
Shopping for Credentials with Cmdkey.exe

A lot of my work is done from a standalone computer, in other words one that doesn’t belong to a domain. But, I often need to access things in my test lab domain. If it is PowerShell related, I can often get by using a –Credential parameter if the cmdlet I want to use happens to support it. In other situations, applying alternate credentials can be tedious. But there is a useful command-line tool that makes it easy to shop for the credentials you need. I’m pretty sure there is a graphical alternative, but the command line is so much faster.

The utility in question is called cmdkey.exe. You can even run it in PowerShell. Because this is a command-line tool, you’ll need to learn its syntax.

Cmdkey /?
Syntax information for cmdkey.exe. (Image Credit: Jeff Hicks)

Let me show you how you might use it in a domain environment. I’m sure you are familiar with the principle of least privilege, which should apply to domain administrators as well. The account you log on with and run your daily work under should be a non-privileged account, just like any other user account. You should then have a separate domain admin account that can be tied to you.

Personally, I don’t think anyone should use the administrator account. Even with logging, it is next to impossible to know who used it. Was it John or Jane? Or was it someone unauthorized? Instead, create domain admin accounts with names like da_john and da_jane, something that indicates who the domain admin account belongs to. Now I can have a meaningful audit trail, and if I see the administrator account in use, then I know there is a problem because nobody should be using it.


Here’s where cmdkey can come in handy. In my domain, there is a user Jack Frost. He has a non-privileged account (jfrost) as well as a domain admin account (da_jack). Right now, Jack has no credentials stored.

Jack Frost has no credentials. (Image Credit: Jeff Hicks)

In PowerShell, if he tries an operation that requires admin privileges, it will fail, unless he uses his domain admin credential.

Jack Frost has attempted to run an operation that requires admin privileges. (Image Credit: Jeff Hicks)

On one hand, it may not be that big a deal to specify the credential. In fact, beginning with PowerShell 3.0, he could even set a default parameter value so that any cmdlet that had a –Credential parameter would use the domain account.

$cred = Get-Credential globomantics\da_jack
$PSDefaultParameterValues['*:Credential'] = $cred

Now any command with –Credential will use this value. But this doesn’t help for everything else.

This is where cmdkey is a real timesaver. Jack can add an entry to his credential store for the server chi-fp02. Run cmdkey /add /? to see all the options.

Cmdkey /add:chi-fp02 /user:globomantics\da_jack /pass
The credential has been added successfully. (Image Credit: Jeff Hicks)

I also could have entered the password as part of the cmdkey command.

Cmdkey /add:chi-fp02 /user:globomantics\da_jack /pass:MyPasswordHere

But now it is stored and persistent.

Currently stored credentials. (Image Credit: Jeff Hicks)

When Jack tries to access the target, Windows will use this stored credential.

At some point, Jack will need to change his password. He can re-run the Add command with the new password. You can also delete items by target name.

Cmdkey /delete:chi-fp02

However, the previous credentials are cached until the user logs off.

If you need to authenticate for multiple computers, you’ll need to add an entry for each one. A command like this will fail.

Cmdkey /add:chi-* /user:globomantics\da_jack /pass:MyPasswordHere

But it isn’t too difficult to process a list of computer names and add a credential for each one.

Get-Content c:\work\chi.txt | ForEach-Object { cmdkey /add:$_ /user:globomantics\da_jack /pass:MyPasswordHere }

Now, even without a setting in $PSDefaultParameterValues, Jack can do all of the domain admin work he needs without having to bother entering his domain admin credentials.
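As an added example (not code from the original post), here is a PowerShell wrapper around the same cmdkey commands: it prompts for the domain admin credential once, adds an entry for every computer in the list, parses cmdkey /list so you can verify what is stored, and removes entries by target name. The account name, file path and server names are the article's hypothetical values.

```powershell
function Add-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # cmdkey only accepts the password as a command-line argument, so decrypt
    # it only for the duration of the loop and clear it afterwards.
    $plain = $Credential.GetNetworkCredential().Password
    foreach ($computer in $ComputerName) {
        $out = cmdkey /add:$computer /user:$($Credential.UserName) /pass:$plain 2>&1
        [pscustomobject]@{
            Target  = $computer
            User    = $Credential.UserName
            Success = ($LASTEXITCODE -eq 0)
            Message = ($out -join ' ').Trim()
        }
    }
    $plain = $null
}

function Get-StoredCredentialTarget {
    # Parse 'cmdkey /list', whose entries look like:
    #     Target: Domain:target=chi-fp02
    #     Type: Domain Password
    #     User: globomantics\da_jack
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); User = $null }
        } elseif ($line -match '^\s*User:\s*(.+)$' -and $current) {
            $current.User = $Matches[1].Trim()
            $current
            $current = $null
        }
    }
}

function Remove-StoredCredential {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) { cmdkey /delete:$computer | Out-Null }
}

# Usage (hypothetical names from the article): prompt once, add every computer.
$cred = Get-Credential globomantics\da_jack
$computers = Get-Content c:\work\chi.txt
Add-StoredCredential -ComputerName $computers -Credential $cred | Format-Table
Get-StoredCredentialTarget | Where-Object Target -like '*chi-*'
```

Because the password is passed on the cmdkey command line, it will appear in process creation auditing (Event ID 4688 with command-line logging enabled); use the interactive /pass form when that matters.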

And all of that activity is attributable to his domain admin account.

So if you have been running your daily work under a domain account because it is easier, think again. There are potentially serious security consequences. But using something like cmdkey should take away the pain. Of course, be sure to lock your computer when you step away from your desk. But you do that anyway, right?

Do you use cmdkey? How do you handle the burden of maintaining and using a separate domain admin account? I hope you’ll share in the comments.
