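<#
.SYNOPSIS
  Reads, creates or updates credentials kept in the Windows registry.

.DESCRIPTION
  Two stores are used, selected by -AccountType:
    Personal -> HKCU:\Software\SC\ExchangeBeheer, password protected with
                ConvertFrom-SecureString (DPAPI, current-user scope).
    Service  -> HKLM:\Software\SC\ServiceCredentials, password protected with
                DPAPI in LocalMachine scope and stored Base64-encoded.
  LocalMachine scope with no extra entropy means any principal that can read the
  HKLM key can recover the plaintext; the ACL on that key is the effective
  access control for service credentials.

.PARAMETER AccountType
  Personal (HKCU store) or Service (HKLM store).

.PARAMETER CredType
  Which credential set to read or edit. When omitted and -Action is Read or
  Edit the script prompts for it; -Action New ignores it and asks for a name.

.PARAMETER Action
  Read  - returns a PSCredential built from the stored values.
  New   - prompts for credentials and stores them under a new name.
  Edit  - prompts for replacement credentials and overwrites the stored set.

.PARAMETER NoChecking
  Skip validating the credentials against Active Directory.
#>
param (
[parameter(Mandatory=$true)][ValidateSet("Personal","Service")][string]$AccountType,
[ValidateSet("OnPrem","O365","SE","SMTP","ScheduledTasks","TopDesk")][string]$CredType,
[parameter(Mandatory=$true)][ValidateSet("Read","New","Edit")][string]$Action,
[switch]$NoChecking
)

#######################################
# Protect a plaintext password with DPAPI (LocalMachine scope) and return it
# Base64-encoded, the on-disk format used for Service credentials.
# Entropy is deliberately $null so that values written by earlier versions of
# this script stay readable; changing it would orphan stored credentials.
# Arguments: -PlainText  the password to protect (may be empty)
# Outputs:   Base64 string of the DPAPI blob
#######################################
function Protect-ServicePassword {
  param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$PlainText)
  $plainBytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)
  try {
    $protected = [Security.Cryptography.ProtectedData]::Protect($plainBytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [System.Convert]::ToBase64String($protected)
  }
  finally {
    # Do not leave a plaintext copy in managed memory longer than needed.
    [Array]::Clear($plainBytes, 0, $plainBytes.Length)
  }
}

#######################################
# Reverse of Protect-ServicePassword: Base64 -> DPAPI Unprotect -> SecureString.
# Arguments: -Base64Cipher  the value read from the <CredType>_PW registry property
# Outputs:   System.Security.SecureString
#######################################
function Unprotect-ServicePassword {
  param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$Base64Cipher)
  $cipherBytes = [System.Convert]::FromBase64String($Base64Cipher)
  $plainBytes = [Security.Cryptography.ProtectedData]::Unprotect($cipherBytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
  try {
    $plain = [System.Text.Encoding]::Unicode.GetString($plainBytes)
    return (ConvertTo-SecureString -AsPlainText -Force -String $plain)
  }
  finally {
    [Array]::Clear($plainBytes, 0, $plainBytes.Length)
  }
}

#######################################
# Validate a credential against the domain named in its user name.
# Arguments: -Credential  PSCredential to check (DOMAIN\user form expected)
# Outputs:   $true when the directory accepts the credential, otherwise $false
# The PrincipalContext holds a directory connection, so it is always disposed.
#######################################
function Test-DomainCredential {
  param([Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential)
  Add-Type -AssemblyName System.DirectoryServices.AccountManagement
  $network = $Credential.GetNetworkCredential()
  # NOTE(review): a UPN-style user name (user@domain) yields an empty Domain here,
  # exactly as the original code did; confirm that is acceptable for the O365/SE sets.
  [String]$domain = $network.Domain
  $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
  try {
    return [bool]$principalContext.ValidateCredentials($Credential.UserName, $network.Password)
  }
  finally {
    $principalContext.Dispose()
  }
}

switch ($AccountType){ ## Select the registry store for this account type
Service {$RegPath = "HKLM:\Software\SC\ServiceCredentials"}
Personal {$RegPath = "HKCU:\Software\SC\ExchangeBeheer"}
} #end switch

Add-Type -AssemblyName System.Security  # provides Security.Cryptography.ProtectedData (DPAPI)

## LAPS module (Local Administrator Password Solution)
## NOTE(review): nothing in this script calls into AdmPwd.PS; it is installed from the
## configured PowerShell repository at run time and imported globally for the caller.
## Confirm the import is still needed by whoever sources this script.
if (!(Get-Module -Name "AdmPwd.PS" -ListAvailable)){
  Write-Host "The AdmPwd.PS module is not yet installed, installing..." -ForegroundColor yellow
  Install-Module -Name "AdmPwd.PS" -AllowClobber -Force
} #end if
Write-Host "Loading the AdmPwd.PS Module..." -ForegroundColor Green
Import-Module AdmPwd.PS -Global

Write-Host -ForegroundColor yellow "Creating Regkey folders"
# New-Item fails when the key already exists, so only create the store on first use.
# -Force also creates the intermediate ...\SC key.
if (-not (Test-Path -Path $RegPath)) {
  New-Item -Path $RegPath -Force | Out-Null
}

if ((!$CredType) -and !($Action -eq "New")){ ## Set the credential type
  Write-Host "For which service are the credentials?" -ForegroundColor yellow
  Write-Host "1) On Premise credentials (OnPrem)" -ForegroundColor green
  Write-Host "2) Office 365 credentials (O365)" -ForegroundColor green
  Write-Host "3) SC SE credentials (SE)" -ForegroundColor green
  Write-Host "4) Service account Scheduled Tasks" -ForegroundColor green
  Write-Host "5) Service account SMTP" -ForegroundColor green
  Write-Host "6) Service account TopDesk" -ForegroundColor green
  Write-Host "Please provide your choice: " -ForegroundColor yellow -NoNewline; $choice = Read-Host
  switch ($choice){
    1 {$CredType = "OnPrem"}
    2 {$CredType = "O365"}
    3 {$CredType = "SE"}
    4 {$CredType = "ScheduledTasks"}
    5 {$CredType = "SMTP"}
    6 {$CredType = "TopDesk"}
    # Without this the script would continue with an empty $CredType and fail later on
    # a property named "User"/"_USR" with a far less helpful error.
    default { throw "Unknown choice '$choice'; expected a number between 1 and 6." }
  } #end switch
} #end if

switch ($Action){
Read { #Read credentials from the registry
  switch ($AccountType){
    Personal {
      $userName = ($CredType + "User")
      $passName = ($CredType + "Password")
      $ReadCredUserName = (Get-ItemProperty -Path $RegPath -Name $userName -ErrorAction Stop).$userName
      # Stored with ConvertFrom-SecureString, so only the same user on the same machine can decrypt it.
      $ReadCredPassword = (Get-ItemProperty -Path $RegPath -Name $passName -ErrorAction Stop).$passName | ConvertTo-SecureString
      $Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ReadCredUserName, $ReadCredPassword
    } #end personal
    Service {
      $userName = ($CredType + "_USR")
      $passName = ($CredType + "_PW")
      $UserFromRegistry = (Get-ItemProperty -Path $RegPath -Name $userName -ErrorAction Stop).$userName
      $EncryptedPW = (Get-ItemProperty -Path $RegPath -Name $passName -ErrorAction Stop).$passName
      $Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserFromRegistry, (Unprotect-ServicePassword -Base64Cipher $EncryptedPW)
    } #end service
  } #end switch
  if ($NoChecking){return $Credentials}
  # Check the validity of the credentials before handing them out.
  if (Test-DomainCredential -Credential $Credentials){return $Credentials}
  Write-Host "Credentials are not correct" -ForegroundColor red
  # NOTE(review): SubCredEdit is not defined in this file; it is assumed to be provided
  # by the calling session. Confirm, or route this through -Action Edit instead.
  SubCredEdit $RegPath $CredType $AccountType
} #end Read action

New { #Write credentials to the registry
  Write-Host "Please provide a short name for the credentials: " -ForegroundColor green -NoNewline; $CredentialName = Read-Host
  ## Request the credentials
  $Credential = Get-Credential -Message "Enter your credentials to be stored under the name $CredentialName in the registry"
  if (-not $Credential) { throw "No credentials were provided; nothing stored." }
  Write-Host "Storing credentials in the registry..." -ForegroundColor cyan
  $stamp = (Get-Date -Format g)
  switch ($AccountType){
    Personal { #Store the password in the registry encrypted with the user key
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "User") -Value $Credential.UserName -ErrorAction Stop | Out-Null
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "Password") -Value ($Credential.Password | ConvertFrom-SecureString) -ErrorAction Stop | Out-Null
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "InitialDate") -Value $stamp -ErrorAction Stop | Out-Null
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "EditDate") -Value $stamp -ErrorAction Stop | Out-Null
    } #end personal
    Service { #Store the password in the registry encrypted with the machine key
      # GetNetworkCredential().Password is already plaintext; the former
      # SecureString -> BSTR -> string round trip added nothing and never freed the BSTR.
      $SecurePasswordStr = Protect-ServicePassword -PlainText $Credential.GetNetworkCredential().Password
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_USR") -Value $Credential.UserName -ErrorAction Stop | Out-Null
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_PW") -Value $SecurePasswordStr -ErrorAction Stop | Out-Null
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_InitialDate") -Value $stamp -ErrorAction Stop | Out-Null
      New-ItemProperty -Path $RegPath -PropertyType String -Name ($CredentialName + "_EditDate") -Value $stamp -ErrorAction Stop | Out-Null
    } #end service
  } #end switch
} #end new

Edit { #Request the new credentials
  do {
    $Credential = Get-Credential -Message "Enter the new credentials for $CredType management tasks"
    if (-not $Credential) { throw "No credentials were provided; the stored set is unchanged." }
    if ($NoChecking){$NewCredentialCheck = $true}
    else {
      #Check the credential validity before overwriting the stored set
      $NewCredentialCheck = Test-DomainCredential -Credential $Credential
      if (-not $NewCredentialCheck){Write-Host "The provided credentials are wrong, please try again." -ForegroundColor red}
    } #end else
  } #end do
  until ($NewCredentialCheck)
  Write-Host "Storing credentials in the registry..." -ForegroundColor cyan
  $stamp = (Get-Date -Format g)
  switch ($AccountType){
    Personal { #Store the updated password in the registry encrypted with the user key
      Set-ItemProperty -Path $RegPath -Name ($CredType + "User") -Value $Credential.UserName -ErrorAction Stop
      Set-ItemProperty -Path $RegPath -Name ($CredType + "Password") -Value ($Credential.Password | ConvertFrom-SecureString) -ErrorAction Stop
      Set-ItemProperty -Path $RegPath -Name ($CredType + "EditDate") -Value $stamp -ErrorAction Stop
    } #end personal
    Service { #Store the updated password in the registry encrypted with the machine key
      $SecurePasswordStr = Protect-ServicePassword -PlainText $Credential.GetNetworkCredential().Password
      Set-ItemProperty -Path $RegPath -Name ($CredType + "_USR") -Value $Credential.UserName -ErrorAction Stop | Out-Null
      Set-ItemProperty -Path $RegPath -Name ($CredType + "_PW") -Value $SecurePasswordStr -ErrorAction Stop | Out-Null
      Set-ItemProperty -Path $RegPath -Name ($CredType + "_EditDate") -Value $stamp -ErrorAction Stop | Out-Null
    } #end service
  } #end AccountType switch
} #end edit option
} #end Action switch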
|