Run PowerShell with different credentials without prompt on remote machines

Occasional Visitor

I want to run the below command using different user (domain\administrator) without prompting to enter password, basically I want to append the credentials in this command if required.

 

powershell.exe -executionpolicy Bypass -file %script%

 

Expecting: not sure this can be done.

powershell.exe -executionpolicy Bypass -file %script% -Credentials -Username user -Password password

 

 

 

Thanks,

7 Replies
Perhaps starting the PowerShell session using Start-Process with the -Credential option works for you? This should allow you to pass both a username and password to run the process under.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?vie...
I have same issue, did you ever figure out a solution?

@kalva1kk 

 

You can leverage Start-Process as mentioned above by @pvanoord above.

 

One down side to this method is that you have to pass the credentials across in some fashion, and I've seen a lot of people take the lazy approach of passing them in clear text.

 

A "better" (subjective statement) approach would be to establish the credential client-side (since most people are familiar with Get-Credential already) and use that in a call to Invoke-Command. Here's a crude example:

$RemoteCredential = Get-Credential;
Invoke-Command -UseSSL -ComputerName somehost.mydomain.com -Credential $RemoteCredential -ScriptBlock { dir C:\ };

 

(note: if you haven't configured secure WinRM, then leave out the -UseSSL)

 

Of course, there's other options for achieving the same thing but for this specific use case, this is the one I'd recommend for a few reasons.

 

If the first one is that it keeps the credential relatively secure, then the second reason would be that Invoke-Command can accept multiple remote hosts for the -ComputerName parameter, and if multiple hosts are provided, it spawns tasks in parallel (up to a default or nominated limit which is beyond the scope of this discussion.)

 

Where you have to run that command on a large number of remote hosts, this results in significant time savings.

 

Cheers,

Lain

Why not imbed your credential to your code?

$credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "UserName","Password"

powershell.exe -executionpolicy Bypass -file %script% -Credentials $credential

Using Install-Module -Name CredentialManager is also a good approach for credentials.

@Alan2022 

 

Firstly, it's bad practice to embed clear-text credentials in a script (I'd even include base64 as that's not actually encryption and can easily be reversed.)

 

Fetching them from a remote credentials store (such as Azure Key Vault, your suggestion of the downloadable CredentialManager module, or even a custom database) or prompting for them once prior to calling the script x times is okay, but not direct inclusion in the code. Of course, the obvious issue here is that none of these approaches can be leveraged "out of the box", which is another reason why staging the credential prior to calling the script is advantageous (since you'd only need the custom approach to be functional on the host doing the remote callouts.)

 

Secondly, powershell.exe does not actually contain a "-Credentials" parameter.

 

about PowerShell exe - PowerShell | Microsoft Docs

 

Lastly, I'd strongly recommend not leveraging the Bypass execution policy unless there's a profoundly compelling reason for doing so as that undermines system security - possibly for no good reason.

 

It's a rare day when RemoteSigned is found to be too restrictive.

 

Cheers,

Lain

Hi @LainRobertson

Any idea how to pass the user credential from task scheduler to the powershell script to be more secure in running custom reports?
Currently now im using CredentialManager module but if you have more secure proper way hope you could share what is the best approach for this.
Thanks.

@Alan2022 

 

I don't have a single preferred method since not all environments I visit are the same. If Credential Manager works for you then that ought to be fine.

 

So long as credentials aren't being stored directly within the script, then that satisfies good scripting practice.

 

The question then changes to "how securely are your credentials stored" and maybe also "are they being transmitted over the wire in plain text", but those kinds of questions are not specific to PowerShell and therefore not really PowerShell "best practice"-related.

 

Cheers,

Lain

 

Edited to fix a typo and some grammar.