Automate encrypting Password and changing it every month

This topic contains 2 replies, has 3 voices, and was last updated by Kiran P 4 months, 1 week ago.

  • #72728

    Amar Helloween
    Participant

    Hi,

    Is there any way to encrypt the password and change it at a regular interval, like 1 month, without manual effort, i.e. some sort of automation? The point is I don't want to keep the password or pass it anywhere, either in a text file or inside the script. I have tried Import-Clixml, Export-Clixml and PSCredential, but they require the password field to be given.

    It would be great if anyone can suggest/share the best password management tip.

  • #72740

    Sam Boutros
    Participant

    You can use the Get-SBCredential cmdlet of the SB-Tools module.
    On a machine with PS5 try:

    Install-Module SB-Tools -Force 
    Import-Module SB-Tools -DisableNameChecking
    help Get-SBCredential -Show
    

    So, in your script that needs credentials, you do something like:

    $Cred = Get-SBCredential -UserName 'domain\name'
    

    The first time it runs it will ask you for the password. In future times, it will read it from the encrypted file on disk. You can use that credential object throughout the script like:

    Get-ADUser -Identity sam1 -Credential $Cred


    You will have to have a calendar reminder to reset the pwd monthly, or use some other automation. To update the saved credential object, use the -Refresh switch of the Get-SBCredential cmdlet.
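Sam's answer describes a pattern rather than a script: prompt once, keep the secret DPAPI-encrypted on disk, read it on later runs, and force a new prompt with a -Refresh switch after the monthly reset. The function below is an added example that implements that same pattern with only built-in cmdlets (Export-Clixml / Import-Clixml); it is not code from the SB-Tools module and does not show how Get-SBCredential works internally. The function name Get-CachedCredential, the cache directory under $env:LOCALAPPDATA and the -Refresh parameter are assumptions chosen for the example.

```powershell
function Get-CachedCredential {
    # Added example, not part of SB-Tools. Prompts once, caches the credential
    # DPAPI-encrypted (Export-Clixml), and reuses it until -Refresh is given.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserName,

        # Hypothetical cache location; one file per user name
        [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'CredCache'),

        # Ignore the cached file and ask for the password again (e.g. after a reset)
        [switch]$Refresh
    )

    if (-not (Test-Path -Path $CachePath)) {
        New-Item -Path $CachePath -ItemType Directory -Force | Out-Null
    }
    # Turn 'domain\name' into a safe file name
    $safeName = $UserName -replace '[\\/:*?"<>|]', '_'
    $file     = Join-Path $CachePath "$safeName.cred.xml"

    if (-not $Refresh -and (Test-Path -Path $file)) {
        try {
            $cred = Import-Clixml -Path $file
            if ($cred -is [pscredential] -and $cred.UserName -eq $UserName) {
                Write-Verbose "Using cached credential from $file"
                return $cred
            }
            Write-Warning "'$file' does not hold a credential for $UserName; prompting again."
        }
        catch {
            # Export-Clixml protects the password with DPAPI, so a file copied from
            # another machine, or written by another user, fails to decrypt here.
            Write-Warning "Could not decrypt '$file' ($($_.Exception.Message)); prompting again."
        }
    }

    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    if ($null -eq $cred) { throw "No credential entered for $UserName." }

    # Password is stored DPAPI-encrypted under the current user profile (no -Key)
    $cred | Export-Clixml -Path $file -Force

    # Defence in depth: only the owning user may read the cache file
    $principal = "$env:USERDOMAIN\$env:USERNAME"
    icacls.exe $file /inheritance:r /grant:r "${principal}:(F)" | Out-Null

    return $cred
}

# Typical use in a script: the first run prompts, later runs read the cache.
# $Cred = Get-CachedCredential -UserName 'domain\name' -Verbose
# After the monthly password reset, refresh the cache once:
# $Cred = Get-CachedCredential -UserName 'domain\name' -Refresh
# Get-ADUser -Identity sam1 -Credential $Cred
```

Two points worth checking before relying on this: the scheduled task or script that reads the cache must run as the same Windows account on the same machine that wrote it, otherwise Import-Clixml fails and the function falls back to prompting (which hangs a non-interactive task); and the cache is only as protected as that user profile, since anything running as that user can decrypt it.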

  • #72845

    Kiran P
    Participant

    Hi Amar,

    Hope the script below will help you...
    Note: the password in the script below, which is converted to/from a secure string, can only be handled on the same machine; it will not work if you copy the file to any other machine or use it as any other user.

    function Schedule-PasswordChange {
        Param (
            [Parameter(Mandatory=$true)]
            [String]$Username
        )
        # Declare local variables
        $PwdFileLocation        = (New-Item -Path $env:LOCALAPPDATA -Name Include -ItemType Directory -Force).FullName
        $GeneratePwdFileName    = 'New-SWRandomPassword.ps1'
        $GeneratePwdFile        = "$PwdFileLocation\$GeneratePwdFileName"
        $PasswordFileName       = 'password'    # Extension may not be required
        $PasswordFile           = "$PwdFileLocation\$PasswordFileName"
        $OldPassword            = ''
        $NewPassword            = ''

        # Download the random password generator function from the Microsoft Script Center if it is not available locally
        # (Url: https://gallery.technet.microsoft.com/scriptcenter/Generate-a-random-and-5c879ed5)
        if (-not (Test-Path -Path $GeneratePwdFile)) {
            $Uri                        = 'https://gallery.technet.microsoft.com/scriptcenter/Generate-a-random-and-5c879ed5/file/95167/4/New-SWRandomPassword.ps1'
            $web                        = New-Object System.Net.WebClient
            #$web.UseDefaultCredentials  = $true             # This may not be required in your environment,
            #$web.Proxy.Credentials      = $web.Credentials  # unless there is a proxy client in your environment
            $web.DownloadString($Uri) | Out-File -FilePath $GeneratePwdFile -Force
        }

        # Dot source the function from the (downloaded) script 'New-SWRandomPassword.ps1'
        . $GeneratePwdFile          # provides the New-SWRandomPassword function

        # Generate the new password
        $NewPassword    = New-SWRandomPassword -MinPasswordLength 12

        # Get the old password from the file; if there is none, store it for the first time
        if (Test-Path -Path $PasswordFile) {
            # No -Key: ConvertTo-SecureString uses DPAPI, so this only works for the same user on the same machine
            $OldPassword = Get-Content -Path $PasswordFile | ConvertTo-SecureString
        } else {
            Write-Verbose 'Please set the password below for the first time...'
            Write-Verbose "Password: $NewPassword"
            $Yes    = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
            $No     = New-Object System.Management.Automation.Host.ChoiceDescription "&No",""
            $Choices= [System.Management.Automation.Host.ChoiceDescription[]]($Yes,$No)
            $Caption= 'Password Change'
            $Message= 'Did you update the password for the first time?'
            $Choice = $Host.UI.PromptForChoice($Caption,$Message,$Choices,0)
            if ($Choice -eq 0) {
                $NewPassword | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File -FilePath $PasswordFile -Force
                Write-Verbose 'Password updated successfully!'
            }
            # 'Break' outside a loop would also abort the calling script; 'return' only leaves the function
            return
        }

        # Convert new password from plain text to secure string
        $NewPassword = $NewPassword | ConvertTo-SecureString -AsPlainText -Force

        # Update password. (Write your own piece of code here, e.g. for Active Directory; -ErrorAction Stop makes a failed change stop the function)
        # Set-ADAccountPassword -Identity $Username -OldPassword $OldPassword -NewPassword $NewPassword -ErrorAction Stop

        # Once the account password has been changed, save the new one so the next run reads it as the old password
        $NewPassword | ConvertFrom-SecureString | Out-File -FilePath $PasswordFile -Force
        Write-Verbose "Password updated successfully!"
    }

    Schedule-PasswordChange -Username 'Domain\Username' -Verbose
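Kiran's script leaves two things to the reader: where the random password comes from (it downloads a script from the gallery at run time) and what happens when a step fails part-way. The function below is an added example, not Kiran's script and not code from any module, that keeps the same DPAPI file approach but generates the password locally with the .NET CSPRNG, refuses to continue when the stored file cannot be decrypted by the current user on the current machine (the limitation Kiran notes), and only overwrites the stored password after the caller-supplied change command has succeeded, keeping the previous blob as a fallback. The function name Invoke-PasswordRotation, the -ChangePassword scriptblock contract, the state file path and the character alphabet are assumptions of the example.

```powershell
function Invoke-PasswordRotation {
    # Added example; not Kiran's script. Rotates a stored password through a
    # caller-supplied change command and keeps the DPAPI state file consistent.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserName,

        # Hypothetical contract: receives (UserName, OldPassword, NewPassword), the
        # passwords as SecureStrings, and must throw if the change did not happen.
        [Parameter(Mandatory = $true)]
        [scriptblock]$ChangePassword,

        # Assumed location of the DPAPI-protected password (ConvertFrom-SecureString output)
        [string]$StateFile = (Join-Path $env:LOCALAPPDATA 'Rotation\password.dpapi'),

        [int]$Length = 20
    )

    # Local CSPRNG-based generator instead of downloading a script at run time.
    # Easily confused characters (0/O, 1/l/I) are left out of the alphabet.
    function New-RandomPassword([int]$Len) {
        $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+'.ToCharArray()
        $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $byte     = New-Object byte[] 1
        # Largest multiple of the alphabet size that fits in a byte; values at or
        # above it are rejected so every character is equally likely (no modulo bias)
        $limit    = 256 - (256 % $alphabet.Length)
        $chars    = for ($i = 0; $i -lt $Len; $i++) {
            do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
            $alphabet[$byte[0] % $alphabet.Length]
        }
        $rng.Dispose()
        -join $chars
    }

    $stateDir = Split-Path -Path $StateFile -Parent
    if (-not (Test-Path -Path $stateDir)) {
        New-Item -Path $stateDir -ItemType Directory -Force | Out-Null
    }

    if (-not (Test-Path -Path $StateFile)) {
        throw "No stored password at '$StateFile'. Seed it once, as the account that will run the rotation, with:`n  Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content -Path '$StateFile'"
    }
    try {
        # No -Key means DPAPI: only the same user on the same machine can decrypt this
        $old = (Get-Content -Path $StateFile -TotalCount 1) | ConvertTo-SecureString
    }
    catch {
        throw "Cannot decrypt '$StateFile' as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME. Was it created by another user or on another machine? ($($_.Exception.Message))"
    }

    $new = ConvertTo-SecureString -String (New-RandomPassword $Length) -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($UserName, 'Rotate password')) {
        # 1. Change the password on the account. If this throws, the function stops
        #    here and the state file still matches what the account expects.
        & $ChangePassword $UserName $old $new

        # 2. Keep the previous blob as a fallback, then persist the new password so
        #    the next run reads it as the old one.
        Copy-Item -Path $StateFile -Destination "$StateFile.prev" -Force
        $new | ConvertFrom-SecureString | Set-Content -Path $StateFile
        Write-Verbose "Rotated password for $UserName; new value stored in $StateFile"
    }
}

# Wiring for Active Directory (Set-ADAccountPassword is from the ActiveDirectory module):
# Invoke-PasswordRotation -UserName 'svc-report' -Verbose -ChangePassword {
#     param($User, $OldPwd, $NewPwd)
#     Set-ADAccountPassword -Identity $User -OldPassword $OldPwd -NewPassword $NewPwd -ErrorAction Stop
# }
```

Because the state file is DPAPI-protected, the scheduled task that runs this (for example one created with schtasks /Create /SC MONTHLY) has to run as the same Windows account that seeded the file, on the same machine; any other account gets the explicit "Cannot decrypt" error rather than a silently wrong old password. Run it with -WhatIf first to confirm the file and account resolve as expected without changing anything, and if the change command succeeds but the machine dies before step 2 completes, the .prev file plus the account's current password are the two values to reconcile by hand.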
    
