I'm looking for a way to generate SecureString passwords for a service account without having to log in directly with that account. Typically, I use Get-Credential along with Read-Host to create these SecureStrings manually by logging in as that service account, but it seems like there might be a more efficient method. Specifically, I need to produce encrypted passwords stored in an XML file that are utilized by a Task Scheduler script to access several FTP servers. I initially tried this method, but it didn't work as expected:
```powershell
$c = Get-Credential -Message "login as the user account running the script"
$sstring = Read-Host "PW to encrypt" -AsSecureString -credential $c
$ssout = ConvertFrom-SecureString $sstring
Set-Clipboard -Value $ssout
Write-Host "The secure string $ssout has been copied to the clipboard"
```
Any suggestions for generating those SecureStrings without having to log in as the service account?
3 Answers
Just a heads-up: SecureStrings are designed to be user and machine-specific. If you try to use them on a different machine or user, you'll run into issues. Therefore, checking out Group Managed Service Accounts (gMSAs) might be a worthwhile option for your scenario.
I totally get where you're coming from about wanting to generate those values without logging in as the service account directly. One way to do this is by setting up a constrained endpoint on your server that runs the scheduled task account. Then, use `Invoke-Command` to execute the password creation remotely, which could save you some hassle.
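The workflow the question describes (produce a DPAPI-protected SecureString for a scheduled task) and the remote approach suggested in the answer above, as an added example that is not code from the question or any answer. It assumes PowerShell Remoting is enabled on the task host, and the account name `CORP\svc-ftp`, the host `ftpjob01`, the sample FTP host `ftp1.example.test` and the path `C:\Scripts\ftp-creds.xml` are all placeholders. The blob that `ConvertFrom-SecureString` produces without `-Key` is DPAPI-protected, so it can only be decrypted by the same user on the same machine; that is why the encryption step has to run as the service account on the machine the task runs on.

```powershell
# Added example (not from the question or answers). Placeholder values:
$ServiceAccount = 'CORP\svc-ftp'            # assumed service account name
$TaskHost       = 'ftpjob01'                # assumed machine running the task
$OutFile        = 'C:\Scripts\ftp-creds.xml' # assumed output path on $TaskHost

# Prompted on the admin workstation. The FTP password never touches disk
# in plain text; it travels to the remote session as a SecureString, which
# the remoting protocol encrypts with the session key.
$runAs = Get-Credential -Message "Credential for $ServiceAccount (runs the remote session)"
$ftpPw = Read-Host -Prompt 'FTP password for ftp1' -AsSecureString

Invoke-Command -ComputerName $TaskHost -Credential $runAs -ScriptBlock {
    param([string]$Path, [securestring]$Pw)

    # This block runs as $ServiceAccount on $TaskHost, so the DPAPI master key
    # used by ConvertFrom-SecureString is the one the scheduled task will have.
    $entry = [pscustomobject]@{
        Server   = 'ftp1.example.test'      # constructed sample FTP host
        User     = 'ftpuser'                # constructed sample FTP user
        Password = ConvertFrom-SecureString -SecureString $Pw
    }

    $dir = Split-Path -Path $Path
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $entry | Export-Clixml -Path $Path

    # The XML only contains a DPAPI blob, but still restrict it to the
    # service account and local administrators (drop inherited ACEs first).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($who in @($me, 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
} -ArgumentList $OutFile, $ftpPw

# --- Consumer side: this is what the scheduled task script does at run time,
# --- running as $ServiceAccount on $TaskHost. Anything else will get a
# --- "Key not valid for use in specified state" style DPAPI error.
$stored  = Import-Clixml -Path 'C:\Scripts\ftp-creds.xml'
$ftpCred = New-Object System.Management.Automation.PSCredential(
    $stored.User, (ConvertTo-SecureString -String $stored.Password))
# $ftpCred.GetNetworkCredential().Password is then handed to the FTP client;
# keep that call inside the function that opens the connection so the plain
# text is not left sitting in a variable.
```

A quick sanity check after generating the file is to run the consumer half under the service account (for example from a one-off scheduled task) and confirm `ConvertTo-SecureString` succeeds; if the task is later moved to another host or a different run-as account, the file has to be regenerated there.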
To create a SecureString, you should consider the fact that they are tied to the user account on the same machine. A more secure method than just converting plain text is to include an Initialization Vector (IV) for enhanced security. However, remember that SecureStrings are not foolproof. You might want to explore alternatives like Group Managed Service Accounts or using Kerberos authentication instead. By avoiding direct credential transmission, you would greatly improve security.
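To make the user/machine binding the answer above refers to concrete, here is an added example (not from any answer) contrasting the DPAPI form of `ConvertFrom-SecureString` with the `-Key` form, which is what actually lets a blob be decrypted by a different user or on another machine. The key file path `C:\Scripts\ftp-creds.key` is an assumed location. The caveat is that the key file becomes the real secret: whoever can read it can read every password encrypted with it, so it needs the same access control as a plain-text password would.

```powershell
# Added example (not from the question or answers). Assumed key file location:
$KeyFile = 'C:\Scripts\ftp-creds.key'

# Helper: read a SecureString back out for comparison only, zeroing the
# unmanaged copy afterwards. Do not log or persist the result.
function ConvertFrom-SecureToPlain {
    param([Parameter(Mandatory)][securestring]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# 1. Generate a 256-bit AES key once. RandomNumberGenerator works on both
#    Windows PowerShell 5.1 (.NET Framework) and PowerShell 7 (.NET).
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()
[System.IO.File]::WriteAllBytes($KeyFile, $key)

# 2. Encrypt the same password both ways.
$pw      = Read-Host -Prompt 'FTP password' -AsSecureString
$blobDp  = ConvertFrom-SecureString -SecureString $pw           # DPAPI: bound to user + machine
$blobKey = ConvertFrom-SecureString -SecureString $pw -Key $key  # AES: portable, bound to the key

# 3. Decrypt. The keyed blob needs only the key bytes; the DPAPI blob needs
#    the same user profile on the same machine. Mixing them fails.
$keyBack = [System.IO.File]::ReadAllBytes($KeyFile)
$fromKey = ConvertTo-SecureString -String $blobKey -Key $keyBack
$fromDp  = ConvertTo-SecureString -String $blobDp

$original = ConvertFrom-SecureToPlain -Secure $pw
if ((ConvertFrom-SecureToPlain -Secure $fromKey) -ne $original) { throw 'keyed round trip failed' }
if ((ConvertFrom-SecureToPlain -Secure $fromDp)  -ne $original) { throw 'DPAPI round trip failed' }

try {
    # A DPAPI blob is not in the keyed format, so this is expected to error.
    ConvertTo-SecureString -String $blobDp -Key $keyBack | Out-Null
    throw 'unexpected: DPAPI blob decrypted with an AES key'
} catch [System.Management.Automation.PSInvalidOperationException], [System.FormatException] {
    Write-Host 'As expected, the DPAPI blob cannot be opened with -Key.'
}

# 4. Lock the key file down to the service account and administrators.
#    Without this step the key next to the XML is no better than plain text.
$acl = Get-Acl -Path $KeyFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($who in @('CORP\svc-ftp', 'BUILTIN\Administrators')) {   # 'CORP\svc-ftp' is a placeholder
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')))
}
Set-Acl -Path $KeyFile -AclObject $acl
```

With the `-Key` form, the encryption can be done on an admin workstation and the XML copied to the task host, but the key file has to be delivered to that host separately and must not be readable by anyone other than the task's run-as account; if that is hard to guarantee, the DPAPI form generated under the service account itself, or a vault, is the safer choice.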
Going the route of certificates could definitely be smarter. Having your private key managed at a Certificate Authority would be much safer than safeguarding a 16-byte array.
Also, you could consider pulling the passwords from a secure vault instead. Managing access through a vault that a service account can access is a good compromise.