unencryptedCredentials.ps1
# Interactively prompt the operator for a credential.
# Because the ConfigurationData below sets PSDscAllowPlainTextPassword, this
# prompted password is written to the compiled MOF unencrypted as well.
$promptedCreds = Get-Credential -Message "Please enter your credentials to generate a DSC MOF:"
# A literal password kept in the script itself: readable here, and after
# compilation readable again in the MOF.
$username = "badIdea"
$password = ConvertTo-SecureString -String "ThisIsAPlaintextPassword" -AsPlainText -Force
[PSCredential] $credential = New-Object System.Management.Automation.PSCredential($username, $password)
# DSC will not compile a credential into a MOF unless the node opts in with
# PSDscAllowPlainTextPassword. The opt-in below sits under the wildcard
# NodeName "*", so it applies to every node listed in AllNodes.
# (Per-node CertificateFile/Thumbprint entries are the alternative that keeps
# credentials encrypted in the MOF.)
$ConfigurationData = @{
    AllNodes = @(
        # "*" merges these properties into every listed node, so the opt-in
        # does not have to be repeated per node.
        @{
            NodeName                    = "*"
            PSDscAllowPlainTextPassword = $true
        },
        # The wildcard only has an effect on nodes that are declared explicitly.
        @{
            NodeName = "testMachine1"
        },
        # Node-specific properties, read via $Node inside the configuration.
        # A literal password here is just as exposed as one in the script body.
        @{
            NodeName  = "testMachine2"
            UserName  = "zach"
            LocalPass = "ThisIsYetAnotherPlaintextPassword"
        }
    )
}
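# Compiles one MOF per node. Every credential referenced below lands in the
# MOF unencrypted because the ConfigurationData opts in with
# PSDscAllowPlainTextPassword.
# Reads the script-scope $username, $credential and $promptedCreds, plus the
# per-node properties exposed through the automatic $Node variable.
configuration unencryptedPasswordDemo
{
    Node "testMachine1"
    {
        # Create the local account from the literal credential defined above.
        User zach
        {
            UserName               = $username
            Password               = $credential
            Description            = "local account"
            Ensure                 = "Present"
            Disabled               = $false
            PasswordNeverExpires   = $true
            PasswordChangeRequired = $false
        }

        # Add that account to the local Administrators group, authenticating
        # with the credential the operator was prompted for.
        Group addToAdmin
        {
            # The account must exist before it can be made a group member.
            DependsOn        = "[User]zach"
            Credential       = $promptedCreds
            GroupName        = "Administrators"
            Ensure           = "Present"
            # The User resource above creates $username ("badIdea"), so the
            # member added must be the same name; the original literal "zach"
            # named an account this node never creates.
            MembersToInclude = $username
        }

        Log test
        {
            Message = "hi"
        }
    }

    Node "testMachine2"
    {
        # Build this node's credential from its own ConfigurationData entry.
        # These assignments shadow the script-scope $password/$username for the
        # remainder of the configuration body.
        $password = $Node.LocalPass | ConvertTo-SecureString -AsPlainText -Force
        $username = $Node.UserName
        [PSCredential] $nodeCred = New-Object System.Management.Automation.PSCredential($username, $password)

        User zach
        {
            UserName               = $username
            Password               = $nodeCred
            Description            = "local account"
            Ensure                 = "Present"
            Disabled               = $false
            PasswordNeverExpires   = $true
            PasswordChangeRequired = $false
        }

        Group addToAdmin
        {
            # The original referenced $domain, which is never defined in this
            # file and therefore passed a $null credential. Use the prompted
            # credential, matching the testMachine1 node.
            Credential       = $promptedCreds
            GroupName        = "Administrators"
            DependsOn        = "[User]zach"
            Ensure           = "Present"
            MembersToInclude = $username
        }

        Log test
        {
            Message = "hi"
        }
    }
}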
# Compile: calling the configuration with the ConfigurationData hashtable
# emits one MOF per node into ./unencryptedPasswordDemo.
unencryptedPasswordDemo -ConfigurationData $ConfigurationData

# Push the MOFs to the named machines.
#   -Wait    run in the foreground (no job) until the LCM has finished
#   -Verbose show progress and surface any resource errors
#   -Force   testing convenience: do not block on a configuration that is
#            still running from a previous invocation
Start-DscConfiguration -Path ./unencryptedPasswordDemo -Verbose -Wait -Force