Forum Discussion
Run PowerShell with different credentials without prompt on remote machines
I want to run the below command using different user (domain\administrator) without prompting to enter password, basically I want to append the credentials in this command if required.
powershell.exe -executionpolicy Bypass -file %script%
Expecting: not sure this can be done.
powershell.exe -executionpolicy Bypass -file %script% -Credentials -Username user -Password password
Thanks,
- Why not imbed your credential to your code?
$credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "UserName","Password"
powershell.exe -executionpolicy Bypass -file %script% -Credentials $credential
Using Install-Module -Name CredentialManager is also a good approach for credentials.Firstly, it's bad practice to embed clear-text credentials in a script (I'd even include base64 as that's not actually encryption and can easily be reversed.)
Fetching them from a remote credentials store (such as Azure Key Vault, your suggestion of the downloadable CredentialManager module, or even a custom database) or prompting for them once prior to calling the script x times is okay, but not direct inclusion in the code. Of course, the obvious issue here is that none of these approaches can be leveraged "out of the box", which is another reason why staging the credential prior to calling the script is advantageous (since you'd only need the custom approach to be functional on the host doing the remote callouts.)
Secondly, powershell.exe does not actually contain a "-Credentials" parameter.
about PowerShell exe - PowerShell | Microsoft Docs
Lastly, I'd strongly recommend not leveraging the Bypass execution policy unless there's a profoundly compelling reason for doing so as that undermines system security - possibly for no good reason.
It's a rare day when RemoteSigned is found to be too restrictive.
Cheers,
Lain
- Hi LainRobertson
Any idea how to pass the user credential from task scheduler to the powershell script to be more secure in running custom reports?
Currently now im using CredentialManager module but if you have more secure proper way hope you could share what is the best approach for this.
Thanks.
- I have same issue, did you ever figure out a solution?
You can leverage Start-Process as mentioned above by pvanoord above.
One down side to this method is that you have to pass the credentials across in some fashion, and I've seen a lot of people take the lazy approach of passing them in clear text.
A "better" (subjective statement) approach would be to establish the credential client-side (since most people are familiar with Get-Credential already) and use that in a call to Invoke-Command. Here's a crude example:
$RemoteCredential = Get-Credential; Invoke-Command -UseSSL -ComputerName somehost.mydomain.com -Credential $RemoteCredential -ScriptBlock { dir C:\ };(note: if you haven't configured secure WinRM, then leave out the -UseSSL)
Of course, there's other options for achieving the same thing but for this specific use case, this is the one I'd recommend for a few reasons.
If the first one is that it keeps the credential relatively secure, then the second reason would be that Invoke-Command can accept multiple remote hosts for the -ComputerName parameter, and if multiple hosts are provided, it spawns tasks in parallel (up to a default or nominated limit which is beyond the scope of this discussion.)
Where you have to run that command on a large number of remote hosts, this results in significant time savings.
Cheers,
Lain
- Perhaps starting the PowerShell session using Start-Process with the -Credential option works for you? This should allow you to pass both a username and password to run the process under.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?view=powershell-7.1
