Tag Archives: credentials

Quickly and securely storing your credentials – PowerShell

During the last PowerShell event I quickly demo’ed the Export-CliXml functionality to quickly, easily, and most importantly, securely store credentials to a file. In this article I will describe the following three steps:

  • Store credentials in a variable
  • Export the variable to a file
  • Import the credential object from the file into a variable

To get a credential object we can either manually create one or use the Get-Credential cmdlet to prompt for the account details:

$Credential = Get-Credential

To store the credentials into a .cred file:

$Credential | Export-CliXml -Path "${env:\userprofile}\Jaap.Cred"

And to load the credentials from the file and back into a variable:

$Credential = Import-CliXml -Path "${env:\userprofile}\Jaap.Cred"
Invoke-Command -Computername 'Server01' -Credential $Credential {whoami}


The advantage of this methodology is that you can leverage the versitility of PowerShell to ensure that the data is not only exported, but also stored in a secure manner using secure strings. It should be noted that these credential files that are created can only be opened by the same user on the same system. It can be used to store any type of credentials, both local accounts and domain accounts can be saved in this manner.

Note that you are not limited to storing a single set of credentials in this manner, you could use any number of accounts, for example the following example will prompt for 3 different sets and store them in a hash table. This can then be exported/imported in a similar manner:

$Hash = @{
    'Admin'      = Get-Credential -Message 'Please enter administrative credentials'
    'RemoteUser' = Get-Credential -Message 'Please enter remote user credentials'
    'User'       = Get-Credential -Message 'Please enter user credentials'
$Hash | Export-Clixml -Path "${env:\userprofile}\Hash.Cred"
$Hash = Import-CliXml -Path "${env:\userprofile}\Hash.Cred"
Invoke-Command -ComputerName Server01 -Credential $Hash.Admin -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.RemoteUser -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.User -ScriptBlock {whoami}


Connect-Mstsc – New version in TechNet Script Gallery

My Connect-Mstsc function was overdue for an update and I took the opportunity to add some additional feature to Connect-Mstsc as well. The purpose of this function is to start an RDP session with the specified user name and password. This functionality is not included in the mstsc.exe tool, which is why I wrote this script. The script is available for download in the TechNet script library: Connect-Mstsc.

This script accepts many parameters but two things need to be present, the ComputerName and either the combination of a User and a Password or a Credential object which will be used to authenticate the user against the remote system.

A simple example of how to use this function is as follows:

Connect-Mstsc -ComputerName server01 -User contoso\jaapbrasser -Password supersecretpw

A remote desktop session to server01 will be created using the credentials of  contoso\jaapbrasser

Alternatively the -Credential parameter can be used to connect to a remote host:

Connect-Mstsc -ComputerName -Credential $Cred

A RDP session to the system at will be created using the credentials in   the $cred variable

The complete function is available in the TechNet Script Library. To view this script or to participate in the discussions about this script either comment here or in the TechNet Script Gallery. Because some of the new functionality, specifically the parameter sets and support for common parameter, the latest version of Connect-Mstsc is not compatible with PowerShell 2.0. To remedy this problem I have uploaded a PowerShell 2.0 compatible version as well.

TechNet Script Library
My entries in TechNet Script Gallery
Connect-Mstsc (PowerShell 2.0)

New article on PowerShell Magazine: Verify local SAM store account credentials

The article posted on PowerShell Magazine provides an easy example that allows for verification of local computer credentials using the System.DirectoryServices.AccountManagement namespace. The full article is available on PowerShell Magazine: