Pass credentials with AD cmdlets?

This topic contains 6 replies, has 3 voices, and was last updated by Jason Beckett 1 year, 2 months ago.

  • #31336
    Jason Beckett
    Participant

    I have a script that connects to Exchange Online PS, Exchange on-prem PS and AD. I store the credentials for Exchange Online and Exchange on-prem via password encrypted in an XML file.

    What I would like to be able to do is connect to AD in a similar fashion (i.e. Import-PSSession $exchonprem) in the script rather than relying on the credentials the scheduled task is running as.

    Any input on how I might accomplish this would be appreciated.
    Here's a sample of my script:

  • #31339
    Curtis Smith
    Participant

    Most, if not all, AD cmdlets support the -Credential parameter; you would just load your credential in a variable and then pass it to the cmdlet.

  • #31341
    Jason Beckett
    Participant

    Thank you Curtis. Is it necessary to then specify the credential parameter each time I call an AD cmdlet? I was hoping to do it similar to my Exchange PS sessions where I only have to send the credentials once.

  • #31343
    Peter Jurgens
    Participant

    Another option is to use the $PSDefaultParameterValues automatic variable to force every *-AD* cmdlet to use credentials where the credential parameter is available.

    $creds = Get-Credential
    $PSDefaultParameterValues = @{"*-AD*:Credential"=$creds}

    You could stick that into the beginning of your scripts, or in your PowerShell profile if you like. This will ensure that every AD cmdlet is run with the correct credentials.
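
The following is an added example, not code posted by anyone in this thread. It combines the encrypted XML credential file from the original question with the $PSDefaultParameterValues approach above for an unattended scheduled task. The file path is a hypothetical placeholder, and the sketch assumes the ActiveDirectory module (RSAT) is installed locally.

```powershell
# Added example: $credPath is a hypothetical placeholder, not a value from the thread.
$credPath = 'C:\Scripts\ad-cred.xml'

# One-time setup, run interactively AS the account the scheduled task uses,
# on the same computer:
#   Get-Credential | Export-Clixml -Path $credPath
# On Windows, Export-Clixml protects the password with DPAPI, so only that
# user on that computer can decrypt the file.

if (-not (Test-Path -LiteralPath $credPath)) {
    throw "Credential file not found: $credPath"
}

try {
    $adCred = Import-Clixml -Path $credPath -ErrorAction Stop
}
catch {
    # Typical cause: the file was exported by a different user or on another machine.
    throw "Could not load credential from ${credPath}: $_"
}

if ($adCred -isnot [System.Management.Automation.PSCredential]) {
    throw "File $credPath does not contain a PSCredential object."
}

Import-Module ActiveDirectory -ErrorAction Stop

# Set one key instead of assigning a new hashtable, so any defaults that
# already exist in the session are not overwritten.
$PSDefaultParameterValues['*-AD*:Credential'] = $adCred

try {
    # Both cmdlets pick up -Credential from the default; 'Group' is the
    # sample group name used elsewhere in this thread.
    Get-ADGroup -Identity 'Group' |
        Get-ADGroupMember |
        Select-Object Name, SamAccountName
}
finally {
    # Drop the default so later code in the same session does not silently
    # run AD cmdlets under the stored credential.
    $PSDefaultParameterValues.Remove('*-AD*:Credential')
}
```

Restrict NTFS permissions on the XML file to the task account as well; DPAPI stops other users from decrypting it, but not from deleting or replacing it.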

  • #31344
    Jason Beckett
    Participant

    That's a brilliant solution. Thank you Peter.

  • #31345
    Peter Jurgens
    Participant

    You can absolutely use a technique called Implicit Remoting to connect to your domain controller by PSSession with alternate credentials and import your cmdlets. Something like that would be:

    $cred = Get-Credential "domain\username"
    $DC = New-PSSession -ComputerName DC01 -Credential $cred
    #Invoke-Command here in case the DC is running earlier than PSv3
    Invoke-Command -Session $DC -ScriptBlock {Import-Module ActiveDirectory}
    Import-PSSession $DC -Module ActiveDirectory

    This will import the AD cmdlets into your current session. The only caveat with implicit remoting is that your commands and data returned are serialized and deserialized when they are sent/retrieved, which causes issues with usability of the commands. For instance:

    Get-ADGroup 'Group' | Get-ADGroupMember

    This works fine with locally installed RSAT and AD cmdlets, however you will get an error if you try to run this with cmdlets that were imported through implicit remoting. To work around this, you will have to use a lot of ForEach-Object:

    Get-ADGroup 'Group' | ForEach{Get-ADGroupMember -Identity $_.distinguishedname}

    In some cases as well I've found that this can cause odd issues where not "every" item is processed in the foreach loop. I've not encountered this for a while personally so I can't say for sure but previously when I was using implicit remoting over installing RSAT I certainly encountered this issue numerous times.

  • #31350
    Jason Beckett
    Participant

    Thanks for the suggestion. I'm familiar with the implicit remoting option, but for precisely the reasons you listed I was looking for an alternative.

    I think your suggestion to use PSDefaultParameterValues is the ticket for me 🙂
