Skip to content

Credentials

Get-Credential

As a best practice, administrators should have two user accounts. Each administrator should have a standard user account that's used for day-to-day activity and a second account with administrative permissions. Separating these roles helps to avoid accidental damage to computer systems and limits the potential effects of malware. The Get-Credential cmdlet can help you use the administrative account while you're still signed in to a standard user account.

One way to elevate privileges when you run a script is to use the Run as administrator option when you open the Windows PowerShell prompt. If you use Run as administrator, you're prompted for credentials. So, all actions performed at that Windows PowerShell prompt use the credentials provided.

As an alternative to using Run as administrator for running a script, you can have your script prompt for credentials instead. Many Windows PowerShell cmdlets allow an alternate set of credentials to be provided. That way, the credentials that the script obtains can be used to run individual commands in the script. You can prompt for credentials by using Get-Credential. The syntax for using the Get-Credential cmdlet is:

$cred = Get-Credential
Set-ADUser -Identity $user -Department "Marketing" -Credential $cred

Storing Credentials

By Using Export-Clixml

You can store credentials to a file for later reuse without being prompted for credentials. To store credentials to a file, you use Export-Clixml. For a credential object, Export-Clixml encrypts the credential object before storing it in an XML file. Use the following syntax to store a credential object to a file.

$cred | Export-Clixml C:\cred.xml

The encryption used by Export-Clixml is user-specific and computer-specific. That means that if you store the encrypted credentials, only you can retrieve the encrypted credentials and only on the computer you originally used to store them. This action helps keep the credentials secure, but it also means that they can't be shared with other users.

By Using The SecretManagement Module

Microsoft has released the SecretManagement module that you can use to store and retrieve credentials. This method works better for storing credentials that can be shared among multiple users and computers. The cmdlets included in the SecretManagement module can access credentials from multiple secret vaults.

Some well-known vaults are:

  • KeePass
  • LastPass
  • CredMan
  • Azure KeyVault

The SecretManagement module is available in the PowerShell Gallery. You can install the SecretManagement module by running the following command:

Install-Module Microsoft.PowerShell.SecretManagement

Microsoft also provides the SecretStore module that you can use to create a local secret vault for storing credentials. However, similar to using Export-Clixml, the vault is stored on the local machine and in the current user context.