way to script this.

    This doesn't surprise me, if my assumption that the encryption is performed by DPAPI is correct, in which case only the specific user would be able to decrypt. So as part of the migration process, the user would need to keep track of their own passwords and enter them again after the migration is complete.


    -- Bill Stewart [Bill_Stewart]


    Saturday, December 24, 2016 3:42 PM
    Moderator