
close
close
Chance to win $250 in Petri 2023 Audience Survey
A lot of my work is done from a standalone computer, in other words one that doesn’t belong to a domain. But, I often need to access things in my test lab domain. If it is PowerShell related, I can often get by using a –Credential parameter if the cmdlet I want to use happens to support it. In other situations, applying alternate credentials can be tedious. But there is a useful command-line tool that makes it easy to shop for the credentials you need. I’m pretty sure there is a graphical alternative, but the command line is so much faster.
The utility in question is called cmdkey.exe. You can even run it in PowerShell. Because this is a command-line tool, you’ll need to learn its syntax.
Cmdkey /?
Syntax information for cmdkey.exe. (Image Credit: Jeff Hicks)
Jack Frost has no credentials. (Image Credit: Jeff Hicks)
Jack Frost has attempted to run an operation that requires admin privileges. (Image Credit: Jeff Hicks)
$cred = get-credential globomantics\da_jack
$PSDefaultParameterValues.add("*:Credential",$cred)
Now any command with –Credential will use this value. But this doesn’t help for everything else.
This is where cmdkey is a real timesaver. Jack can add an entry to his store for Chi-fp02. Run cmdkey /add /? to see all the options.
Cmdkey /add:chi-fp02 /user:globomantics\da_jack /pass
The credential has been added successfully. (Image Credit: Jeff Hicks)
Cmdkey /add:chi-fp02 /user:globomantics\da_jack /pass:MyPasswordHere
But now it is stored and persistent.
Currently stored credentials. (Image Credit: Jeff Hicks)
Cmdkey /delete:chi-fp02
However, the previous credentials are cached until the user logs off.
If you need to authenticate for multiple computers, you’ll need to add an entry for each one. A command like this will fail.
Cmdkey /add:chi-* /user:globomantics\da_jack /pass:MyPasswordHere
But it isn’t too difficult to process a list of computer names and add a credential for each one.
get-content c:\work\chi.txt | foreach { cmdkey /add:$_ /user:globomantics\da_jack /pass:P@ssw0rd}
Now, even without a setting in $PSDefaultParameterValues, Jack can do all of the domain admin work he needs without having to bother entering his domain admin credentials.
But the activity can be tracked to his domain admin account.
So if you have been running your daily work under a domain account because it is easier, think again. There are potentially serious security consequences. But using something like cmdkey should take away the pain. Of course, be sure to lock your computer when you step away from your desk. But you do that anyway, right?
Do you use cmdkey? How do you handle the burden of maintaining and using a separate domain admin account? I hope you’ll share in the comments.
More in Windows Server
Microsoft Rolls Out Fix for LSASS Memory Leak Bug Affecting Windows Server
Dec 14, 2022 | Rabia Noureen
Latest Patch Tuesday Updates Cause Freezes, Reboots on Domain Controllers
Nov 25, 2022 | Rabia Noureen
Microsoft Releases Fix for Kerberos Authentication Issues on Domain Controllers
Nov 18, 2022 | Rabia Noureen
Most popular on petri