So I was wondering if this is possible. I am somewhat new to Powershell scripting and have pretty much made a script for every process in our setups and am looking to put them together to make them more automated. Right now I am looking to see if it would be possible to automatically sign in with a provided password (would use securestring and not a stored password) to a domain user account that was different than what was last signed in. If this is possible could you point me in the right direction, then I understand. Thanks!
-
Powershell Remoting (`help about_remoting`) or a real login? – T-Me Dec 27 '19 at 14:58
-
The scripts would be running on the local machines so I am believing the real login. Windows 10 machines – JuggeroniPizza Dec 27 '19 at 15:06
-
I think that is way harder to achieve (and maybe not even necessary). Place the script you want to execute in an easy-to-reach place (e.g. c:\temp) and open a PSSession or invoke it from there over PowerShell remoting (the help should explain both). It all depends on what you want to do though... Just executing more (PowerShell) scripts or stuff in the GUI? – T-Me Dec 27 '19 at 15:40
1 Answer
Check out this script from the Technet Gallery, Set-AutoLogon.ps1. Before you initiate the reboot, you'll want to set the login information for the user who should be logged into the workstation on the next boot. Do note that this will store your username and password in plaintext within the registry. This is not a shortcoming of the script, but is just how the functionality works within Windows.
The script works by setting three registry key properties to specific values (4 technically, but in your case you probably don't want to change the default number of logins from 1):
If you were doing this manually without `Set-AutoLogon.ps1`, under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, set (or create if missing) the following properties:

- `AutoAdminLogon`: `1` (String)
- `DefaultUsername`: `targetUserName` (String)
- `DefaultPassword`: `targetPassword` (String)
- `AutoLogonCount`: `1` (DWORD)

Like I said, note that the password is stored there in plaintext. That said, with each automatic logon (so each time the computer reboots), `AutoLogonCount` will decrement by 1. For example, if you set this to 5 it will count down from 5. Once this property reaches zero, `AutoLogonCount` and `DefaultPassword` are wiped from the registry and `AutoAdminLogon` is set back to 0.

-
Thanks, this should work. Changing those registry keys will be what I need then and I will be working on that. – JuggeroniPizza Dec 27 '19 at 16:13
-
If it works accept the answer by clicking the grey tick mark and up vote it by the up button, @juggerionpizza – Wasif Dec 27 '19 at 16:27
-
I can attest that at least those registry keys do what I said - I use this both on my personal game streaming server, and these are the keys VMware updates for the `x number of automatic logins` you can set in the customization spec. `Set-AutoLogon.ps1` looks correct to me but I haven't tested it myself. – codewario Dec 27 '19 at 16:52
-
This works with the password as a normal string. I am currently trying to use a securestring for the password and as one would expect the Registry doesn't like it as it's expecting a string. Any idea if this will work? I am using this for other scripts so if I can keep it, I would like to. `$passwd = Read-Host "Enter Administrator password" -AsSecureString` `$encpwd = ConvertFrom-SecureString $passwd` `$encpwd > password.bin` `$encpwd = Get-Content password.bin` `$passwd = ConvertTo-SecureString $encpwd` `$cred = new-object System.Management.Automation.PSCredential 'Admin',$passwd` – JuggeroniPizza Dec 30 '19 at 15:47
-
A `SecureString` won't work in this context. It's just how the feature works. I'd love to be proven wrong though. However, the risk is minimal if you are just setting the next boot credential followed by an immediate reboot, as on the next boot the credential will be wiped from the registry. – codewario Dec 30 '19 at 15:49
-
@BendertheGreatest I found this and am testing it now. It is showing plain text passwords in that and I am going to see if it will work with my script when I get another computer to setup which will be in about an hour. [link](https://stackoverflow.com/questions/15007104/how-can-i-use-powershells-read-host-function-to-accept-a-password-for-an-extern) – JuggeroniPizza Dec 30 '19 at 15:55
-
That is just showing how to read input from the keyboard as a secure string, and convert it to a plaintext string. You still have to store it plaintext in the registry for the automatic login to occur on the next *`x`* number of boots. – codewario Dec 30 '19 at 15:57
-
I've never tested it but it would be interesting to see if a `SecureString` created by the `SYSTEM` user, converted to an actual encrypted string (with `ConvertFrom-SecureString`) and used as the `targetPassword` would work if the default DPAPI behavior is relied on. – codewario Dec 30 '19 at 16:02
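
The registry procedure from the answer, combined with the `SecureString` prompt discussed in the comments, as an added example that is not part of the original thread or of `Set-AutoLogon.ps1`. The function names, the `CONTOSO\setupuser` account and the optional `DefaultDomainName` value (a Winlogon value the answer does not mention) are assumptions of this example; it must run elevated.

```powershell
# Added example (hypothetical helper names); run from an elevated session.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-OneTimeAutoLogon {
    param(
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $Domain                      # optional; written to DefaultDomainName
    )
    # Winlogon reads DefaultPassword as a plain string, so the SecureString must be
    # decrypted just before the write. ZeroFreeBSTR wipes the unmanaged copy; the
    # managed $plain string remains in memory until it is garbage collected.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon  -Value '1'       -Type String
        Set-ItemProperty -Path $WinlogonKey -Name DefaultUsername -Value $UserName -Type String
        Set-ItemProperty -Path $WinlogonKey -Name DefaultPassword -Value $plain    -Type String
        # A count of 1 means the values are wiped after the next automatic logon.
        Set-ItemProperty -Path $WinlogonKey -Name AutoLogonCount  -Value 1         -Type DWord
        if ($Domain) {
            Set-ItemProperty -Path $WinlogonKey -Name DefaultDomainName -Value $Domain -Type String
        }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

function Clear-AutoLogon {
    # Run as the last step of the setup script (or from an audit) so that no plaintext
    # credential lingers if the countdown never reached zero, e.g. the reboot was skipped.
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword, AutoLogonCount `
        -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
    $left = Get-ItemProperty -Path $WinlogonKey
    # $true when no DefaultPassword value remains under the Winlogon key.
    -not ($left.PSObject.Properties.Name -contains 'DefaultPassword')
}

# Usage (constructed account name), followed by an immediate reboot:
#   $pw = Read-Host 'Password for CONTOSO\setupuser' -AsSecureString
#   Set-OneTimeAutoLogon -UserName 'setupuser' -Domain 'CONTOSO' -Password $pw
#   Restart-Computer
# After the automated logon has done its work:
#   Clear-AutoLogon
```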