
September 5, 2018 at 1:02 pm

Hi

I want to create a script for terminal users (Citrix XenApp) that will allow a normal user to close open IE on multiple terminal servers. I created a script that is doing just that, but the problem is, it works only on the user which generated the security string. So I changed the security token to the password in plain text, but the code stopped working. It is showing all processes but is now getting the user session ID. Do you have any suggestions? Here is the code:


$Username = "usernamewithadminrights"
$Password = 'password' | ConvertTo-SecureString -AsPlainText -Force   # password sits in the script in plain text
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $Username, $Password

$Servers = 'servername'
$User = 'username'   # the terminal user whose IE windows should be closed (was never defined before being passed)

Invoke-Command -ComputerName $Servers -Credential $MyCredential -ArgumentList $User -ScriptBlock {
    param($User)
    # Session IDs of every process running as the target user.
    # -IncludeUserName reports DOMAIN\user, so match on the trailing "\user" (string -contains never matched).
    $SID = (Get-Process -IncludeUserName | Where-Object { $_.UserName -like "*\$User" } |
        Sort-Object SessionId -Unique).SessionId
    # Stop IE only inside that user's session(s); $SID may hold several IDs, so use -contains rather than -like.
    Get-Process *iexplo* | Where-Object { $SID -contains $_.SessionId } | Stop-Process
}

September 5, 2018 at 3:04 pm

If it worked the first time, you can use a keyfile to store your password with encryption so it isn't readable from the PS file.

I use this method to create that file:


# 1. Create the AES key once and save it (each byte is written as one line)
$KeyFile = 'C:\Scripts\SystonyAES.key'
$Key = New-Object -TypeName Byte[] -ArgumentList 32   # You can use 16, 24, or 32 for SystonyAES
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
$Key | Out-File -FilePath $KeyFile

# 2. Encrypt the password with that key and save the encrypted string
$SystonyPasswordFile = 'C:\Scripts\SystonyPassword.txt'
$KeyFile = 'C:\Scripts\SystonyAES.key'
$Key = Get-Content -Path $KeyFile   # string lines are coerced back to Byte[] by the -Key parameter
$SystonyPassword = 'password' | ConvertTo-SecureString -AsPlainText -Force
$SystonyPassword | ConvertFrom-SecureString -Key $Key | Out-File -FilePath $SystonyPasswordFile

# 3. In the script, rebuild the credential from the key file and the encrypted password
$User = 'username'
$SystonyPasswordFile = 'C:\Scripts\SystonyPassword.txt'
$KeyFile = 'C:\Scripts\SystonyAES.key'
$Key = Get-Content -Path $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $User, (Get-Content -Path $SystonyPasswordFile | ConvertTo-SecureString -Key $Key)


and see if this works.

September 5, 2018 at 4:04 pm

It's very bad risk management practice to embed plain text passwords in script files. You should always prompt for them. You can then store them in a secure file, Windows Credential Manager or PS JEA to do this more securely.

As for ...

 I created a script that is doing just that, but the problem is, it works only on the user which generated the security string

This is by design. Any script or cannot natively get the currently logged-on user's full credentials and run with them; imagine the security risk of that. The user must specifically supply those.

Resources:

http://powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk

Working with Passwords, Secure Strings and Credentials in Windows PowerShell
https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

https://www.powershellgallery.com/packages/CredentialManager/1.0

PowerShell Credentials Manager
CredMan.ps1 is a PowerShell script that provides access to the Win32 Credential Manager API used for management of stored credentials.
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde

Using saved credentials securely in PowerShell scripts

How to secure your passwords with PowerShell

https://blogs.technet.microsoft.com/ashleymcglone/2016/11/30/how-to-run-a-powershell-script-against-multiple-active-directory-domains-with-different-credentials
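Putting the advice in this thread together (prompt for the credential once, keep it in a DPAPI-protected file rather than a plain-text password or an AES key lying next to the ciphertext, and pass the target user into the remote script block) as an added example that is not code from any of the posts above; the server names, file path and target account are constructed placeholders, and `Get-Process -IncludeUserName` needs PowerShell 4.0 or later running with admin rights on the servers.

```powershell
# Added example, not from the thread. Hypothetical values: $Servers, $TargetUser, $CredFile.
$CredFile   = Join-Path $env:USERPROFILE 'ie-cleanup.cred.xml'
$Servers    = 'tsrv01', 'tsrv02'        # constructed sample terminal servers
$TargetUser = 'CONTOSO\jdoe'            # constructed sample account whose IE should be closed

if (-not (Test-Path $CredFile)) {
    # Prompt interactively; the password never appears in the script file.
    Get-Credential -Message 'Account with admin rights on the terminal servers' |
        Export-Clixml -Path $CredFile
}
# Export-Clixml protects the SecureString with DPAPI: the file can only be decrypted by
# the same Windows account on the same machine. That is also why a ConvertFrom-SecureString
# blob made without -Key "works only for the user who generated it".
$Cred = Import-Clixml -Path $CredFile

$Results = Invoke-Command -ComputerName $Servers -Credential $Cred -ScriptBlock {
    param([string]$User)
    # Collect the session IDs of every process the target user owns on this host.
    $Sessions = Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $_.UserName -eq $User } |
        Select-Object -ExpandProperty SessionId -Unique
    if (-not $Sessions) {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; Killed = 0; Note = 'user not logged on' }
    }
    # Only IE processes inside that user's session(s); other users' IE is left alone.
    $Targets = Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $Sessions -contains $_.SessionId }
    $Targets | Stop-Process -Force
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Killed = @($Targets).Count; Note = '' }
} -ArgumentList $TargetUser

# One row per server so the operator can see where something was closed.
$Results | Format-Table Server, Killed, Note
```

If the script must run unattended under a service account, create the XML file while logged on as that account on the machine that will run it, since DPAPI ties the file to that user and host.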