Author Posts

August 10, 2016 at 3:57 pm

Hello, I'm doing some work with exchange and I need to put a plaintext password in the file...

I know this inst really a best practice but i'm not sure there is a way around it.

Is there a way to pre-encrypt the password to gibberish and then just reconstruct it to plaintext pass when it is being passed?

Such as..

$password = "123413434afasfdaf;kj;3143143143"
$s.Credentials = New-Object Net.NetworkCredential('support@domain', (convert-passwordback $password)

Full code below:

Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"

$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$s.Credentials = New-Object Net.NetworkCredential('support@domain', 'plaintextpass')
$s.Url = new-object Uri("")

$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

August 10, 2016 at 4:01 pm

You'd want to encrypt the password in your file, and decrypt it when the script runs. How you do this, exactly, depends on who needs to be able to run the script. (Or in other words, who has the key that is able to decrypt the password?)

If you're the one running the script, it's very easy. Just create a PSCredential object with the Get-Credential cmdlet, then pipe it to Export-Clixml. PowerShell will automatically encrypt the password for you, and when you use Import-Clixml later to load that file up from disk, you'll have a credential object again (with the correct password.) The encryption key used for that file is part of your user profile (the Windows Data Protection API, if you're curious and want to read up on how that all works.) That means that other users won't be able to decrypt the password, nor will you be able to decrypt it on another computer in most cases.

If you need to share the password with other users, the best approach is to use certificates. Each user can have their own cert (which contains a private key), and you can encrypt your password using multiple certificates so that each authorized user is able to read it. PowerShell v5 added some new commands to help with this: Protect-CmsMessage and Unprotect-CmsMessage. If you need to use older version of PowerShell instead, I've got a module called ProtectedData which works much the same way (with Protect-Data and Unprotect-Data commands, uses certificates.)

I gave a presentation on this topic at the PowerShell summit a year or so ago:

August 10, 2016 at 4:51 pm

Before I research this, I should have said this script will run under my user as a scheduled task.
Is your method still viable for this?

And thanks for your prompt response!

August 10, 2016 at 5:15 pm

Yep, as long as the scheduled task executes as your account, you should be fine. 🙂

August 10, 2016 at 6:22 pm

Wow Dave, things finally got slow here and I was able to thoughtfully read your post and follow it...

This is such an amazing technique! It's easy, and actually secure! Thanks again for the great tip, this is one of my new favorite powershell methods and committed to memory!