
I am creating a PowerShell script that a user can just run to edit an entry in registry. My problem is that I cannot figure out how to store local admin username and password in the same script so that the user can just double click the script and run it without having to enter username and password manually.

Here is my code:

$username = "testpc\administrator"

# Get-Content returns a plain [string]; PSCredential needs a [SecureString] for the password.
$pasword = get-content C:\Users\test1\documents\testpassword.txt

# Note the variable name: it is $pasword above but $password here, so $password is $null.
$credential = new-object -typename system.management.automation.pscredential -argumentlist $username, $password


This does not work at all. Please let me know what I am doing wrong here.

  • Are you trying to keep the credentials secure? if so then going this way will not work. Are you ok with the user seeing the username and password? – ArcSet Aug 19 '19 at 21:00
  • Double-clicking to run a script is not recommended for security reasons: [Is there a way to make a PowerShell script work by double clicking a .ps1 file?](https://stackoverflow.com/questions/10137146/is-there-a-way-to-make-a-powershell-script-work-by-double-clicking-a-ps1-file) – techguy1029 Aug 19 '19 at 21:03
  • No, the credentials don't have to be secured since this is for testing only. – THE COMPTGUY Aug 20 '19 at 12:46

2 Answers


Usually I'd ask for an error, but in this case I'll advise differently, just because your approach isn't acceptable.

  1. Don't store passwords unencrypted in a script. Never.
  2. Don't store passwords encrypted in scripts which are meant to be read by someone else, especially not a user with fewer privileges. Never!
  3. Go figure out other ways to solve your problem. Always!

In this case I see two solutions with the given information:

  1. Change the ACL for the registry key that needs to be changed by the user.
  2. Create a scheduled task which runs as SYSTEM. Make sure the user cannot edit the script.
vrdse
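The first option above (grant the user write access to just that key) as an added example; this is not code from the answer. The key path HKLM:\SOFTWARE\ExampleApp and the account testpc\test1 are assumptions standing in for the real ones. It is run once from an elevated prompt; afterwards the user's own script needs no credentials at all, because the key itself permits the write.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Placeholder names are marked as assumptions.
$keyPath  = 'HKLM:\SOFTWARE\ExampleApp'   # assumption: the key the user's script edits
$identity = 'testpc\test1'                # assumption: the standard user account

# Create the key if it does not exist yet, so the ACE has something to attach to.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# ReadKey covers QueryValues/EnumerateSubKeys/Notify/ReadPermissions; SetValue adds the
# one write right the script needs. Deliberately not FullControl and not WriteDacl,
# so the user cannot widen their own access later.
$rights = [System.Security.AccessControl.RegistryRights] 'ReadKey, SetValue'
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
    $identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Check: show only the entry just added, so any unexpected change stands out.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited

# What the user's script becomes (run as the user, no PSCredential anywhere):
#   Set-ItemProperty -Path 'HKLM:\SOFTWARE\ExampleApp' -Name 'Setting' -Value 1
```

Keep the grant on the narrowest key possible: ContainerInherit makes the ACE flow to subkeys of that key only, and granting it on a parent such as HKLM:\SOFTWARE would hand the user write access to every application underneath.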

Actually @vrdse is right. You can create the script with the KEY as a parameter and:

  1. Create a scheduled job with the credentials of your user and add the script as a task.

  2. Give the user the right to execute the job but NOT to edit or delete it.

  3. Give the user a shortcut to the scheduled job (or a runner script) and write a how-to document showing him/her how the parameter should be used.

I use clear text passwords as temporary testing stuff to make sure users CANNOT use my script (so it is exactly the opposite of your action).

You can capture the credential during execution:

# Prompt at run time; nothing is written to disk.
$cred = Get-Credential -Message 'This script needs a real admin user'
Enter-PSSession -Credential $cred -ComputerName 127.0.0.127

You can build a credential (do not store privileged user data):

# Only acceptable for a low-privileged account whose password is not a secret.
$user = 'SuchAGreatDomainName\IAmLowPrivilegedUserName'
$Password = 'SuperSecretPassEverybodyKnows'
# PSCredential needs a SecureString; -AsPlainText -Force converts the literal.
$secpassword = ConvertTo-SecureString $Password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($user, $secpassword)
# $Uri is whatever endpoint the script targets; it is not defined here.
Invoke-RestMethod -Uri $Uri -Credential $credential
TudorIftimie
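The scheduled-task approach that both answers describe (a task running as SYSTEM, a script the user cannot edit, and a user who may start the task but not change it), as one added example that belongs to neither answer. The task name EditExampleKey, the script path under C:\ProgramData, the key HKLM:\SOFTWARE\ExampleApp and the account testpc\test1 are assumptions. It departs from the "KEY as parameter" idea above on purpose: Start-ScheduledTask takes no arguments, so the values are fixed in the task action, which also means the user cannot redirect the SYSTEM-level write to a key of their choosing. The SDDL used for the task ACL is an assumption too; it is set through the Schedule.Service COM API because the ScheduledTasks cmdlets do not expose task permissions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from either answer. One-time setup from an elevated prompt.
$taskName   = 'EditExampleKey'                          # assumption
$scriptPath = 'C:\ProgramData\ExampleTask\EditKey.ps1'  # assumption
$user       = 'testpc\test1'                            # assumption: the standard user

# 1. The privileged script. It writes one fixed key; no credentials appear anywhere.
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
@'
param(
    [Parameter(Mandatory)] [string] $Name,
    [Parameter(Mandatory)] [string] $Value
)
# The key path is hard-coded: whoever starts the task cannot choose it.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\ExampleApp' -Name $Name -Value $Value
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# 2. Lock the script down. If the user could edit this file, SYSTEM would run
#    whatever they put in it, which is worse than the original plaintext password.
icacls $scriptPath /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' "${user}:(RX)" | Out-Null

# 3. Register the task as SYSTEM. The parameters are fixed in the action.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -Name Setting -Value 1"
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null

# 4. Let the user start, but not edit or delete, the task.
#    Assumption: GR (generic read) + GX (generic execute) is sufficient to view and run it;
#    full access stays with Administrators (BA) and SYSTEM (SY).
$sid  = (New-Object System.Security.Principal.NTAccount($user)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;GRGX;;;$sid)"
$svc  = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$svc.GetFolder('\').GetTask($taskName).SetSecurityDescriptor($sddl, 0)

# Check from the admin side that the task and the script ACL look as intended.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State, @{n='RunAs'; e={ $_.Principal.UserId }}
icacls $scriptPath

# The user then runs it with no credentials at all (this is the "runner" from the answer):
#   Start-ScheduledTask -TaskName EditExampleKey
```

Two checks worth doing as the standard user afterwards: confirm that Start-ScheduledTask succeeds and the registry value changes, and confirm that Set-Content against the script path and Unregister-ScheduledTask against the task are both denied. If either of those succeeds, the setup has only moved the privilege escalation rather than removed it.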