Multiple passwords with DSC

This topic contains 3 replies, has 3 voices, and was last updated by robert johansson 1 month, 2 weeks ago.

  • #61738
    Chris Liquori
    Participant

    Hello,

    I am creating a DSC to restore custom Windows Services for our environment. Each service uses a different domain account to start the service. How can I store the account information without having to type in the passwords each time I re-create the mof file? I am using a psd1 for the data of each service except the credential field.

    Thanks for your help in advance.

    Chris

  • #61963
    Don Jones
    Keymaster

    Storing passwords in MOFs is a little complicated, and requires you to have digital certificates (which must have a specific use-case flag in them). The certificate (with private key) must be deployed to the target node, and a copy of the certificate (without the private key) must be on whatever machine you're using to generate MOFs. We cover this in "The DSC Book," and you can also look at https://msdn.microsoft.com/en-us/powershell/dsc/securemof.

    This would still normally require you to type the passwords when you physically create the MOF. There isn't, at present, a way around that, short of storing your passwords in clear text (which is obviously not a bright idea). You could probably get around it by perhaps storing this information in a secured, encrypted SQL Server database (for example), which you'd query during MOF creation to create PSCredential objects. I've never tried that.
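
Added example, not part of the original post or of any project mentioned in this thread: compiling a certificate-encrypted MOF for several services, with each PSCredential read from a store at compile time instead of being typed. The store here is a swapped-in technique (one `Export-Clixml` file per account, protected by DPAPI for the compiling user on that machine) standing in for the secured database the post suggests; `Get-ServiceCredential`, the node name, paths, thumbprint placeholder and account names are assumptions.

```powershell
# Added example: node name, paths, thumbprint and service accounts are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'SERVER01'
            # Public certificate (no private key) on the machine that compiles the MOF
            CertificateFile = 'C:\DscCerts\SERVER01.cer'
            # Thumbprint of the matching certificate whose private key is on the node
            Thumbprint      = '<NODE-CERT-THUMBPRINT>'
            PSDscAllowPlainTextPassword = $false   # never fall back to clear text
            Services = @(
                @{ Name = 'CustomSvcA'; Account = 'CONTOSO\svc-a' }
                @{ Name = 'CustomSvcB'; Account = 'CONTOSO\svc-b' }
            )
        }
    )
}

# Hypothetical helper: returns the stored PSCredential for one account.
# Each file was created once with:  Get-Credential | Export-Clixml <file>
# On Windows the password in that file decrypts only for the same user on the
# same machine, so run the compile under the account that created the files.
function Get-ServiceCredential {
    param([Parameter(Mandatory)][string]$Account)
    $file = Join-Path 'C:\DscCreds' (($Account -replace '[\\/]', '_') + '.xml')
    $cred = Import-Clixml -Path $file
    if ($cred -isnot [pscredential] -or $cred.UserName -ne $Account) {
        throw "Stored credential in $file does not match $Account"
    }
    $cred
}

Configuration RestoreServices {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        # Tells the node's LCM which certificate decrypts the credentials
        LocalConfigurationManager { CertificateID = $Node.Thumbprint }
        foreach ($svc in $Node.Services) {
            Service $svc.Name {
                Name        = $svc.Name
                Credential  = Get-ServiceCredential -Account $svc.Account
                StartupType = 'Automatic'
                State       = 'Running'
            }
        }
    }
}

RestoreServices -ConfigurationData $ConfigData -OutputPath 'C:\DscMofs'
```

The `Services` list can live in the same psd1 as the rest of the node data; only the account name is stored there, and the generated MOF carries the passwords encrypted to the node's certificate.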

  • #62347
    Chris Liquori
    Participant

    Hey Don,

    Thanks for the response. A secured database is a good idea, and I'm going to purchase the DSC book for reference on secured MOFs.

    Thanks again.

    Chris

  • #63636
    robert johansson
    Participant

    Poor man's credential store:
    PoShKeePass

    PoShKeePass is a PowerShell module that combines the ease of the PowerShell cli and the extensibility of the KeePassLib API to provide a powerful and easy to use management and automating platform for KeePass databases.

    https://github.com/PSKeePass/PoShKeePass
