Question:
Trying is use cmdkey in a PowerShell logon script to store credentials in the credential manager. When the script is run from PowerShell ISE everything works, but when it’s run as a logon script via Group Policy everything but cmdkey works. Cannot for the life of me figure out why cmdkey will work everywhere except when the script run on logon.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
# Checks if CRM for Outlook is isntalled by checking the folder path $installed = Test-Path "C:\Program Files (x86)\Microsoft Dynamics CRM" # Checks if the CRM has already been configured using the CoreConfigured registry entry $configured = Get-ItemProperty -Path HKCU:\software\Microsoft\MSCRMClient -Name "CoreConfigured" # If CRM is installed and not configured, configure it, if CRM is not installed or installed and configured, exit If ($installed -eq "True" -and $configured.CoreConfigured -ne 1) { $message1 = New-object -ComObject Wscript.Shell $message1.Popup("Preparing to configure Microsoft CRM for Outlook, please make sure Outlook is closed.",10,"Systems") # Prompts user for email address and Password to configure CRM for Outlook $c = Get-Credential -Message "To confgiure CRM, please enter your email address and password:" # puts user credentials into Windows Credential Manager using required CRM URLs cmdkey /generic:Microsoft_CRM_https://disco.crm.dynamics.com/ /user: $c.Username /pass: $c.Password | Out-Null cmdkey /generic:Microsoft_CRM_https://disco.crm4.dynamics.com/ /user: $c.Username /pass: $c.Password | Out-Null $message2 = New-Object -ComObject Wscript.Shell $message2.Popup("Please wait, a notification will appear when the configuration is complete.",10,"Systems") # Silenty runs the CRM configuration Wizard with custom XML file $exe = "C:\Program Files (x86)\Microsoft Dynamics CRM\Client\ConfigWizard\Microsoft.Crm.Application.Outlook.ConfigWizard.exe" &$exe -p /Q /i 'C:\Program Files (x86)\Microsoft Dynamics CRM\Default_Client_Config.xml' /xa /l 'c:\temp\crminstall.txt' | Out-Null $message3 = New-Object -ComObject Wscript.Shell $message3.Popup("Configuration complete! You may now open Outlook!",10,"Systems") } else { exit } |
Answer:
I imagine cmdkey is using Microsoft’s Data Protection API (DPAPI) to encrypt credentials so only the current user can retrieve them. You can’t use this API unless the user’s session is loaded. When your script runs, it may be too early in the logon process for the security information the DPAPI needs is loaded. I’m not sure how logon scripts work, but try putting a delay in your logon script until you get a value back.
Here’s the PowerShell code that encrypts with the DPAPI:
|
1 2 3 4 |
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser $encryptedBytes = [Security.Cryptography.ProtectedData]::Protect( $plainBytes, $null, $scope ) $decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect( $encryptedBytes, $null, 0 ) |
Add a loop in your logn script that tries to encrypt/decrypt some random array of bytes until it succeeds.