How to encrypt/hide ClearText password in PowerShell Transcript - powershell

I have used the Start-Transcript command in my PowerShell profile. This is very useful for me to review the console output of my scripts at a later point in time when required. However, at times I also directly run some commands that include a ClearText password like the Set-ADAccountPassword cmdlet. Now, these passwords also get captured in the Transcript log file which poses a security risk.
So, is there a way PowerShell can recognize these password related commands and hide them with *'s in the Transcript log file.
I do not see any parameter in the Start-Transcript that would enable this behavior. Is there a workaround?
EDIT:
The command used (with ClearText password) is like the below,
Set-ADAccountPassword -Identity 'CN=Elisa Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)

All passwords accepted by the Set-ADAccountPassword cmdlet are encrypted (SecureString) passwords:
Set-ADAccountPassword
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADAccount>
[-NewPassword <SecureString>]
[-OldPassword <SecureString>]
[-Partition <String>]
[-PassThru]
[-Reset]
[-Server <String>]
[<CommonParameters>]
Nevertheless, if you come across a cmdlet (or an external command) that accepts plain text passwords, that would be your security weakness to be resolved as that is not just captured by Start-Transcript but also sent to the host console and displayed.
Saying that, you should not hardcode passwords in your scripts as in the example of Set-ADAccountPassword :
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "qwert#12345" -Force)
Instead, use the encrypted string as input for the ConvertTo-SecureString.
To create the secure string, use the follwing sommand: (don't hardcode this in your scripts either):
Read-Host -Prompt "Enter password" -AsSecureString | ConvertFrom-SecureString
Results:
12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d
And use the results in the concerned script (without the -AsPlainText switch), e.g.:
$OldPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
$NewPassword = '12345678d08c9ddf0115d1118c7a00c04fc297eb01000000c8e74a7ee4e2da4eae03ae6fbc416934123456789200000000001066000000010000200000002568f3e73d018b1d0ee8a616c8aa2e9614bad0a6bb62ac76aa4b2b90c0178d4b000000000e80000000020000200000002e443228fdf8e2c54b356420d854535e9acc13dcf635755ae80d17bca4ec3cce20000000a4517f6ca8873e9431a5cd9af714617116014ede30e1a927c856ed4738e03a2340000000ce49ddafe4da3f8cd64e14c347126d5e8907fa16deb9f5133f8807b675f40a3354465868414aba785fcde64bbd98a125924ccfb16ad718f8f24698c3dab88c0d'
Set-ADAccountPassword -Identity elisada -OldPassword (ConvertTo-SecureString $OldPassword) -NewPassword (ConvertTo-SecureString $NewPassword)
note 1: The encrypted string is only supposed to work under the account where it is created.
note 2: quote from the SecureString Class:
We don't recommend that you use the SecureString class for new
development. For more information, see SecureString shouldn't be
used
on GitHub.

Related

Set-ADAccountPassword specifying -Credential

I triyng to reset a password using this code:
Set-ADAccountPassword -Identity <username> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'N3WP#SS' -Force)
But it uses the credentials of the logged user to execute this action. How do I specify other user to perform this action using
-Credential?
If you are trying to specify other user :
PSCredential Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
Prompt a specified user to change their password.
Use this command below :
Set-ADAccountPassword -Identity TestName
Please enter the current password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:**********
Please enter the desired password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:***********
Repeat Password:***********
Set a password for a user account using a distinguished name :
Set-ADAccountPassword -Identity 'CN=Elisa
Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword
(ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)
Please take a look at this doc for more reference : Ser-ADAccountPassword

Why is force and AsPlainText required for secure string

I'm currently learning PowerShell through online tutorials.
What is the benefit of/why do examples use -Force and -AsPlainText when creating a secure string?
$password = 'P#ssw0rd' | ConvertTo-SecureString -AsPlainText -Force
There is no benefit of using those arguments, rather they are required to show that you understand that your string is not secure, despite the fact you've now placed it in a SecureString. Because you've passed it as plain text, it's already in memory in an insecure manner.
-AsPlainText shows that you want to pass in it as a plain text parameter. -Force is documented as:
Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
IIRC, -Force suppresses the confirmation prompt from -AsPlainText
$PW = ConvertTo-SecureString -String 'P#ssw0rd' -AsPlainText -Force

New-Mailbox creation error

We try to create new-mailbox in office 365 account using the cmdlet
New-Mailbox -UserPrincipalName chris#contoso.com -Alias chris -Database "Mailbox Database 1"
in WindowsPowershell ISE.To our surprise -UserPrincipalName is not a recognizable.However,using the following cmdlet ,we are able to create new mail box
New-Mailbox -Name "abcd" -MicrosoftOnlineServicesID "abcd#abcdwe.onmicrosoft.com" -Password $Password
here -MicrosoftOnlineServicesID is well recognizable and runs successfully also.
Note:I mean recognizable since when I type -MicrosoftOnlineServicesID in Windows Powershell ISE,the intellisense pops up a suggestion.
My question is why is the parameter -MicrosoftOnlineServicesID is recognizable and why the prameter -UserPrincipalName is not recognizable?
Note:In the same way as -UserPrincipalName , the parameter -TemplateInstance and many other parameters are not recognizable or not working properly.
Please carify what we need to include/import to make these cmdlets recognizable.

PS: Set-ADAccountPassword - Complexity Exception

I've got problems with setting new passwords via Powershell on Server 2012 R2:
Set-ADAccountPassword -Identity testuser48
-OldPassword (ConvertTo-SecureString -AsPlainText "HelloPassword123#" -Force)
-NewPassword (ConvertTo-SecureString -AsPlainText "April456##123" -Force)
I tried many different passwords but there's always an ADPasswordComplexityException.
FullyQualifiedErrorId : ActiveDirectoryServer:1325,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPasword
Are there any other things I could try?
All password complexity rules (incl. length, ...) are disabled.
Can you use -Reset instead of -OldPassword? Try below to see if it works for you. Also is this in a domain or a standalone server?
Set-ADAccountPassword -Identity testuser48 -Reset
-NewPassword (ConvertTo-SecureString -AsPlainText "April456##123" -Force)
I just found out that I have to set both minimum and maximum password age from undefined to 0 in order for this command to work. That does not seem to be documented ...

Looping through all my domains an changing pwd- access denied SET-QADUSER

I have several domains and one admin account in each one. It is a great pain to log into each domain to change password every month..
I have therefore written a script that will connect to all domains and check to see if I have already changed the password or if I am still using the old one.
If I am using the old one the script should update it.
I connect to the domains (sequentially) with
$oldPassword = Read-Host "Enter old password" -AsSecureString
$newPassword = Read-Host "Enter new password" -AsSecureString
$oldCredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "$domain\$adminusername",$oldPassword
Connect-QADService -Service $domain -Credential $oldCredentials
and if I get a successfull connection with $oldcredentials I try to change pwd with
GET-QADUSER $adminusername | SET-QADUSER -UserPassword $newPassword
I am guessing that I am not passing the secure string correctly to SET-QADUSER but I've found no documentation on another way to do it.
Please advice:)
SET-QADUSER -UserPassword accept [string] type not [System.Security.SecureString].
Try to pass just a string as password.