Another learning exercise.
I needed to define a way for admins in a trusted (Windows) account forest to safely hand over the credentials of a read-only account. Exchange 2007 in a resource forest needs such an account when it creates a linked mailbox: the account must have read access to the trusted forest's AD so that Exchange can link the new mailbox to a valid user in the trusted account forest.
So I need a way for the admins in the trusted account forest to provide a user account together with a non-"clear text" password. This can be done by passing a password hash instead. But how do you create a hash that can be used and passed? It's difficult to extract an account's password hash out of AD, so you need another way of creating it.
All the commands are there in Powershell but I struggled a bit to determine the right process to use them. Lots of searching and reading got me to this article:
The answer for me was in this bit of code (Thanks Lee Holmes):
PS >$secureString = Read-Host -AsSecureString
PS >ConvertFrom-SecureString $secureString | out-file c:\temp\encrypted.txt
PS >$newString = gc C:\temp\encrypted.txt | ConvertTo-SecureString
The Read-Host command lets the admin type in the password, which in theory only he knows, and converts it to a SecureString. You can't output and pass this secure string directly, but you can convert it to an encrypted hash, write that to a text file and then pass the file to an Exchange admin. The Exchange admin can then reconvert it to a secure string (using code line 3 above) inside PowerShell and use it with PowerShell's PSCredential functionality.
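One thing the three lines above do not show is what protects the text in encrypted.txt. Without -Key, ConvertFrom-SecureString encrypts with DPAPI, so the output can only be turned back into a SecureString by the same user on the same machine; it cannot be decrypted by a different admin in another forest. The example below is added here and is not code from the original post or from Lee Holmes: it carries the same export/import flow through with a shared AES key so the file is portable, and then builds the PSCredential the receiving admin actually needs. The file paths, the key delivery and the account name are assumptions.

```powershell
# Added example, not from the original post. Exports a password as an encrypted
# string that a second admin on another machine can rebuild into a PSCredential.
# Paths and the account name are assumed placeholders.

# --- Account-forest admin (the one who knows the password) ---
$keyPath = 'C:\temp\linkkey.bin'    # assumed path; hand this file over separately from encrypted.txt
$outPath = 'C:\temp\encrypted.txt'

# A random 256-bit key. Using -Key instead of the DPAPI default is what makes
# the encrypted text usable by someone else; whoever holds both files holds the password.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyPath, $key)

# The password is typed in and only ever exists in memory as a SecureString.
$secureString = Read-Host -Prompt 'Password for the read-only linking account' -AsSecureString

# Encrypt with the shared key and write the portable encrypted text.
ConvertFrom-SecureString -SecureString $secureString -Key $key | Out-File $outPath

# --- Exchange admin in the resource forest ---
$key       = [System.IO.File]::ReadAllBytes($keyPath)
$newString = Get-Content $outPath | ConvertTo-SecureString -Key $key

# Rebuild a credential object without ever seeing the clear-text password.
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'ACCOUNTFOREST\svc-linkread', $newString  # assumed account

# Quick check that the object is usable: the user name is visible, the password is not.
$cred.UserName
```

The receiving side can now pass $cred wherever a PSCredential is expected; for the linked-mailbox case in this post that is the -LinkedCredential parameter of New-Mailbox. Delivering linkkey.bin by a different channel than encrypted.txt matters: with both files in hand, anyone can recover the password, so treat the pair exactly as you would the clear-text password itself.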
Easy once you know ..