Allow multiple users to access credentials stored using export-clixml

I’m using the following to store credentials:

Get-Credential -Credential "domain\user" `
| Export-Clixml .\creds.xml

This works in scripts when run as my account and I call the xml file. However, if I try to run a script on the same machine under a different user (e.g. a scheduled task), calling the same XML using the import-clixml command I get the error:

import-clixml : Key not valid for use in specified state.

Do I need to switch to convertto-securestring/convertfrom-securestring or is there something I can do to allow a different user to access the stored credentials?

You can’t do that, because those cmdlets use the DPAPI to do the encryption, and DPAPI stores the encryption keys in your user profile.

However, there are other techniques you can use, and this was the subject of a talk I gave at this year’s PowerShell Summit: . The short version is, use certificates to encrypt your passwords, and distribute the certificate (with its private key) to any user who you want to be able to run the script.
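
One way to apply the certificate approach described above, as an added example that is not part of the original thread or the talk it mentions. It assumes Windows PowerShell 5.0 or later (for Protect-CmsMessage and Unprotect-CmsMessage) and the PKI module; the certificate subject and file names are placeholders.

```powershell
# Added example. Subject name and file paths below are placeholders (assumptions).

# --- One time, as the credential owner ---------------------------------------
# Create a document-encryption certificate; whoever holds its private key can decrypt.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCert `
    -Subject 'CN=ScriptCredentialEncryption' `
    -KeyUsage DataEncipherment, KeyEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My

# Encrypt the password to the certificate instead of to the per-user DPAPI key.
$cred  = Get-Credential -Credential 'domain\user'
$plain = $cred.GetNetworkCredential().Password
Protect-CmsMessage -To $cert.Thumbprint -Content $plain -OutFile .\creds.cms
Remove-Variable plain

# Export the certificate with its private key for the other account.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\ScriptCredential.pfx `
    -Password $pfxPassword | Out-Null

# --- One time, logged on as the account the scheduled task runs under --------
# Without -Exportable, the imported private key cannot be exported again.
Import-PfxCertificate -FilePath .\ScriptCredential.pfx `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host -AsSecureString -Prompt 'PFX password') | Out-Null
# Delete the .pfx file once every intended account has imported it.
Remove-Item .\ScriptCredential.pfx

# --- In the script, under any account that holds the private key -------------
# Unprotect-CmsMessage finds the matching private key in the certificate store.
$plain  = Unprotect-CmsMessage -Path .\creds.cms
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable plain
$cred   = New-Object System.Management.Automation.PSCredential('domain\user', $secure)
```

Unlike creds.xml, creds.cms can be read by any account that has the certificate's private key, so access to the password is controlled by who receives the .pfx and its password.
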

I only have a basic understanding of the details but in general the default protection\encryption of secure objects uses a key that is specific to user and machine. By design this makes sharing credentials between users have the issue you are experiencing. Please be aware that in general this type of automation violates most organizations' security policies.
But it can be done:

Hi Dave,
Thanks for the suggestion to use certificates, the video is very helpful. I’ll go that route.