Automate encrypting Password and changing it every month


Is there any way to encrypt the password and change it after regular interval like 1 month without manual effort i.e. some sort of automation. The point is I don’t want to keep the password or pass it anywhere, either in a text file or inside the script. I have tried import-clixml, export-clixml and ps credential but it requires to give the password field.

It would be great if anyone can suggest/share the best password management tip.

You can use the Get-SBCredential cmdlet of the SB-Tools module.
On a machine with PS5 try:

Install-Module SB-Tools -Force 
Import-Module SB-Tools -DisableNameChecking
help Get-SBCredential -Show

So, in your script that needs credentials, you do something like:

$Cred = Get-SBCredential -UserName 'domain\name'

The first time it runs it will ask you for the password. In future times, it will read it from the encrypted file on disk. You can use that credential object throught the script like:

Get-ADUser -Identify sam1 -Credential $Cred

You will have to have a calendar reminder to reset the pwd monthly, or use some other automation. To update the saved credential object use the -refresh switch of the Get-SBCredential cmdlet

Hi Amar,

Hope the script below will help you…
Note: the password in the script below, which is converting to/from can only be done on the same machine, it will not work if you copy the file to any other machine or any other user.

function Schedule-PasswordChange {
    Param (
    # Declare local variables
    $PwdFileLocation        = (New-Item -Path $env:LOCALAPPDATA -Name Include -ItemType Directory -Force).FullName;
    $GeneratePwdFileName    = 'New-SWRandomPassword.ps1';
    $GeneratePwdFile        = "$PwdFileLocation\$GeneratePwdFileName";
    $PasswordFileName       = 'password';    # Extension may not required
    $PasswordFile           = "$PwdFileLocation\$PasswordFileName";
    $OldPassword            = '';
    $NewPassword            = '';

    # Downloading the random password generator function if not available from Microsoft script center (Url:
    if (-not (Test-Path -Path $GeneratePwdFile)) {
        $Uri                        = '';
        $web                        = New-Object System.Net.WebClient;
        #$web.UseDefaultCredentials  = $true;             # *This may not required in your environment,
        #$web.Proxy.Credentials      = $web.Credentials;  #  unless there is a proxy client in your environment 
        $web.DownloadString($Uri) | Out-File -FilePath $GeneratePwdFile -Force;

    # Dot source the function from the (downloaded) script 'New-SWRandomPassword.ps1'
    . $GeneratePwdFile;          # for New-SWRandomPassword function

    # Generate a the new password
    $NewPassword    = New-SWRandomPassword -MinPasswordLength 12;

    #Get the old password from the file; if not, updated it for the first time
    if (Test-Path -Path $PasswordFile) {
        $OldPassword = Get-Content -Path $PasswordFile | ConvertTo-SecureString;
    } else {
        Write-Verbose 'Please set the password below for the first time...';
        Write-Verbose "Password: $NewPassword";
        $Yes    = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes","";
        $No     = New-Object System.Management.Automation.Host.ChoiceDescription "&No","";
        $Choices= [System.Management.Automation.Host.ChoiceDescription[]]($Yes,$No);
        $Caption= 'Password Change';
        $Message= 'Did you update the password for the first time?';
        $Choice = $Host.UI.PromptForChoice($Caption,$Message,$Choices,0);
        if ($Choice -eq 0) {
            $NewPassword | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File -FilePath $PasswordFile -Force;
            Write-Verbose 'Password updated successfully!';

    # Convert new password from plain test to secure string
    $NewPassword = $NewPassword | ConvertTo-SecureString -AsPlainText -Force

    # Update password. (Write your own piece of code here)
    # Set-ADAccountPassword -Identity $Username -OldPassword $OldPassword -NewPassword $NewPassword
    Write-Verbose "Password updated successfully!"

Schedule-PasswordChange -Username 'Domain\Username' -Verbose