Script / Command Launcher – for batch processing on machines requiring different credentials

 
Just a little PowerShell scriptlet that could be handy for some of you out there (see below)
 
In our customer’s environment the servers belong to several different domains.
I needed to run a PowerShell script that performed some configuration on hundreds of remote servers,
and I needed a way to run the PowerShell script using different credentials, depending on which
domain the server was in.
 
I came up with the following small script, which in its turn invokes the other script.
(That other script is not very interesting: it copies some files and configures some stuff that couldn’t be done using remote WMI or other ‘credentiable’ commands,
so I couldn’t provide the credentials to the commands in that script itself.)
 
The script reads from a .csv file with the following header format: ServerName,LogonDomain
For each line in the file it runs ‘myposhscript.ps1’ with the server name as an argument, which the other script uses to connect to that server.
 
In the first line the password for the scripting user is read (the script assumes the user exists in all domains with the same password).
The password is stored in the SecureString format and can only be used by the user and on the machine that encrypted the password.
 
You can create such a file (as the user that will decrypt it later, and on the machine it will be used on later) with the following one-liner:
Read-Host "Enter password or other secure string:" -AsSecureString | ConvertFrom-SecureString | Out-File securepw.txt
 
The SecureString commands use Microsoft’s Data Protection API, for in depth info see:
 
If the machine on which the password file resides is physically and otherwise secure, and the file is NTFS protected,
I think this gives you a secure way of launching scripts using different credentials without storing them in cleartext!
(You should probably combine this with Script Signing if you have PKI in place; this would provide you with a tamper-proof script as well!)
 
 
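#Script
#Read the encrypted password from file and make it a SecureString.
#Stop only if this read fails: $error also holds older errors from the same session.
try {
    $pass = Get-Content securepw.txt -ErrorAction Stop | ConvertTo-SecureString -ErrorAction Stop
}
catch {
    Write-Error "Could not read the password from securepw.txt: $_"
    exit 1
}
if ($null -eq $pass) { Write-Error "securepw.txt is empty"; exit 1 }
$user="johndoe"
#import the csv file into array
$Data=Import-Csv .\srvlist.csv
 
#Do processing for each server in the file
$Data | ForEach-Object {

   $domain=$_.LogonDomain
   $server=$_.ServerName
   $cmd="$PSHOME\powershell.exe"
   #the server name is passed as a single-quoted literal so it stays one argument
   $arguments="& 'c:\scripts\myposhscript.ps1' '$server'"
 
   #start the new PowerShell session with the appropriate credentials and wait for it to end

   $proc=[System.Diagnostics.Process]::Start($cmd,$arguments,$user,$pass,$domain)
   $proc.WaitForExit()
}
#End Script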
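
The two conditions mentioned above (an NTFS-protected password file and a signed script) can be checked before the launcher starts, together with the CSV values that end up in the command line. The following pre-flight check is an added example, not part of the original script; the function names, the list of allowed SIDs and the name pattern are assumptions, and the file paths are the ones used in the post.

```powershell
# Added example (not from the original post). Function names, the allowed-SID
# list and the name pattern are assumptions; paths are the ones the post uses.
function Test-PasswordFileAcl {
    param([string]$Path)
    $allowed = @(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        'S-1-5-18',      # Local System
        'S-1-5-32-544'   # BUILTIN\Administrators
    )
    # Resolve every ACE to a SID so the check does not depend on localized names
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $extra = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value })
    foreach ($ace in $extra) {
        Write-Warning "$Path grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
    }
    return ($extra.Count -eq 0)
}

function Test-ScriptSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { Write-Warning "$Path signature status: $($sig.Status)" }
    return ($sig.Status -eq 'Valid')
}

function Get-ValidServerRow {
    param([string]$CsvPath)
    # Letters, digits, dot and hyphen only: the values end up inside a command line
    $pattern = '\A[A-Za-z0-9][A-Za-z0-9.-]{0,253}\z'
    Import-Csv $CsvPath | Where-Object {
        $ok = ($_.ServerName -match $pattern) -and ($_.LogonDomain -match $pattern)
        if (-not $ok) { Write-Warning "Skipping row '$($_.ServerName)','$($_.LogonDomain)'" }
        $ok
    }
}

$aclOk = Test-PasswordFileAcl '.\securepw.txt'
$sigOk = Test-ScriptSignature 'c:\scripts\myposhscript.ps1'
if ($aclOk -and $sigOk) {
    $rows = @(Get-ValidServerRow '.\srvlist.csv')
    "Pre-flight passed, $($rows.Count) server(s) accepted"
} else {
    "Pre-flight failed, launcher should not run"
}
```

Run it as the same user and on the same machine as the launcher, since the current user's SID is part of the allowed list.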