Saving Credentials in Register

Er worden regelmatig scripts gemaakt waar een stuk authenticatie in moet, omdat er verbonden moet worden met online of on-prem mailservers. Omdat ik niet wil dat de gebruikersnamen en wachtwoorden zichtbaar in het script staan, heb ik gekozen om een stuk script van iemand anders te bewerken voor mijn doeleinden.

Met dit script kan je encrypted accounts opslaan in het register, die later in een script opgeroepen kunnen worden.

Lees meer voor het PS Script

 

<#
.SYNOPSIS
Stores, reads or replaces credentials kept in the Windows registry.
.PARAMETER AccountType
Service: entries under HKLM (machine-wide, protected with DPAPI LocalMachine scope).
Personal: entries under HKCU (per user, protected with the user's DPAPI key).
.PARAMETER CredType
Which stored entry Read or Edit operate on. When omitted and -Action is not New,
the script asks for it interactively.
.PARAMETER Action
Read returns a PSCredential built from the stored entry, New stores a new entry,
Edit replaces an existing one.
.PARAMETER NoChecking
Skip validating the credentials against the domain for Read and Edit.
#>
param (
  [parameter(Mandatory=$true)]
  [ValidateSet("Personal","Service")]
  [string]$AccountType,

  [ValidateSet("OnPrem","O365","SE","SMTP","ScheduledTasks","TopDesk")]
  [string]$CredType,

  [parameter(Mandatory=$true)]
  [ValidateSet("Read","New","Edit")]
  [string]$Action,

  [switch]$NoChecking
)
## Map the account type to the registry key holding its credentials:
## Service entries are machine-wide (HKLM), Personal entries per user (HKCU).
## Hashtable keys are case-insensitive, like the switch this replaces.
$RegPathByAccountType = @{
Service = "HKLM:\Software\SC\ServiceCredentials"
Personal = "HKCU:\Software\SC\ExchangeBeheer"
}
$RegPath = $RegPathByAccountType[$AccountType]
## System.Security provides System.Security.Cryptography.ProtectedData (DPAPI),
## which the Service branches below use to protect and unprotect passwords.
Add-Type -AssemblyName System.Security
## LAPS module (Local Administrator Password Solution)
## NOTE(review): no cmdlet from this module is called anywhere in this script;
## the Install-Module below pulls it from the configured repository with
## -Force/-AllowClobber on first run. Confirm it is still needed before keeping it.
$LapsModule = "AdmPwd.PS"
if (-not (Get-Module -Name $LapsModule -ListAvailable)){
Write-Host "The AdmPwd.PS module is not yet installed, installing..." -f yellow
Install-Module -Name $LapsModule -AllowClobber -Force
} #end if
Write-Host "Loading the AdmPwd.PS Module..." -f Green
Import-Module $LapsModule -global

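Write-host -ForegroundColor yellow "Creating Regkey folders"

## $RegPath was derived from $AccountType above, so the same key is created
## here without repeating the literal paths. -Force creates the missing parent
## key (HKLM:\Software\SC or HKCU:\Software\SC) in the same call, and the
## Test-Path guard keeps a second run from emitting "key already exists" errors
## and from echoing the key object to the pipeline.
## NOTE(review): HKLM\Software is readable by all local users by default, and the
## Service values stored below are DPAPI LocalMachine scope (decryptable by any
## local process); restricting the ACL on the Service key is worth considering.
if (-not (Test-Path -LiteralPath $RegPath)){
New-Item -Path $RegPath -Force | Out-Null
} #end if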


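## Read and Edit look the stored entry up by $CredType; New asks for a free-form
## name instead, so the menu is only shown when $CredType is missing for Read/Edit.
if ((!$CredType) -and !($Action -eq "New")){ ## Set the credential type
write-host "For which service are the credentials?" -f yellow
write-host "1) On Premise credentials (OnPrem)" -f green
write-host "2) Office 365 credentials (O365)" -f green
write-host "3) SC SE credentials (SE)" -f green
write-host "4) Service account Scheduled Tasks" -f green
write-host "5) Service account SMTP" -f green
write-host "6) Service account TopDesk" -f green
write-host "Please provide your choice: " -f yellow -n; $choice = read-host
switch ($choice){
1 {$CredType = "OnPrem"}
2 {$CredType = "O365"}
3 {$CredType = "SE"}
4 {$CredType = "ScheduledTasks"}
5 {$CredType = "SMTP"}
6 {$CredType = "TopDesk"}
## Any other input used to leave $CredType empty, so the Read/Edit branches
## later failed on registry values literally named "User"/"_USR"; stop here
## with a message that names the actual problem instead.
default {throw "Invalid choice '$choice'; expected a number from 1 to 6."}
} #end switch
} #end if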

## Dispatch on -Action. Read builds a PSCredential from the stored entry (checked
## against the domain unless -NoChecking), New stores a new entry, Edit replaces
## an existing one. Read/Edit key the registry values on $CredType; New uses a
## name asked for interactively.
switch ($Action){
Read { #Read credentials from the registry
switch ($AccountType){
Personal {
## Personal entries were written with ConvertFrom-SecureString (no -Key), i.e.
## DPAPI bound to the writing user: only that account, on this machine, can
## convert them back.
$ReadCredUserName = (Get-ItemProperty -Path $RegPath -Name ($CredType + "User")).($CredType + "User")
$ReadCredPassword = (Get-ItemProperty -Path $RegPath -Name ($CredType + "Password")).($CredType + "Password")| ConvertTo-SecureString
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ReadCredUserName, $ReadCredPassword
} #end personal
Service {
## Service entries are DPAPI LocalMachine scope with no extra entropy ($null):
## any process on this machine, under any account, can Unprotect them. Read
## access to the registry key is therefore the only control on these passwords.
$UserFromRegistry = (Get-ItemProperty -Path $RegPath -Name ($CredType + "_USR")).($CredType + "_USR")
$EncryptedPW = (Get-ItemProperty -Path $RegPath -Name ($CredType + "_PW")).($CredType + "_PW")
$SecureStr = [System.Convert]::FromBase64String($EncryptedPW)
$StringBytes = [Security.Cryptography.ProtectedData]::Unprotect($SecureStr, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
## The clear-text password sits in this managed string until the GC reclaims it.
$DecryptedPW = [System.Text.Encoding]::Unicode.GetString($StringBytes)
## PSCredential's PSObject constructor takes UserName/Password from the object's
## properties; [0] unwraps the SecureString from ConvertTo-SecureString's output.
$Credentials = New-Object PSCredential -ArgumentList ([pscustomobject] @{UserName = $UserFromRegistry; Password = (ConvertTo-SecureString -AsPlainText -Force -String $DecryptedPW)[0]})
} #end service
} #end switch

if ($NoChecking){return $Credentials}
else { # Check the validity of the credentials
## Domain is taken from the stored user name (DOMAIN\user form); for a bare user
## name it is empty, and PrincipalContext presumably falls back to the current
## domain — TODO confirm.
[String]$Domain = $Credentials.GetNetworkCredential().Domain
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") | Out-Null
$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
## ValidateCredentials performs a logon attempt against the domain with the
## stored password; a failure here means the stored entry is stale or wrong.
$CheckResult = Write-Output -InputObject $($principalContext.ValidateCredentials($Credentials.UserName, ($Credentials.GetNetworkCredential().Password)))
if ($CheckResult -eq $true){return $Credentials}
## NOTE(review): SubCredEdit is not defined anywhere in this script, so a failed
## check ends in a "not recognized" error on the next line unless a sourced
## module or profile provides it — confirm, or re-run with -Action Edit instead.
else {write-host "Credentials are not correct" -f red; SubCredEdit $RegPath $CredType $AccountType} #end else
} #end else
} #end Read action
New { #Write credentials to the registry
## NOTE(review): this name is free text, while Read and Edit look entries up by
## $CredType, which ValidateSet limits to the six names in the param block; an
## entry stored under any other name cannot be read back by this script.
write-host "Please provide a short name for the credentials: " -f green -n; $CredentialName = Read-Host
## Request the credentials
$Credential = Get-Credential -Message "Enter your credentials to be stored under the name $CredentialName in the registry"
write-host "Storing credentials in the registry..." -f cyan
switch ($AccountType){
Personal { #Store the password in the registry encrypted with the user key
## Only the first write has -ErrorAction Stop; if one of the later
## New-ItemProperty calls fails (e.g. the value already exists) the script
## continues and leaves a partial entry behind.
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "User") -Value $Credential.Username -ea stop | out-null
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "Password") -Value ($Credential.Password | ConvertFrom-SecureString) | out-null
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "InitialDate") -Value (Get-Date -Format g) | out-null
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "EditDate") -Value (Get-Date -Format g) | out-null
} #end personal
Service { #Store the password in the registry encrypted with the machine key
## GetNetworkCredential().password is already clear text; the SecureString ->
## BSTR -> string round trip below yields the same value, and the BSTR is never
## released with ZeroFreeBSTR, so the password also lingers in unmanaged memory.
$GetPasswd = $Credential.GetNetworkCredential().password | ConvertTo-SecureString -AsPlainText -Force
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($GetPasswd)
$Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$PasswordBytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
## LocalMachine scope with no entropy: decryptable by any local process (see Read).
$SecurePassword = [Security.Cryptography.ProtectedData]::Protect($PasswordBytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$SecurePasswordStr = [System.Convert]::ToBase64String($SecurePassword)
## As in the Personal branch, only the first write stops on error.
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_USR") -Value $Credential.Username -ea stop | out-null
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_PW") -Value $SecurePasswordStr | out-null
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_InitialDate") -Value (Get-Date -Format g) | out-null
New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_EditDate") -Value (Get-Date -Format g) | out-null
} #end service
} #end switch
} #end new
Edit { #Request the new credentials
## Prompt until the new credentials validate against the domain; with
## -NoChecking the check is skipped and the loop runs exactly once.
do {
$Credential = Get-Credential -Message "Enter the new credentials for $CredType management tasks"
#Check the credential validity
[String]$Domain = $Credential.GetNetworkCredential().Domain
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") | Out-Null
## Built even when -NoChecking is set, in which case it is never used.
$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
if ($NoChecking){$NewCredentialCheck = $true}
else {
$NewCredentialCheck = Write-Output -InputObject $($principalContext.ValidateCredentials($Credential.UserName, ($Credential.GetNetworkCredential().Password)))
if ($NewCredentialCheck -eq $false){write-host "The provided credentials are wrong, please try again." -f red}
} #end else
} #end do
until ($NewCredentialCheck -eq $true)
write-host "Storing credentials in the registry..." -f cyan
switch ($AccountType){
Personal { #Store the updated password in the registry encrypted with the user key
## InitialDate is left untouched on purpose; only EditDate moves.
Set-ItemProperty -Path $RegPath -Name ($CredType + "User") -Value $Credential.Username
Set-ItemProperty -Path $RegPath -Name ($CredType + "Password") -Value ($Credential.Password | ConvertFrom-SecureString)
Set-ItemProperty -Path $RegPath -Name ($CredType + "EditDate") -Value (Get-Date -Format g)
} #end personal
Service { #Store the updated password in the registry encrypted with the machine key
## Same clear-text round trip and unreleased BSTR as in the New branch.
$GetPasswd = $Credential.GetNetworkCredential().password | ConvertTo-SecureString -AsPlainText -Force
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($GetPasswd)
$Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$PasswordBytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
## LocalMachine scope with no entropy: decryptable by any local process (see Read).
$SecurePassword = [Security.Cryptography.ProtectedData]::Protect($PasswordBytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$SecurePasswordStr = [System.Convert]::ToBase64String($SecurePassword)
## Only the user-name write stops on error; the remaining writes continue on failure.
Set-ItemProperty -Path $RegPath -Name ($CredType + "_USR") -Value $Credential.Username -ea stop | out-null
Set-ItemProperty -Path $RegPath -Name ($CredType + "_PW") -Value $SecurePasswordStr | out-null
Set-ItemProperty -Path $RegPath -Name ($CredType + "_EditDate") -Value (Get-Date -Format g) | out-null
} #end service
} #end AccountType switch
} #end edit option
} #end Action switch