BigDaddyO Posted November 28, 2017

I'm working on a script that will allow me to split up some spreadsheets that drive an automation script into 4 pieces, then it will execute RDP sessions into 4 other systems. Those 4 systems have the script set to launch on startup, and so far it's working well, but the problem is that the scripts need to log into some production systems which require user IDs, passwords, and some other info passed to them in order to log in and run. I'm thinking about creating an .ini file on a network share to store/share the info, but I need to encrypt/decrypt the creds. Is there some way to generate a custom encryption key that will only generate if logged in with a specific AD account, so I can generate the key on any system as long as I'm logged in with the same account? Different people may launch this, so it has to be keyed to whoever is launching it. If anyone has some other method to securely pass credentials/info to remote scripts that would be better, I'd love to hear it.

Thanks,
Mike
junkew Posted November 28, 2017

https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication
orbs Posted November 29, 2017

@BigDaddyO, taking your description literally, it cannot be done. You cannot give a user permission to execute the script and read the credentials source, but deny the ability to uncover the credentials. However, it is possible if you define your scenario properly. For an adequate solution, the following conditions must be considered:

1) Is your script desktop-oriented, or can it execute in the background (headless)? If it is desktop-oriented, can it be converted to work headless?
2) Does the user (person) executing your script also need to interact with it?
3) Does your script work differently for each user? Do you need to log who is the user executing your script?
4) How heterogeneous are those production systems? E.g. are they all Windows-based? In the same AD domain?

Offhand I'd say, in a simple scenario, you can schedule your script to execute at startup with a dedicated AD account that has access to the credentials data (or has the credentials stored in its Credential Manager). Define your scenario properly, and you may get better suggestions.
BigDaddyO Posted November 29, 2017

KeePass can somehow link itself to an AD account so only if you are logged in with the AD account can you open that database. That's what I wanted to do with the encrypted ini file. For now, I'm using the user's AD SID as the key with _Crypt_EncryptData to encrypt the values I store in the INI on the network. I'm also encrypting the actual .ini file, so when it decrypts the file it will go to the local temp folder, not the network share.
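Editor's note on the approach above, with an added example that is not from the thread or from any poster: the Windows facility that ties a key to the logged-on account is DPAPI (CryptProtectData in crypt32.dll, the same call an AutoIt script would reach via DllCall, or the .NET ProtectedData wrapper used here). A user-scoped DPAPI blob is encrypted under a master key derived from the user's logon credential, so the secret never appears in the script, the INI, or the SID, which is public information anyone on the domain can look up. Two caveats a practitioner should know: the blob can only be unprotected where that user's DPAPI master key is available (the same machine, or another domain machine that carries the user's roaming profile), and any process running as that user can unprotect it, which is the limit orbs describes. The file path, INI keys and entropy tag below are assumptions for illustration; the credentials are prompted for, not hard-coded.

```powershell
# Added example (not from the original thread): protect an INI value with DPAPI,
# user scope, so that only the same Windows/AD account can read it back.
Add-Type -AssemblyName System.Security

# Assumption: illustrative path and INI layout; the real share/file is whatever the script uses.
$IniPath = Join-Path $env:TEMP 'automation-creds.ini'
# Optional entropy: an extra value mixed into the key so an unrelated program running
# as the same user still needs to know this tag. Assumed constant for this example.
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('automation-ini-v1')

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Base64)
    # Throws CryptographicException when run by a different user or on a machine
    # that does not hold this user's DPAPI master key; let the caller decide what to do.
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Base64), $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Read-IniSection {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Section)
    $result = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*([^=;]+?)\s*=\s*(.*)$') { $result[$matches[1]] = $matches[2] }
    }
    return $result
}

# --- Writer side: the person launching the job enters the production credential once.
$cred = Get-Credential -Message 'Production account used by the automation'
@"
[prod]
user=$($cred.UserName)
pass=$(Protect-Secret -PlainText $cred.GetNetworkCredential().Password)
"@ | Set-Content -Path $IniPath -Encoding UTF8

# --- Reader side: the remote script, running as the same account, unprotects the value.
$prod = Read-IniSection -Path $IniPath -Section 'prod'
try {
    $securePass = ConvertTo-SecureString -String (Unprotect-Secret -Base64 $prod['pass']) -AsPlainText -Force
    $prodCred   = New-Object System.Management.Automation.PSCredential ($prod['user'], $securePass)
    # $prodCred is now usable by the automation; the plaintext never touched the share.
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Error "Credential blob was not protected for this user on this machine: $($_.Exception.Message)"
}
```

Because the blob is bound to the user rather than to the machine, the practical pattern for the four RDP targets is either to run the startup script under one dedicated automation account with a roaming profile, or to protect the INI once on each target under that account, which is the same direction as the Credential Manager suggestion above.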
Juvigy Posted November 29, 2017

You can hard-code the AD accounts and allow your script to be run only from that list of AD accounts. Then you won't need anything else!