I'm working with Keeper PAM to update the password for a service account in Active Directory, and after I rotate the password, I need to run a script. This script, which also runs under the same service account, should update its entry in Windows Credential Manager on a remote server. I'm still learning PowerShell, and I've tried several methods like Invoke-Command, CredSSP-based connections, and others, but they seem to fail because remote sessions use a 'network' logon, preventing me from creating or updating Generic Credentials. I'm looking for a way to perform an interactive logon or automate the credential update without relying on scheduled tasks or hardcoded admin passwords. Any suggestions?
5 Answers
You might want to explore whether using Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) could help your situation. These accounts are specifically designed for scenarios like this, balancing security with automation.
Have you considered using a Scheduled Task that can interact with the credential store? This might allow you to fetch the new password and update the connection manually when needed.
Just a heads up: `Enter-PSSession` is meant for interactive sessions and won't work as expected in scripts. Instead, you should stick with `Invoke-Command` for executing commands on a remote target.
I'm not sure about the specific credential manager module, but remember that entering a PSSession won't carry over your local variables. You might want to use the `$using` scope to access them properly. It could also be handy to pass the entire record object as a parameter to `Invoke-Command`. Check this out:
```powershell
# $using: pulls the local variables into the remote session's scope.
Invoke-Command -ComputerName $ComputerName -Credential $credential {
    # Creates (or overwrites) the Generic credential on the remote host.
    New-StoredCredential -Target $using:domainUser -UserName $using:domainUser -Password $using:newPassword -Type 'Generic' -Persist 'Enterprise'
}
```
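Putting the two ideas from this answer together, passing the whole record as one parameter and then reading the entry back so the rotation script can tell whether the write actually succeeded under the remote logon. This is an added example, not code from the original post; it assumes the community CredentialManager module (New-StoredCredential / Get-StoredCredential) is installed on the remote host and that $ComputerName, $credential, $domainUser and $newPassword are already populated by the rotation script.

```powershell
# Added example (not from the original post). Assumes the CredentialManager
# module is installed remotely and that $ComputerName, $credential,
# $domainUser and $newPassword are already set by the rotation script.

# Bundle the record into one object so it travels as a single
# -ArgumentList item instead of several $using: references.
$record = [pscustomobject]@{
    Target   = $domainUser      # Credential Manager "Internet or network address"
    UserName = $domainUser
    Password = $newPassword     # plain-text string as handed over by the rotation script
}

$result = Invoke-Command -ComputerName $ComputerName -Credential $credential -ArgumentList $record -ScriptBlock {
    param($rec)   # receives the object passed via -ArgumentList

    try {
        # Create or overwrite the Generic credential under the remote session's logon.
        New-StoredCredential -Target $rec.Target -UserName $rec.UserName `
            -Password $rec.Password -Type Generic -Persist Enterprise | Out-Null

        # Read it back so the caller can confirm the update really landed.
        $stored = Get-StoredCredential -Target $rec.Target
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Updated  = ($null -ne $stored -and $stored.UserName -eq $rec.UserName)
            Error    = $null
        }
    }
    catch {
        # A session whose logon type cannot write to the store ends up here.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Updated  = $false
            Error    = $_.Exception.Message
        }
    }
}

# Fail loudly so the rotation job does not report success on a silent miss.
if (-not $result.Updated) {
    throw "Credential update on $($result.Computer) failed: $($result.Error)"
}
```

Checking `Updated` rather than trusting the absence of an error is what surfaces the network-logon case described in the question.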
It sounds like you're dealing with a common double-hop authentication issue. There are others in this forum who have tackled similar problems before, so you might find some helpful insights in previous discussions.
True, but keep in mind that they might not fit every use case. They really simplify things when applicable!