Get-Credential Remote Device

I have a requirement to run a script on remote devices, so I created the following

script 1

$AkeyFile = “C:\temp\PWDKey.key”
$AcredFile = “C:\temp\PWDCred.cred”
$myUser = “XYZABCD”
$AESKey = New-Object Byte[] 32
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
Set-Content $keyFile $AESKey

$credential = Get-Credential “$myUser”
$credential.Password | ConvertFrom-SecureString -Key (Get-Content $AkeyFile) | Set-Content $AcredFile

$pwdenc = Get-Content $AcredFile | ConvertTo-SecureString -key (Get-Content $AkeyFile)
$credential = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList “$myUser”, $pwdenc

So now I have 2 files, PWDKey.key & PWDCred.cred. I copied them onto the remote device under the C:\temp\TS folder.

Original Script


$FriendlyName = “REMOTECOMP”

$User = “XYZABCD”
$BkeyFile = “C:\temp\TS\PWDKey.key”
$BcredFile = “C:\temp\TS\PWDCred.cred”

$encrypted = Get-Content $BcredFile | ConvertTo-SecureString -key (Get-Content $BkeyFile)
$mycred = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList “$User”, $encrypted

Get-ADComputer $FriendlyName -Credential $mycred


While running the above, I get the following error:
Exception calling .ctor with 2 arguments
Any help would be highly appreciated.

Thanks,

V

First thing, you define your keyfile as “$AKeyFile” and then try to output to just $keyfile. Update one or the other so they match.

Set-Content $keyFile $AESKey

Next thing, your quotes aren’t proper. My guess is you copied and pasted at least some of this code from the internet, and have been victimized like so many others with these different quotes. Replace all the quotes by actually typing them. You can use find/replace but make sure to account for the different quotes in the beginning and the end.

After that you should be good!

Thanks. Sorry, that was a typo.

Even if I run the following script 1

$AkeyFile = “C:\temp\PWDKey.key”
$AcredFile = “C:\temp\PWDCred.cred”
$myUser = “XYZABCD”

$FriendlyName = “REMOTECOMP”
$AESKey = New-Object Byte[] 32
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
Set-Content $AkeyFile $AESKey

$credential = Get-Credential “$myUser”
$credential.Password | ConvertFrom-SecureString -Key (Get-Content $AkeyFile) | Set-Content $AcredFile

$pwdenc = Get-Content $AcredFile | ConvertTo-SecureString -key (Get-Content $AkeyFile)
$credential = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList “$myUser”, $pwdenc

Get-ADComputer $FriendlyName -Credential $credential

I get the following error

New-Object : Cannot find an overload for “PSCredential” and the argument count: “2”.

Like I said, your quotes are invalid. Replace them. Just look at them, they curl up all pretty. If you replace them with quotes that you type, it will work. I’ve tested your code after fixing them, that’s how I know. Look at the difference.

“$myUser”

"$myUser"

You are right. I removed all the quotes and it worked. Thanks.

But now the other issue is that I am running Script 2 as the SYSTEM user. So passing the $BkeyFile and $BCredFile does not help. It says “Error Message = Either the target name is incorrect or the server has rejected the client credentials.” But if I run the same script as the logged-in user, it works.

$FriendlyName = REMOTECOMP

$User = XYZABCD
$BkeyFile = C:\temp\TS\PWDKey.key
$BcredFile = C:\temp\TS\PWDCred.cred

$encrypted = Get-Content $BcredFile | ConvertTo-SecureString -key (Get-Content $BkeyFile)
$mycred = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList $User, $encrypted

Get-ADComputer $FriendlyName -Credential $mycred

How exactly are you running it? Also, you do want to quote the REMOTECOMPUTER string. I wouldn’t have removed any quotes, just replaced with valid quotes.

Added the quote on the RemoteComputer String now.

So these PS1 scripts will be triggered using the local computer account on the remote machine. Since the local computer account does not have access to modify the AD object, we had to pass the credentials. Similar to a Task Scheduler job.

So you’re using task scheduler to run the script? Psexec? WMI process create()?

Not exactly Task Scheduler. So let me explain in detail. We use Microsoft SCCM to image the OS. As the OS image is built, messages are sent from the client to the server. Once a specific message ID is received on the server, we trigger the PowerShell script to modify the AD group of the computer object. By default the script runs as the local computer account [verified by calling $env:UserName]. Since the local computer account does not have permission to modify it, we have to use different credentials. So I am using the above method to see if it works.

If I use the password without encrypting it, it works, like below:

$User = "XYZABCD"

$FriendlyName = "REMOTECOMP"

[string][ValidateNotNullOrEmpty()] $encrypted = "@Password1"

$userPassword = ConvertTo-SecureString -String $encrypted -AsPlainText -Force
$mycred = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList $User, $userPassword

Get-ADComputer $FriendlyName -Credential $mycred

Yeah not sure what is causing your issue. I ran the ps1 as system using psexec and it provided the proper user back.

Test.PS1 saved on the remote PC under c:\temp

$User = "it"
$BkeyFile = "C:\temp\PWDKey.key"
$BcredFile = "C:\temp\PWDCred.cred"

$encrypted = Get-Content $BcredFile | ConvertTo-SecureString -key (Get-Content $BkeyFile)
$mycred = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList "$User", $encrypted
Write-Output $mycred

The PSExec command

PsExec.exe \\win10-dev /s "cmd.exe" "/c whoami && powershell.exe c:\temp\test.ps1"

The output

nt authority\system
UserName Password
-------- --------
it       System.Security.SecureString

Now for your get-adcomputer command to work on the new machine, it will need to have the AD module/cmdlets available. Is that built into your image? If not, how are you handling that?
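
Added example, not part of the original thread or written by any of its posters: with `ConvertFrom-SecureString -Key`, anyone who can read both the key file and the credential file can recover the password, so this sketch creates the two files with typed ASCII quotes, restricts their ACLs to SYSTEM and Administrators, and refuses to rebuild the credential if the ACL is broader. The paths and account name are the thread's placeholders; the function names and the choice of allowed SIDs are assumptions.

```powershell
# Added example; paths and account name are the thread's placeholders.
$KeyFile  = "C:\temp\TS\PWDKey.key"
$CredFile = "C:\temp\TS\PWDCred.cred"
$User     = "XYZABCD"

# Well-known SIDs: LocalSystem and BUILTIN\Administrators (locale-independent).
$AllowedSids = @("S-1-5-18", "S-1-5-32-544")

function New-ProtectedCredentialFiles {
    # 32 random bytes = 256-bit AES key for ConvertFrom-SecureString -Key.
    $key = New-Object Byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    Set-Content -Path $KeyFile -Value $key

    $cred = Get-Credential $User
    $cred.Password | ConvertFrom-SecureString -Key $key | Set-Content -Path $CredFile

    # Drop inherited ACEs and grant access only to SYSTEM and Administrators.
    foreach ($file in $KeyFile, $CredFile) {
        icacls $file /inheritance:r /grant:r "*S-1-5-18:(R)" "*S-1-5-32-544:(F)" | Out-Null
    }
}

function Test-SecretFileAcl([string]$Path) {
    # Returns $true only if every Allow ACE belongs to an allowed SID.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq "Allow" -and $AllowedSids -notcontains $sid) {
            Write-Warning "$Path is accessible to $($ace.IdentityReference)"
            return $false
        }
    }
    return $true
}

function Get-StoredCredential {
    foreach ($file in $KeyFile, $CredFile) {
        if (-not (Test-SecretFileAcl $file)) { throw "Refusing to use ${file}: ACL too broad" }
    }
    [byte[]]$key = Get-Content -Path $KeyFile
    if ($key.Length -ne 32) { throw "Unexpected key length $($key.Length)" }
    $secure = Get-Content -Path $CredFile | ConvertTo-SecureString -Key $key
    New-Object System.Management.Automation.PSCredential -ArgumentList $User, $secure
}
```

File ACLs do not follow a file that is copied to another machine, so the `icacls` step has to be run where the files finally live, in the thread's case the remote device's C:\temp\TS folder.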