Cmdkey in PowerShell not working when run as a login script?

I'm trying to use cmdkey in a PowerShell logon script to store credentials in Credential Manager. When the script is run from PowerShell ISE everything works, but when it is run as a logon script via Group Policy everything works except cmdkey. I can't for the life of me figure out why cmdkey works everywhere except when the script is run at login.

# Checks if CRM for Outlook is installed by checking the folder path
$installed = Test-Path "C:\Program Files (x86)\Microsoft Dynamics CRM"
# Checks if the CRM has already been configured using the CoreConfigured registry entry
# (SilentlyContinue: the key or value does not exist before the first configuration)
$configured = Get-ItemProperty -Path HKCU:\software\Microsoft\MSCRMClient -Name "CoreConfigured" -ErrorAction SilentlyContinue

# If CRM is installed and not configured, configure it; if CRM is not installed, or installed and configured, exit
If ($installed -and $configured.CoreConfigured -ne 1) {

    $message1 = New-Object -ComObject Wscript.Shell
    $message1.Popup("Preparing to configure Microsoft CRM for Outlook, please make sure Outlook is closed.",10,"Systems")

    # Prompts user for email address and password to configure CRM for Outlook
    $c = Get-Credential -Message "To configure CRM, please enter your email address and password:"

    # Puts user credentials into Windows Credential Manager using required CRM URLs.
    # cmdkey expects /user:<name> and /pass:<password> as single arguments, and
    # $c.Password is a SecureString, so the plaintext is read via GetNetworkCredential().
    $user = $c.UserName
    $pass = $c.GetNetworkCredential().Password
    cmdkey /generic:Microsoft_CRM_https://disco.crm.dynamics.com/ /user:$user /pass:$pass | Out-Null
    cmdkey /generic:Microsoft_CRM_https://disco.crm4.dynamics.com/ /user:$user /pass:$pass | Out-Null


    $message2 = New-Object -ComObject Wscript.Shell
    $message2.Popup("Please wait, a notification will appear when the configuration is complete.",10,"Systems")

    # Silently runs the CRM configuration wizard with custom XML file
    $exe = "C:\Program Files (x86)\Microsoft Dynamics CRM\Client\ConfigWizard\Microsoft.Crm.Application.Outlook.ConfigWizard.exe"
    & $exe -p /Q /i 'C:\Program Files (x86)\Microsoft Dynamics CRM\Default_Client_Config.xml' /xa /l 'c:\temp\crminstall.txt' | Out-Null

    $message3 = New-Object -ComObject Wscript.Shell
    $message3.Popup("Configuration complete! You may now open Outlook!",10,"Systems")

}
else {
    exit
}

      

+3




3 answers


I am assuming that cmdkey uses the Microsoft Data Protection API (DPAPI) to encrypt credentials, so only the current user can get them. You cannot use this API if no user session is loaded. When your script runs, it might be too early in the login process for the security information DPAPI needs. I'm not sure how the login scripts work, but try putting a delay in your login script until you return a value.

Here's the PowerShell code that encrypts with DPAPI:



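Add-Type -AssemblyName System.Security   # ProtectedData is defined in System.Security.dll
$plainBytes = [Text.Encoding]::UTF8.GetBytes("test")   # sample input
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser
$encryptedBytes = [Security.Cryptography.ProtectedData]::Protect( $plainBytes, $null, $scope )
$decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect( $encryptedBytes, $null, $scope )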

      

Add a loop to your login script that tries to encrypt/decrypt some random byte array until it succeeds.

0




I had the same problem: cmdkey was not working in PowerShell when run as a user login script.

In my case, the problem was related to user group membership. The user was a member of the Power Users group, but not a member of the Users group (or any other group).



According to this article from Microsoft, the Power Users group has “default user rights” and the Users group has rights to “perform general tasks such as launching applications, using local and network printers”.

The solution was to add the user(s) to the Users group. This fixed the issue immediately and allowed cmdkey to work in PowerShell login scripts.

+1




I had the same issue with a PowerShell GPO login script calling cmdkey.exe. Credentials were populated in Credential Manager for users, but credentials for administrators did not appear. I found out that the credentials are stored in Credential Manager, but for an elevated user. If you run cmdkey /list in an elevated command prompt, you will see the credentials.

0
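
The three answers above each point at a different property of the logon context: whether DPAPI is usable yet, whether the user is in the Users group, and whether the script runs with an elevated token. The following is an added example, not part of any of the posts, that records all three before cmdkey is called; the function names and the log path are hypothetical.

```powershell
# Added example: function names and the log path are hypothetical.
Add-Type -AssemblyName System.Security   # ProtectedData (managed DPAPI wrapper)

function Test-DpapiReady {
    # Round-trips a random buffer through DPAPI (CurrentUser scope) until it
    # succeeds or the timeout expires, as the first answer suggests.
    param([int]$TimeoutSeconds = 60, [int]$DelaySeconds = 2)
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $plain = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($plain)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        try {
            $enc = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
            $dec = [System.Security.Cryptography.ProtectedData]::Unprotect($enc, $null, $scope)
            if ([Convert]::ToBase64String($dec) -eq [Convert]::ToBase64String($plain)) {
                return $true
            }
        } catch {
            # Protect/Unprotect threw: DPAPI is not usable in this session yet
        }
        Start-Sleep -Seconds $DelaySeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Get-LogonContext {
    # Identity, elevation and group membership of the token the script runs under.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $role = [System.Security.Principal.WindowsBuiltInRole]
    [pscustomobject]@{
        Time       = Get-Date -Format o
        User       = $id.Name
        IsElevated = $principal.IsInRole($role::Administrator)   # third answer
        InUsers    = $principal.IsInRole($role::User)            # second answer
        DpapiReady = Test-DpapiReady                             # first answer
    }
}

$ctx = Get-LogonContext
$ctx | Format-List | Out-String | Add-Content -Path "$env:TEMP\cmdkey-logon-diag.log"
if (-not $ctx.DpapiReady) {
    Write-Warning "DPAPI round trip never succeeded; skipping cmdkey."
}
```

Running it once from PowerShell ISE and once from the Group Policy logon script gives two log entries whose differences show which of the three conditions changes at logon.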








