I created a module for our tech staff with functions that would query our AD server about specific information with a user's login or display name as the input.
Each function in the module requires domain credentials for authentication. I originally had each function prompt the user before each execution, but it was requested that they be prompted just once for each PowerShell session instance.
To facilitate this, I created a new function, “Get-TPAdminLogon”, to store the credentials as a global variable (PSCredential object). For the duration of the session, each function in the module can then reference the $TPCred variable, which contains the credentials needed to execute each function within the module.
Should I be concerned about these credentials being stored in a variable? Technically one could retrieve that with $TPCred.GetNetworkCredential().password. The functions can only be run from each technician's local workstation and also from a terminal server that only we have VPN access to.
Would I gain anything by encrypting the PSCredential Object to a file and then decrypt when needed?
Storing credentials somewhere is always a potential risk. Take a look at the Export-CliXml and Import-CliXml cmdlets; you can use these to store credentials in an encrypted XML format that can only be used by the user and computer that exported the credentials.
The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. This ensures that only your user account on only that computer can decrypt the contents of the credential object. The exported CliXml file can neither be used on a different computer nor by a different user.
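One way to apply the Export-Clixml / Import-Clixml suggestion to the module described in the question, as an added example that is not the poster's code. Get-TPAdminLogon and $TPCred are the names from the question; the cache path, the -Force switch and Clear-TPAdminLogon are assumptions made for illustration.

```powershell
# Added example for a .psm1 file (Windows, DPAPI-backed Export-Clixml).
# Module scope instead of $global: so the credential is not a session-wide variable.
$script:TPCred     = $null
$script:TPCredPath = Join-Path $env:LOCALAPPDATA 'TPTools\tpcred.clixml'   # assumed location

function Get-TPAdminLogon {
    [CmdletBinding()]
    param([switch]$Force)   # hypothetical switch: ignore any cached copy and prompt again

    # Already loaded in this session: no prompt, no disk access.
    if ($script:TPCred -and -not $Force) { return $script:TPCred }

    if (-not $Force -and (Test-Path -LiteralPath $script:TPCredPath)) {
        try {
            $cred = Import-Clixml -LiteralPath $script:TPCredPath -ErrorAction Stop
            if ($cred -is [pscredential]) {
                $script:TPCred = $cred
                return $cred
            }
        }
        catch {
            # A file exported by another user or on another computer cannot be decrypted.
            Write-Warning "Cached credential unusable ($($_.Exception.Message)); prompting again."
        }
    }

    $cred = Get-Credential -Message 'Domain credentials for AD queries'
    if (-not $cred) { throw 'No credential supplied.' }

    $dir = Split-Path -Parent $script:TPCredPath
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $cred | Export-Clixml -LiteralPath $script:TPCredPath   # password stored DPAPI-encrypted
    $script:TPCred = $cred
    return $cred
}

function Clear-TPAdminLogon {
    # Drop both the in-memory object and the cached file, e.g. after a password change.
    $script:TPCred = $null
    Remove-Item -LiteralPath $script:TPCredPath -ErrorAction SilentlyContinue
}
```

The file protects the credential at rest only; once loaded, the PSCredential object is as recoverable inside that session as the question describes, so the cache changes how often the technician is prompted, not what code running as that user can read.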