Author Posts

January 11, 2017 at 7:14 pm

Hello,

I am creating a DSC to restore custom Windows Services for our environment. Each service uses a different domain account to start the service. How can I store the account information without having to type in the passwords each time I re-create the mof file? I am using a psd1 for the data of each service except the credential field.

Thanks for your help in advance.

Chris

January 14, 2017 at 7:10 pm

Storing passwords in MOFs is a little complicated, and requires you to have digital certificates (which must have a specific use-case flag in them). The certificate (with private key) must be deployed to the target node, and a copy of the certificate (without the private key) must be on whatever machine you're using to generate MOFs. We cover this in "The DSC Book," and you can also look at https://msdn.microsoft.com/en-us/powershell/dsc/securemof.

This would still normally require you to type the passwords when you physically create the MOF. There isn't, at present, a way around that, short of storing your passwords in clear text (which is obviously not a bright idea). You could probably get around in by perhaps storing this information in a secured, encrypted SQL Server database (for example), which you'd query during MOF creation to create PSCredential objects. I've never tried that.

January 21, 2017 at 2:03 pm

Hey Don,

Thanks for the response. A secured database is a good idea, and going to purchase the DSC book for reference on secured MOFs.

Thanks again.

Chris

February 6, 2017 at 5:10 pm

Poor man's credential store:
PoShKeePass

PoShKeePass is a PowerShell module that combines the ease of the PowerShell cli and the extensibility of the KeePassLib API to provide a powerful and easy to use management and automating platform for KeePass databases.

https://github.com/PSKeePass/PoShKeePass