Creating and using Password Hashes and Secure Strings with Powershell

Another learning exercise.

I needed to define the way that admins from a trusted (Windows) domain could safely provide the credentials for an account with read-only access, so that Exchange 2007 in a resource forest can create a linked mailbox. Creating a linked mailbox requires an account in the trusted account forest that has read access to that forest's AD, so that Exchange can link the new mailbox with a valid account in the trusted account forest.

I need a way for the admins in the trusted account forest to provide a user account and a non-"clear text" password. This can be done by passing a password hash instead. But how do you create a hash that can be used and passed? It's difficult to extract an account's password hash out of the AD, so you need another way of creating it.

All the commands are there in PowerShell, but I struggled a bit to determine the right process to use them. Lots of searching and reading got me to this article:

http://www.vistax64.com/powershell/15669-howto-use-convertto-securestring-convertfrom-securestring.html

The answer for me was in this bit of code (Thanks Lee Holmes):

PS >$secureString = Read-Host -AsSecureString
************
PS >ConvertFrom-SecureString $secureString | out-file c:\temp\encrypted.txt
PS >$newString = gc C:\temp\encrypted.txt | ConvertTo-SecureString

The Read-Host command lets the admin type in the password, which in theory only he knows, and returns it as a SecureString. You can't output and pass a SecureString directly, but ConvertFrom-SecureString turns it into an encrypted string which you can write to a text file and hand to an Exchange admin. The Exchange admin can then reconvert it to a SecureString inside PowerShell (the last command above) and use it with the PSCredential functionality. Two caveats matter here. First, this is reversible encryption, not a hash: anyone who can decrypt the string has the password, so it must be handled as a secret. Second, when no -Key or -SecureKey is given, ConvertFrom-SecureString protects the string with DPAPI under the profile of the user who typed it, on that machine; a different admin on a different machine cannot decrypt it. To pass it to someone else, both sides must use the same -Key (or -SecureKey) on ConvertFrom-SecureString and ConvertTo-SecureString, and the key must travel separately from the encrypted string.
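The following is an added example, not code from the original post or from the linked article. It walks through both sides of the hand-off described above and shows two things the snippet alone does not: that the DPAPI-protected string produced without -Key fails to decrypt for another user or machine, and that the string is reversible encryption rather than a hash. It assumes PowerShell 5.1 or later on Windows; the file paths under C:\temp and the account name ACCOUNTFOREST\svc-exchange-ro are placeholders.

```powershell
# Added example (not from the original post or the linked article).
# Assumes PowerShell 5.1+ on Windows. Paths and the account name are placeholders.

# --- Account-forest admin side ---------------------------------------------

# Read the password without echoing it to the console.
$secureString = Read-Host -Prompt 'Password for the read-only account' -AsSecureString

# Default form: protected with DPAPI under the *current user's* profile on
# *this* machine. Only that user on that machine can reverse it, so this is
# not something you can hand to the Exchange admin.
ConvertFrom-SecureString $secureString | Out-File C:\temp\encrypted-dpapi.txt

# Portable form: encrypt with an explicit 256-bit AES key instead. The key has
# to reach the Exchange admin out of band (never alongside the encrypted
# string), because whoever holds both has the password.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
ConvertFrom-SecureString $secureString -Key $key | Out-File C:\temp\encrypted-aes.txt
[Convert]::ToBase64String($key) | Out-File C:\temp\aes-key.txt   # deliver separately

# --- Exchange admin side (different user and/or machine) -------------------

# The DPAPI file is useless here: decryption fails for anyone but the
# originating user on the originating machine.
try {
    Get-Content C:\temp\encrypted-dpapi.txt |
        ConvertTo-SecureString -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "DPAPI-protected string cannot be decrypted here: $($_.Exception.Message)"
}

# The AES form works once the shared key is supplied.
$key    = [Convert]::FromBase64String((Get-Content C:\temp\aes-key.txt))
$secure = Get-Content C:\temp\encrypted-aes.txt | ConvertTo-SecureString -Key $key

# Build the credential object that Exchange cmdlets accept via -Credential.
$cred = New-Object System.Management.Automation.PSCredential ('ACCOUNTFOREST\svc-exchange-ro', $secure)

# Proof that this is encryption, not hashing: the clear-text password comes
# straight back. Do not leave a line like this in a production script; it is
# here only to make the point.
$cred.GetNetworkCredential().Password
```

Because the encrypted string and the key together are equivalent to the clear-text password, treat the text file with the same care as the password itself: send the key and the string over different channels, and delete both files once the Exchange admin has built the credential.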

Easy once you know ..
