
I have used the Start-Transcript command in my PowerShell profile. This is very useful for me to review the console output of my scripts at a later point in time when required. However, at times I also directly run some commands that include a ClearText password like the Set-ADAccountPassword cmdlet. Now, these passwords also get captured in the Transcript log file which poses a security risk.

So, is there a way PowerShell can recognize these password-related commands and hide them with *'s in the Transcript log file?

I do not see any parameter in the Start-Transcript that would enable this behavior. Is there a workaround?

EDIT: The command used (with a ClearText password) is like the one below:

Set-ADAccountPassword -Identity 'CN=Elisa Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
Karthick Ganesan
  • Please add an example of how you use a **ClearText password** in that question as [`Set-ADAccountPassword`](https://learn.microsoft.com/en-us/powershell/module/addsadministration/set-adaccountpassword) only accepts **`[SecureString]`** types for a password... – iRon Jun 27 '20 at 12:14
  • See also: [Hide not the output but the actual command containing sensitive info in devops logs](https://stackoverflow.com/a/70068361/1701026) – iRon Feb 24 '22 at 10:26
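As an added example (not code from the question or the answer): Start-Transcript has no redaction parameter, but an existing transcript can be audited after the fact for the pattern in the question, a `ConvertTo-SecureString -AsPlainText "..."` call with the password typed as a literal, and a redacted copy can be written. The function names, the file paths and the sample transcript lines are constructed for this example. Redaction is damage control only: the original file still holds the secret until it is securely deleted, and any password that was captured in clear text should be treated as exposed and rotated.

```powershell
# Added example, not code from the question or the answer.
# Scans Start-Transcript output for ConvertTo-SecureString calls that carry a
# plain-text literal (-AsPlainText "...") and produces a redacted copy.
# Assumptions: file paths, function names and the sample transcript lines below
# are constructed for this example.

# One ConvertTo-SecureString call with its argument tokens: parameter names
# (-AsPlainText, -Force, -String), quoted literals, or variables. The match
# stops at the closing parenthesis of the sub-expression.
$script:SecureStringCall =
    '(?i)ConvertTo-SecureString(?:\s+(?:-[A-Za-z]+|"(?:[^"`]|`.)*"|''(?:[^'']|'''')*''|\$\w+))*'
$script:QuotedLiteral = '"(?:[^"`]|`.)*"|''(?:[^'']|'''')*'''

function Hide-PlainTextPassword {
    # Returns the line with every quoted literal inside an -AsPlainText call
    # replaced by "********". Calls that only pass an already-protected string
    # (no -AsPlainText, as in the answer) are left untouched.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    $result = $Line
    foreach ($call in [regex]::Matches($Line, $script:SecureStringCall)) {
        if ($call.Value -notmatch '(?i)-AsPlainText') { continue }
        $redactedCall = [regex]::Replace($call.Value, $script:QuotedLiteral, '"********"')
        $result = $result.Replace($call.Value, $redactedCall)
    }
    return $result
}

function Protect-TranscriptFile {
    # Writes a redacted copy of a transcript and reports which lines changed.
    # The original file still contains the secret: overwrite or delete it
    # afterwards, and rotate any password that was captured in clear text.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutPath = "$Path.redacted.txt"
    )
    $lineNumber = 0
    $hits = @()
    $redacted = foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNumber++
        $clean = Hide-PlainTextPassword -Line $line
        if ($clean -ne $line) {
            $hits += [pscustomobject]@{ Line = $lineNumber; Redacted = $clean }
        }
        $clean
    }
    Set-Content -LiteralPath $OutPath -Value $redacted
    return $hits
}

# Constructed sample: what a transcript captures when the command from the
# question is typed at the prompt, next to a call that uses a protected string.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-transcript.txt'
@'
PS C:\> Set-ADAccountPassword -Identity elisada -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force)
PS C:\> Set-ADAccountPassword -Identity elisada -NewPassword (ConvertTo-SecureString $NewPassword)
PS C:\> Get-ADUser elisada
'@ | Set-Content -LiteralPath $sample

Protect-TranscriptFile -Path $sample | Format-Table -AutoSize
```

Running this flags only the first sample line and writes the copy with the literal replaced by `"********"`; the second line, which passes a protected string without `-AsPlainText`, is reported as unchanged. A password literal that itself contains an unescaped quote or parenthesis is outside what the token pattern handles, so the redacted copy should be reviewed rather than trusted blindly.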

1 Answer


All passwords accepted by the Set-ADAccountPassword cmdlet are encrypted (SecureString) passwords:

Set-ADAccountPassword
   [-WhatIf]
   [-Confirm]
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADAccount>
   [-NewPassword <SecureString>]
   [-OldPassword <SecureString>]
   [-Partition <String>]
   [-PassThru]
   [-Reset]
   [-Server <String>]
   [<CommonParameters>]

Nevertheless, if you come across a cmdlet (or an external command) that accepts plain text passwords, that would be your security weakness to be resolved as that is not just captured by Start-Transcript but also sent to the host console and displayed.

That said, you should not hardcode passwords in your scripts as in the example of Set-ADAccountPassword:

Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "qwert@12345" -Force)

Instead, use the encrypted string as input for ConvertTo-SecureString.
To create the secure string, use the following command (don't hardcode this in your scripts either):

Read-Host -Prompt "Enter password" -AsSecureString | ConvertFrom-SecureString

Results:

12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d

And use the results in the concerned script (without the -AsPlainText switch), e.g.:

$OldPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
$NewPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString $OldPassword) -NewPassword (ConvertTo-SecureString $NewPassword)

note 1: The encrypted string is only supposed to work under the account where it is created.

note 2: quote from the SecureString Class:

We don't recommend that you use the SecureString class for new development. For more information, see SecureString shouldn't be used on GitHub.

iRon
  • Thank you iRon, this is helpful. At times, I'm having to reset passwords in bulk. I usually generate some *random passwords* in a column in Excel, use the `Set-ADAccountPassword` command as I stated in my question in a new column and then copy-paste the bunch of these commands from Excel to the PS console to reset the passwords. I then send out the credential note to the end-user and dispose of the Excel sheet used or replace the passwords with `*`s. The solution you provided ensures better security! I will implement this going forward. – Karthick Ganesan Jun 27 '20 at 12:51
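The bulk workflow in the comment above, written so that no clear-text password ever appears on the command line or in the pipeline output, as an added example that is not the answer's or the question's code. It keeps to the answer's rule (Set-ADAccountPassword is only ever given a SecureString) and returns the same DPAPI-protected form that ConvertFrom-SecureString produces in the answer, so a later delivery step run by the same user can decrypt it. The function names New-RandomSecurePassword and Reset-AccountPasswordSafely, the CSV of identities and the character set are assumptions made for this example; the AD module is only needed when -WhatIf is dropped.

```powershell
# Added example, not code from the question or the answer.
# Bulk password reset where no clear-text password appears on the command line,
# on the host, or in the pipeline output, so Start-Transcript has nothing
# sensitive to capture. Assumed names: New-RandomSecurePassword,
# Reset-AccountPasswordSafely and the constructed CSV below.

function New-RandomSecurePassword {
    # Builds the password straight into a SecureString from a cryptographic RNG,
    # one character at a time, so the full value never exists as a plain string.
    param([int]$Length = 16)
    # Assumed character set; ambiguous glyphs (0/O, 1/l/I) are left out.
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+')
    $secure = [System.Security.SecureString]::new()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound: avoids modulo bias
    $one = [byte[]]::new(1)
    while ($secure.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { $secure.AppendChar($alphabet[$one[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $secure.MakeReadOnly()
    return $secure
}

function Reset-AccountPasswordSafely {
    # Resets each account and emits only the identity, the outcome and the
    # DPAPI-protected form of the new password (as produced by
    # ConvertFrom-SecureString in the answer). The protected string is usable
    # only by the same user, in practice on the same computer; the clear text
    # is never written to the pipeline or the host.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity,
        [int]$Length = 16
    )
    process {
        $newPassword = New-RandomSecurePassword -Length $Length
        if ($PSCmdlet.ShouldProcess($Identity, 'Reset password')) {
            try {
                Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPassword -ErrorAction Stop
                [pscustomobject]@{
                    Identity  = $Identity
                    Status    = 'Reset'
                    Protected = ($newPassword | ConvertFrom-SecureString)
                }
            } catch {
                [pscustomobject]@{
                    Identity  = $Identity
                    Status    = "Failed: $($_.Exception.Message)"
                    Protected = $null
                }
            }
        }
    }
}

# Constructed input: the identities that would otherwise sit in an Excel column.
$accounts = @'
Identity
elisada
jdoe
'@ | ConvertFrom-Csv

# -WhatIf shows which accounts would be reset without touching AD; remove it
# (with the ActiveDirectory module loaded) to perform the resets.
$accounts.Identity | Reset-AccountPasswordSafely -WhatIf

# For a single interactive reset, Read-Host -AsSecureString masks the typed
# characters, so neither the console nor the transcript sees the clear text:
# Set-ADAccountPassword -Identity elisada -Reset -NewPassword (Read-Host -Prompt 'New password' -AsSecureString)
```

The only thing that reaches the transcript from a run is the identity, the status and the protected string; to hand the password to the end user, the same account decrypts the `Protected` value with `ConvertTo-SecureString` (without `-AsPlainText`), exactly as the answer shows for `$NewPassword`, at the point of delivery rather than in the reset script.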