Huddled Masses » Credentials http://huddledmasses.org You can do more than breathe for free... Sat, 28 Jan 2012 21:37:20 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Using alternate credentials with the FileSystem in PowerShell http://huddledmasses.org/using-alternate-credentials-with-the-filesystem-in-powershell/ http://huddledmasses.org/using-alternate-credentials-with-the-filesystem-in-powershell/#comments Fri, 21 May 2010 04:53:55 +0000 Joel 'Jaykul' Bennett http://huddledmasses.org/?p=1478 In PowerShell, cmdlets like Get-ChildItem and Get-Content support a -Credential parameter so you can access resources that require you to log in… the problem is that the built-in FileSystem provider does not. So as an example, if you have a server on a different domain and you want to copy files off of it, you can’t do this:

$cred = Get-Credential
Copy-Item \Server\Share\Folder\*.log C:\Logs -Credential $cred

That will throw an error: “Cannot retrieve the dynamic parameters for the cmdlet. The provider does not support the use of credentials. Perform the operation again without specifying credentials.”

Impersonation

To solve this problem at work, I’ve written an impersonation module. It basically has two methods: Push-ImpersonationContext and Pop-ImpersonationContext. There is one catch: you need to be running in single-threaded apartment mode for it to work, because the impersonation only affects the current thread (if you’re not running PowerShell.exe -STA, your commands execute on a thread pool, so you never know from one to the next what thread you’ll be on). In any case, you use it like this:

$cred = Get-Credential
Push-ImpersonationContext $cred
Copy-Item \Server\Share\Folder\*.log C:\Logs
Pop-ImpersonationContext
 

It’s really very simple, and works great for when you need to access resources across multiple domains. Particularly files, for which PowerShell doesn’t support alternate credentials at all. :( Anyway the module code is on PoshCode, save it to your Documents\WindowsPowerShell\Modules\Impersonation\Impersonation.psm1 and use Import-Module Impersonation to load it. Here you go:

Reblog this post [with Zemanta]
]]> http://huddledmasses.org/using-alternate-credentials-with-the-filesystem-in-powershell/feed/ 0 A Better Get-Credential in one line of code http://huddledmasses.org/a-better-get-credential-in-one-line-of-code/ http://huddledmasses.org/a-better-get-credential-in-one-line-of-code/#comments Mon, 17 Nov 2008 21:14:54 +0000 Joel 'Jaykul' Bennett http://huddledmasses.org/a-better-get-credential-in-one-line-of-code/ For too long I have ignored the deficiencies in Get-Credential, so now I am going to fix them. Ready?


function Get-Credential($caption,$msg,$domain,$name){$Host.UI.PromptForCredential($caption,$msg,$name,$domain)}

Ok, that’s better than the default, whew! ;) At least you can specify the prompt text and the domain and default user name … but there are so many other options that are missing from that dialog —like remembering my credentials for goodness sakes. I know many places forbid using the “remember” option for credentials, but why is that decision not up to me?

Well, I can’t make all of those options appear (at least, not without compiling a pinvoke function to call the Win32 API) nor can I force PowerShell to use the new Vista/2008 Credential function (which is Common Criteria compliant in Vista) instead of the older CredUIPromptForCredentials ... but I can give you the most requested feature for Get-Credential: a -Console option to force the prompt to happen in the console instead of in a “CredUI” pop up.

[new] Note: I kind-of messed up here, this will break if you’re used to using the -Credential parameter for Get-Credential to provide a default user name. I’ll fix it shortly.

]]> http://huddledmasses.org/a-better-get-credential-in-one-line-of-code/feed/ 0