PowerShell Get-Credential Cmdlet for Managing Credentials

Published:14 June 2019 - 2 min. read

Credentials are a ubiquitous object in PowerShell. Let’s dive right in and learn how we can use the PowerShell Get-Credential cmdlet and also learn how to create PSCredential objects without getting prompted.

PSCredential objects are a creative way to store and pass credentials to various services securely. Many built-in and third-party cmdlets require PSCredential objects on many different commands.

Using Get-Credential

Typically, to create a PSCredential object, you’d use the Get-Credential cmdlet. The Get-Credential cmdlet is the most common way that PowerShell receives input to create the PSCredential object like the username and password.

Get-Credential
Get-Credential

The Get-Credential cmdlet works fine and all but it’s interactive. There’s no way to seamless pass values to it. Every time it’s run, it will either prompt for the username and password at the console or pop up a dialog box asking for the username and password.

Create a Credential without a Prompt

What if you’re working on an automated script that runs in a scheduled task or part of some more significant automation framework? In this case, there’s no one manning the console to type in a username and password. It’s now time to create a PSCredential object from scratch!

To build a PSCredential object with no interaction first requires encrypting the password. The PSCredential object needs a plain-text username and an encrypted string for the password.

To encrypt a password, you will convert a string to a secure string. You do that by using the ConvertTo-SecureString cmdlet. Pass a plain-text password to this cmdlet, and because it is plain text, we have to use the PlainText and Force parameters as well. PowerShell makes it inadvertently clear that you are passing a plain-text password here for sure.

$password = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force

Once you have a secure string created, it’s now time to build the PSCredential object. To do this, use the New-Object cmdlet defining an object type of System.Management.Automation.PSCredential. The PSCredential class has a constructor that accepts the username and a secure string that we can use by enclosing both in a set of parentheses.

$credential = New-Object System.Management.Automation.PSCredential ('root', $password)

We now have a PSCredential object saved to do whatever we wish. At this point, we can pass the $credential variable to many different commands with a Credential parameter, and it’ll work great. To check to see it was created with the expected username and password, we can reference the UserName property which should display the username you used earlier.

PS> $credential.UserName
root

The password is encrypted, but if you read the password on the same computer and logged in user, you can use the GetNetworkCredential() method to see the password in plain text. Simply append GetNetworkCredential() to the end of the credential object but notice that you won’t immediately see the password.

PS> $credential.GetNetworkCredential()

UserName Domain
-------- ------
root

To see the password, you’ll need to use the Password property on the object that GetNetworkCredential() returns.

PS51> $credential.GetNetworkCredential().Password
MySecretPassword

The password that’s returned should be the same password that you provided early to the PSCredential constructor.

Summary

You can see that creating a PSCredential object without using the Get-Credential cmdlet isn’t too bad at all. In fact, the only task preventing this from being a PowerShell one-liner is just creating the secure string!

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!