After a week of struggling with a domain-join problem, I finally solved it today and want to share the process.
Last week, users complained to my manager that whenever their VM test environment is reverted, the machine has to be re-joined to the domain. Only my account has the permission to join the domain, and I have not delegated that permission to other accounts. Obviously, if I take a day off or am out of the office, users should not be left waiting. Having me type the password manually affects user productivity, so I looked for a way to solve this problem.
Scenario One: Convert the .bat script to an .exe executable file
The first approach came from a former colleague: the netdom command used earlier to join the domain was written into a bat file, and then a free tool called "Bat_to_exe_converter" was used to convert the bat into an exe file, to hide the plaintext displayed in the bat.
Testing on a few machines went relatively smoothly, but I personally feel that the converted EXE files are sometimes not so reliable. Since Microsoft provides PowerShell commands that can be put to good use here, I started down the PowerShell road.
Before I start, here is the domain-join command from the bat file.
    @echo off
    echo You login account: %username%
    echo Start joindomain...
    netdom join %computername% /domain:contoso.com /userd:contoso.com\jason /passwordd:[email protected]
    echo.
    pause
Scenario Two: PowerShell encrypted credentials
I had only brief encounters with PowerShell before, for things like users and computers, and I was not very familiar with PowerShell as a whole. So it took a few days of going through all kinds of documents.
The core idea is to encrypt the plaintext password before using it, and to be able to decrypt it across computers and users.
My PowerShell code is posted below for ease of understanding.
I have two VMs in my environment.
PC1: SHSV2018
PC2: SHSV2019
First I set up a shared folder on PC1 with read permission for Everyone. It stores the encrypted password file, which is named Password.txt.
The encryption code uses 128-bit AES encryption. It encrypts a plaintext password and saves the file to PC1.
    $File = "\\SHSV2018\SharePath\Password.txt"
    [byte[]] $key = (1..16)
    $Password = "[email protected]" | ConvertTo-SecureString -AsPlainText -Force
    $Password | ConvertFrom-SecureString -Key $key | Out-File $File
Accessing the encrypted password file from PC1
    $File = "\\SHSV2018\SharePath\Password.txt"
    [byte[]] $key = (1..16)
    Get-Content $File | ConvertTo-SecureString -Key $key
Accessing the encrypted password file from PC2
    $File = "\\SHSV2018\SharePath\Password.txt"
    [byte[]] $key = (1..16)
    Get-Content $File | ConvertTo-SecureString -Key $key
As the two runs above show, remote access to the encrypted file and decryption have both been implemented successfully. The next step is the complete domain-join process.
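    # Encrypted password file on the PC1 share, and the AES key used to encrypt it
    $File = "\\SHSV2018\SharePath\Password.txt"
    [byte[]] $key = (1..16)
    # Decrypt the stored string back into a SecureString
    $encpasswd = Get-Content $File
    $ss = ConvertTo-SecureString -String $encpasswd -Key $key
    # Build the credential and join the domain
    $cred = New-Object System.Management.Automation.PSCredential 'contoso\jason', $ss
    Add-Computer -DomainName contoso.com -Credential $cred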
Save the entire code as ADDJOINDOMAIN.PS1, then right-click the file and select "Run with PowerShell" to execute it and perform the domain join.
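The AES key is what actually protects Password.txt: with the fixed (1..16) key written into the script, anyone who can read both the script and the share can recover the password. The following added example (not from the original post) runs the same encrypt/decrypt round trip with a randomly generated key kept in its own access-restricted file; the temp directory, the aes.key file name, the sample password and the Get-StoredCredential helper are assumptions made for illustration.

```powershell
# Added example: all values are constructed; files live under the temp directory.
$dir      = Join-Path ([IO.Path]::GetTempPath()) 'joindomain-demo'
$keyFile  = Join-Path $dir 'aes.key'        # hypothetical key file name
$passFile = Join-Path $dir 'Password.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Generate a random 128-bit key instead of the predictable (1..16).
$key = New-Object byte[] 16
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()
[IO.File]::WriteAllBytes($keyFile, $key)

# 2. Restrict the key file to the current account (Windows; icacls is built in).
icacls $keyFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

# 3. Encrypt a constructed sample password with that key.
$plain = 'Constructed-Sample-Pw-1'
ConvertTo-SecureString $plain -AsPlainText -Force |
    ConvertFrom-SecureString -Key $key |
    Out-File $passFile

# 4. Rebuild the credential from the two files (hypothetical helper).
function Get-StoredCredential {
    param([string]$UserName, [string]$PasswordPath, [string]$KeyPath)
    $k  = [IO.File]::ReadAllBytes($KeyPath)
    $ss = Get-Content $PasswordPath | ConvertTo-SecureString -Key $k
    New-Object System.Management.Automation.PSCredential $UserName, $ss
}
$cred = Get-StoredCredential -UserName 'contoso\jason' `
    -PasswordPath $passFile -KeyPath $keyFile

# 5. Whoever holds key + file also holds the plaintext, so the key
#    needs the same protection as the password itself.
$recovered = $cred.GetNetworkCredential().Password
"Round trip matches: $($recovered -eq $plain)"

# Clean up the demo files.
Remove-Item $dir -Recurse -Force
```

In the join script, `$cred` from step 4 would be passed to Add-Computer exactly as in the code above.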
For more on the PowerShell encryption process, refer to the following article.
http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-1/
PowerShell automates domain join and encrypts credentials